ZYXEL ZYWALL 2 WG - VPN Router


About This User's Guide

Intended Audience

This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Quick Start Guide

The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.

Web Configurator Online Help

Embedded web help for descriptions of individual screens and supplementary information.

Supporting Disk

Refer to the included CD for support documents.

ZyXEL Web Site

Please refer to www.zyxel.com for additional support documentation and product certifications.

User Guide Feedback

Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!

The Technical Writing Team,

ZyXEL Communications Corp.,

6 Innovation Road II,

Science-Based Industrial Park,

Hsinchu, 300, Taiwan.

E-mail: techwriters@zyxel.com.tw

Document Conventions

Warnings and Notes

These are how warnings and notes are shown in this User's Guide.


Warnings tell you about things that could harm you or your device.


Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions

  • The ZyWALL 2WG may be referred to as the "ZyWALL", the "device" or the "system" in this User's Guide.
  • Product labels, screen names, field labels and field choices are all in bold font.
  • A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
  • “Enter” means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices.
  • A right angle bracket (>) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
  • Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
  • "e.g.," is a shorthand for "for instance", and "i.e.," means "that is" or "in other words".

Icons Used in Figures

Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.

  • ZyWALL
  • Computer
  • Notebook computer
  • Server
  • DSLAM
  • Firewall
  • Telephone
  • Switch
  • Router

Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.

  • Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
  • Do NOT expose your device to dampness, dust or corrosive liquids.
  • Do NOT store things on the device.
  • Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
  • Connect ONLY suitable accessories to the device.
  • Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
  • Make sure to connect the cables to the correct ports.
  • Place connecting cables carefully so that no one will step on them or stumble over them.
  • Always disconnect all cables from this device before servicing or disassembling.
  • Use ONLY an appropriate power adaptor or cord for your device.
  • Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
  • Do NOT plug the power adaptor's cord into a wall outlet on its own; always attach the cord to the power adaptor first, then insert the adaptor into the wall outlet.
  • Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
  • Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
  • If the power adaptor or cord is damaged, remove it from the power outlet.
  • Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
  • Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
  • CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose them at the applicable collection point for the recycling of electrical and electronic equipment. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
  • Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
  • Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
  • If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.

This product is recyclable. Dispose of it properly.


Contents Overview

Introduction 49

Getting to Know Your ZyWALL 51
Introducing the Web Configurator 55
Wizard Setup 75
Tutorial 95
Registration 107

Network 111

LAN Screens 113
Bridge Screens 125
WAN Screens 131
DMZ Screens 163
Wireless LAN 173

Security 199

Firewall 201
Content Filtering Screens 231
Content Filtering Reports 249
IPSecVPN 257
Certificates 297
Authentication Server 323

Advanced 327

Network Address Translation (NAT) 329
Static Route 345
Policy Route 349
Bandwidth Management 355
DNS 371
Remote Management 383
UPnP 405
ALG Screen 415

Reports, Logs and Maintenance 421

Logs Screens 423
Maintenance 451

SMT and Troubleshooting 467

Introducing the SMT 469

SMT Menu 1 - General Setup 477

WAN and Dial Backup Setup 483

LAN Setup 497

Internet Access 503

DMZ Setup 509

Route Setup 513

Wireless Setup 517

Remote Node Setup 521

IP Static Route Setup 529

Network Address Translation (NAT) 533

Introducing the ZyWALL Firewall 553

Filter Configuration 555

SNMP Configuration 571

System Information & Diagnosis 573

Firmware and Configuration File Maintenance 585

System Maintenance Menus 8 to 10 599

Remote Management 607

IP Policy Routing 611

Call Scheduling 619

Troubleshooting 623

Appendices and Index 629

Table of Contents

About This User's Guide 3

Document Conventions 4

Safety Warnings 6

Contents Overview 9

Table of Contents 11

List of Figures 29

List of Tables 41

Part I: Introduction 49

Chapter 1

Getting to Know Your ZyWALL 51

1.1 ZyWALL Internet Security Appliance Overview 51

1.2 Ways to Manage the ZyWALL 51

1.3 Good Habits for Managing the ZyWALL 52

1.4 Applications for the ZyWALL 52

1.4.1 Secure Broadband Internet Access via Cable or DSL Modem 52

1.4.2 VPN Application 53

1.4.3 3G WAN Application 53

1.4.4 Front Panel Lights 54

Chapter 2

Introducing the Web Configurator 55

2.1 Web Configurator Overview 55
2.2 Accessing the ZyWALL Web Configurator 55
2.3 Resetting the ZyWALL 57
2.3.1 Procedure To Use The Reset Button 57
2.3.2 Uploading a Configuration File Via Console Port 57

2.4 Navigating the ZyWALL Web Configurator 58

2.4.1 Title Bar 58
2.4.2 Main Window 59
2.4.3 HOME Screen: Router Mode 59
2.4.4 HOME Screen: Bridge Mode 62

2.4.5 Navigation Panel 65
2.4.6 Port Statistics 69
2.4.7 Show Statistics: Line Chart 70
2.4.8 DHCP Table Screen 71
2.4.9 VPN Status 72
2.4.10 Bandwidth Monitor 73

Chapter 3

Wizard Setup 75

3.1 Wizard Setup Overview 75
3.2 Internet Access 75

3.2.1 ISP Parameters 76
3.2.2 Internet Access Wizard: Second Screen 80
3.2.3 Internet Access Wizard: Registration 81
3.2.4 Internet Access Wizard: Status 83
3.2.5 Internet Access Wizard: Service Activation 84

3.3 VPN Wizard Gateway Setting 84
3.4 VPN Wizard Network Setting 86
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) 87
3.6 VPN Wizard IPSec Setting (IKE Phase 2) 89
3.7 VPN Wizard Status Summary 90
3.8 VPN Wizard Setup Complete 93

Chapter 4

Tutorial 95

4.1 Security Settings for VPN Traffic 95
4.2 Firewall Rule for VPN Example 95

4.2.1 Configuring the VPN Rule 96
4.2.2 Configuring the Firewall Rules 99

4.3 How to Set up a 3G WAN Connection 103

4.3.1 Configuring 3G WAN Settings 103
4.3.2 Configuring Load Balancing 104
4.3.3 Inserting a 3G Card 104
4.3.4 Checking WAN Connections 104

Chapter 5

Registration 107

5.1 myZyXEL.com overview 107
5.1.1 Content Filtering Subscription Service 107

5.2 Registration 108
5.3 Service 109

Part II: Network 111

Chapter 6

LAN Screens 113

6.1 LAN, WAN and the ZyWALL 113
6.2 IP Address and Subnet Mask 113

6.2.1 Private IP Addresses 114

6.3 DHCP 115
6.3.1 IP Pool Setup 115

6.4 RIP Setup 115
6.5 Multicast 115
6.6 WINS 116
6.7 LAN 116
6.8 LAN Static DHCP 119
6.9 LAN IP Alias 120
6.10 LAN Port Roles 122

Chapter 7

Bridge Screens 125

7.1 Bridge Loop 125
7.2 Spanning Tree Protocol (STP) 126

7.2.1 Rapid STP 126
7.2.2 STP Terminology 126
7.2.3 How STP Works 126
7.2.4 STP Port States 127

7.3 Bridge 127
7.4 Bridge Port Roles 129

Chapter 8

WAN Screens 131

8.1 WAN Overview 131
8.2 Multiple WAN 131
8.3 Load Balancing Introduction 132
8.4 Load Balancing Algorithms 132

8.4.1 Least Load First 132
8.4.2 Weighted Round Robin 133
8.4.3 Spillover 134

8.5 TCP/IP Priority (Metric) 135
8.6 WAN General 135
8.7 Configuring Load Balancing 139

8.7.1 Least Load First 139
8.7.2 Weighted Round Robin 140
8.7.3 Spillover 140

8.8 WAN IP Address Assignment 141
8.9 DNS Server Address Assignment 142
8.10 WAN MAC Address 142
8.11 WAN 1 143

8.11.1 WAN Ethernet Encapsulation 143
8.11.2 PPPoE Encapsulation 146
8.11.3 PPTP Encapsulation 149

8.12 WAN 2 (3G WAN) 152

8.13 Traffic Redirect 156
8.14 Configuring Traffic Redirect 156
8.15 Configuring Dial Backup 157
8.16 Advanced Modem Setup 160

8.16.1 AT Command Strings 160
8.16.2 DTR Signal 161
8.16.3 Response Strings 161

8.17 Configuring Advanced Modem Setup 161

Chapter 9

DMZ Screens 163

9.1 DMZ 163
9.2 Configuring DMZ 163
9.3 DMZ Static DHCP 166
9.4 DMZ IP Alias 167
9.5 DMZ Public IP Address Example 169
9.6 DMZ Private and Public IP Address Example 170
9.7 DMZ Port Roles 171

Chapter 10

Wireless LAN 173

10.1 Wireless LAN Introduction 173
10.2 Configuring WLAN 174
10.3 WLAN Static DHCP 177
10.4 WLAN IP Alias 178
10.5 WLAN Port Roles 180
10.6 Wireless Security Overview 182

10.6.1 SSID 182
10.6.2 MAC Address Filter 183
10.6.3 User Authentication 183
10.6.4 Encryption 183
10.6.5 Additional Installation Requirements for Using 802.1x 184

10.7 Wireless Card 185

10.7.1 SSID Profile 187

10.8 Configuring Wireless Security 188

10.8.1 No Security 190
10.8.2 Static WEP 190
10.8.3 IEEE 802.1x Only 191
10.8.4 IEEE 802.1x + Static WEP 192
10.8.5 WPA, WPA2, WPA2-MIX 194
10.8.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX 195

10.9 MAC Filter 196

Part III: Security 199

Chapter 11

Firewall 201

11.1 Firewall Overview 201
11.2 Packet Direction Matrix 202
11.3 Packet Direction Examples 203

11.3.1 To VPN Packet Direction 204
11.3.2 From VPN Packet Direction 206
11.3.3 From VPN To VPN Packet Direction 207

11.4 Security Considerations 209
11.5 Firewall Rules Example 209
11.6 Asymmetrical Routes 211

11.6.1 Asymmetrical Routes and IP Alias 211

11.7 Firewall Default Rule (Router Mode) 212
11.8 Firewall Default Rule (Bridge Mode) 214
11.9 Firewall Rule Summary 215

11.9.1 Firewall Edit Rule 217

11.10 Anti-Probing 220
11.11 Firewall Thresholds 221

11.11.1 Threshold Values 222

11.12 Threshold Screen 222
11.13 Service 224

11.13.1 Firewall Edit Custom Service 225

11.14 My Service Firewall Rule Example 226

Chapter 12

Content Filtering Screens 231

12.1 Content Filtering Overview 231

12.1.1 Restrict Web Features 231
12.1.2 Create a Filter List 231
12.1.3 Customize Web Site Access 231

12.2 Content Filter General Screen 231

12.3 Content Filtering with an External Database 234
12.4 Content Filter Categories 234
12.5 Content Filter Customization 243
12.6 Customizing Keyword Blocking URL Checking 245

12.6.1 Domain Name or IP Address URL Checking 246
12.6.2 Full Path URL Checking 246
12.6.3 File Name URL Checking 246

12.7 Content Filtering Cache 246

Chapter 13

Content Filtering Reports 249

13.1 Checking Content Filtering Activation 249
13.2 Viewing Content Filtering Reports 249
13.3 Web Site Submission 254

Chapter 14

IPSecVPN 257

14.1 IPSec VPN Overview 257
14.1.1 IKE SA Overview 258

14.2 VPN Rules (IKE) 259
14.3 IKE SA Setup 261
14.3.1 IKE SA Proposal 261

14.4 Additional IPSec VPN Topics 265

14.4.1 SA Life Time 265
14.4.2 IPSec High Availability 266
14.4.3 Encryption and Authentication Algorithms 267

14.5 VPN Rules (IKE) Gateway Policy Edit 267
14.6 IPSec SA Overview 273

14.6.1 Local Network and Remote Network 273
14.6.2 Active Protocol 273
14.6.3 Encapsulation 274
14.6.4 IPSec SA Proposal and Perfect Forward Secrecy 274

14.7 VPN Rules (IKE): Network Policy Edit 275
14.8 VPN Rules (IKE): Network Policy Move 279
14.9 Dialing the VPN Tunnel via Web Configurator 280
14.10 VPN Troubleshooting 281
14.10.1 VPN Log 282
14.11 IPSec Debug 283
14.12 IPSec SA Using Manual Keys 284

14.12.1 IPSec SA Proposal Using Manual Keys 284
14.12.2 Authentication and the Security Parameter Index (SPI) 284

14.13 VPN Rules (Manual) 284
14.14 VPN Rules (Manual): Edit 286

14.15 VPN SA Monitor 289
14.16 VPN Global Setting 289
14.17 Telecommuter VPN/IPSec Examples 291

14.17.1 Telecommuters Sharing One VPN Rule Example 291
14.17.2 Telecommuters Using Unique VPN Rules Example 292

14.18 VPN and Remote Management 294
14.19 Hub-and-spoke VPN 294

14.19.1 Hub-and-spoke VPN Example 295
14.19.2 Hub-and-spoke Example VPN Rule Addresses 295
14.19.3 Hub-and-spoke VPN Requirements and Suggestions 296

Chapter 15

Certificates 297

15.1 Certificates Overview 297
15.1.1 Advantages of Certificates 298
15.2 Self-signed Certificates 298
15.3 Verifying a Certificate 298

15.3.1 Checking the Fingerprint of a Certificate on Your Computer 298

15.4 Configuration Summary 299
15.5 My Certificates 300
15.6 My Certificate Details 301
15.7 My Certificate Export 304

15.7.1 Certificate File Export Formats 304

15.8 My Certificate Import 305
15.8.1 Certificate File Formats 306

15.9 My Certificate Create 308
15.10 Trusted CAs 310
15.11 Trusted CA Details 311
15.12 Trusted CA Import 314
15.13 Trusted Remote Hosts 315
15.14 Trusted Remote Hosts Import 317
15.15 Trusted Remote Host Certificate Details 318
15.16 Directory Servers 320
15.17 Directory Server Add or Edit 321

Chapter 16

Authentication Server 323

16.1 Authentication Server Overview 323

16.1.1 Local User Database 323
16.1.2 RADIUS 323

16.2 Local User Database 323
16.3 RADIUS 325

Part IV: Advanced 327

Chapter 17

Network Address Translation (NAT) 329

17.1 NAT Overview 329

17.1.1 NAT Definitions 329
17.1.2 What NAT Does 330
17.1.3 How NAT Works 330
17.1.4 NAT Application 331
17.1.5 Port Restricted Cone NAT 332
17.1.6 NAT Mapping Types 332

17.2 Using NAT 333

17.2.1 SUA (Single User Account) Versus NAT 333

17.3 NAT Overview Screen 334

17.4 NAT Address Mapping 335

17.4.1 What NAT Does 335
17.4.2 NAT Address Mapping Edit 337

17.5 Port Forwarding 338

17.5.1 Default Server IP Address 339
17.5.2 Port Forwarding: Services and Port Numbers 339
17.5.3 Configuring Servers Behind Port Forwarding (Example) 340
17.5.4 NAT and Multiple WAN 340
17.5.5 Port Translation 340

17.6 Port Forwarding Screen 341
17.7 Port Triggering 343

Chapter 18

Static Route 345

18.1 IP Static Route 345
18.2 IP Static Route 345
18.2.1 IP Static Route Edit 347

Chapter 19

Policy Route 349

19.1 Policy Route 349
19.2 Benefits 349
19.3 Routing Policy 349
19.4 IP Routing Policy Setup 350
19.5 Policy Route Edit 351

Chapter 20

Bandwidth Management 355

20.1 Bandwidth Management Overview 355

20.2 Bandwidth Classes and Filters 355
20.3 Proportional Bandwidth Allocation 356
20.4 Application-based Bandwidth Management 356
20.5 Subnet-based Bandwidth Management 356
20.6 Application and Subnet-based Bandwidth Management 356
20.7 Scheduler 357

20.7.1 Priority-based Scheduler 357
20.7.2 Fairness-based Scheduler 357
20.7.3 Maximize Bandwidth Usage 357
20.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic 357
20.7.5 Maximize Bandwidth Usage Example 358

20.8 Bandwidth Borrowing 359

20.8.1 Bandwidth Borrowing Example 359

20.9 Maximize Bandwidth Usage With Bandwidth Borrowing 360
20.10 Over Allotment of Bandwidth 361
20.11 Configuring Summary 361
20.12 Configuring Class Setup 363

20.12.1 Bandwidth Manager Class Configuration 364
20.12.2 Bandwidth Management Statistics 367

20.13 Bandwidth Manager Monitor 368

Chapter 21

DNS 371

21.1 DNS Overview 371
21.2 DNS Server Address Assignment 371
21.3 DNS Servers 371
21.4 Address Record 372

21.4.1 DNS Wildcard 372

21.5 Name Server Record 372
21.5.1 Private DNS Server 372

21.6 System Screen 373

21.6.1 Adding an Address Record 375
21.6.2 Inserting a Name Server Record 376

21.7 DNS Cache 377

21.8 Configure DNS Cache 377
21.9 Configuring DNS DHCP 379
21.10 Dynamic DNS 380

21.10.1 DYNDNS Wildcard 380
21.10.2 High Availability 381

21.11 Configuring Dynamic DNS 381

Chapter 22

Remote Management 383

22.1 Remote Management Overview 383

22.1.1 Remote Management Limitations 384
22.1.2 System Timeout 384

22.2 WWW (HTTP and HTTPS) 384
22.3 WWW 385
22.4 HTTPS Example 387

22.4.1 Internet Explorer Warning Messages 387
22.4.2 Netscape Navigator Warning Messages 387
22.4.3 Avoiding the Browser Warning Messages 388
22.4.4 Login Screen 389

22.5 SSH 391
22.6 How SSH Works 391
22.7 SSH Implementation on the ZyWALL 392

22.7.1 Requirements for Using SSH 392

22.8 Configuring SSH 393
22.9 Secure Telnet Using SSH Examples 394

22.9.1 Example 1: Microsoft Windows 394
22.9.2 Example 2: Linux 394

22.10 Secure FTP Using SSH Example 395
22.11 Telnet 396
22.12 Configuring TELNET 396
22.13 FTP 397
22.14 SNMP 398

22.14.1 Supported MIBs 399
22.14.2 SNMP Traps 400
22.14.3 REMOTE MANAGEMENT: SNMP 400

22.15 DNS 401
22.16 Introducing Vantage CNM 402
22.17 Configuring CNM 402

Chapter 23

UPnP 405

23.1 Universal Plug and Play Overview 405

23.1.1 How Do I Know If I'm Using UPnP? 405
23.1.2 NAT Traversal 405
23.1.3 Cautions with UPnP 405
23.1.4 UPnP and ZyXEL 406

23.2 Configuring UPnP 406
23.3 Displaying UPnP Port Mapping 407
23.4 Installing UPnP in Windows Example 408

23.4.1 Installing UPnP in Windows Me 409
23.4.2 Installing UPnP in Windows XP 410

23.5 Using UPnP in Windows XP Example 410

23.5.1 Auto-discover Your UPnP-enabled Network Device 411
23.5.2 Web Configurator Easy Access 412

Chapter 24

ALG Screen 415

24.1 ALG Introduction 415

24.1.1 ALG and NAT 415
24.1.2 ALG and the Firewall 415
24.1.3 ALG and Multiple WAN 416

24.2 FTP 416
24.3 H.323 416
24.4 RTP 416

24.4.1 H.323 ALG Details 416

24.5 SIP 418

24.5.1 STUN 418
24.5.2 SIP ALG Details 418
24.5.3 SIP Signaling Session Timeout 419
24.5.4 SIP Audio Session Timeout 419

24.6 ALG Screen 419

Part V: Reports, Logs and Maintenance 421

Chapter 25

Logs Screens 423

25.1 Configuring View Log 423
25.2 Log Description Example 424

25.2.1 About the Certificate Not Trusted Log 425

25.3 Configuring Log Settings 426
25.4 Configuring Reports 429

25.4.1 Viewing Web Site Hits 431
25.4.2 Viewing Host IP Address 431
25.4.3 Viewing Protocol/Port 432
25.4.4 System Reports Specifications 434

25.5 Log Descriptions 434
25.6 Syslog Logs 448

Chapter 26

Maintenance 451

26.1 Maintenance Overview 451
26.2 General Setup and System Name 451

26.2.1 General Setup 451

26.3 Configuring Password 452
26.4 Time and Date 453
26.5 Pre-defined NTP Time Server Pools 456

26.5.1 Resetting the Time 456
26.5.2 Time Server Synchronization 456

26.6 Introduction To Transparent Bridging 457
26.7 Transparent Firewalls 458

26.8 Configuring Device Mode (Router) 458

26.9 Configuring Device Mode (Bridge) 460
26.10 F/W Upload Screen 461
26.11 Backup and Restore 463

26.11.1 Backup Configuration 464
26.11.2 Restore Configuration 464
26.11.3 Back to Factory Defaults 465

26.12 Restart Screen 466

Part VI: SMT and Troubleshooting 467

Chapter 27

Introducing the SMT 469

27.1 Introduction to the SMT 469
27.2 Accessing the SMT via the Console Port 469

27.2.1 Initial Screen 469
27.2.2 Entering the Password 470

27.3 Navigating the SMT Interface 470

27.3.1 Main Menu 471
27.3.2 SMT Menus Overview 473

27.4 Changing the System Password 474
27.5 Resetting the ZyWALL 475

Chapter 28

SMT Menu 1 - General Setup 477

28.1 Introduction to General Setup 477
28.2 Configuring General Setup 477

28.2.1 Configuring Dynamic DNS 479

Chapter 29

WAN and Dial Backup Setup 483

29.1 Introduction to WAN, 3G WAN and Dial Backup Setup 483
29.2 WAN Setup 483
29.3 Dial Backup 484

29.3.1 Configuring Dial Backup in Menu 2 484
29.3.2 Advanced WAN Setup 485
29.3.3 Remote Node Profile (Backup ISP) 487
29.3.4 Editing TCP/IP Options 489
29.3.5 Editing Login Script 490
29.3.6 Remote Node Filter 492

29.4 3G WAN 492

29.4.1 3G Modem Setup 492
29.4.2 Remote Node Profile (3G WAN) 493

Chapter 30

LAN Setup 497

30.1 Introduction to LAN Setup 497
30.2 Accessing the LAN Menus 497
30.3 LAN Port Filter Setup 497
30.4 TCP/IP and DHCP Ethernet Setup Menu 498

30.4.1 IP Alias Setup 501

Chapter 31

Internet Access 503

31.1 Introduction to Internet Access Setup 503
31.2 Ethernet Encapsulation 503
31.3 Configuring the PPTP Client 505
31.4 Configuring the PPPoE Client 506
31.5 Basic Setup Complete 507

Chapter 32

DMZ Setup 509

32.1 Configuring DMZ Setup 509
32.2 DMZ Port Filter Setup 509
32.3 TCP/IP Setup 510

32.3.1 IP Address 510
32.3.2 IP Alias Setup 511

Chapter 33

Route Setup 513

33.1 Configuring Route Setup 513
33.2 Route Assessment 513
33.3 Traffic Redirect 514
33.4 Route Failover 515

Chapter 34

Wireless Setup 517

34.1 TCP/IP Setup 517

34.1.1 IP Address 517
34.1.2 IP Alias Setup 518

Chapter 35

Remote Node Setup 521

35.1 Introduction to Remote Node Setup 521
35.2 Remote Node Setup 521
35.3 Remote Node Profile Setup 521

35.3.1 Ethernet Encapsulation 522
35.3.2 PPPoE Encapsulation 523
35.3.3 PPTP Encapsulation 524

35.4 Edit IP 525
35.5 Remote Node Filter 527

Chapter 36

IP Static Route Setup 529

36.1 IP Static Route Setup 529

Chapter 37

Network Address Translation (NAT) 533

37.1 Using NAT 533

37.1.1 SUA (Single User Account) Versus NAT 533
37.1.2 Applying NAT 533

37.2 NAT Setup 535
37.2.1 Address Mapping Sets 536

37.3 Configuring a Server behind NAT 540
37.4 General NAT Examples 543

37.4.1 Internet Access Only 543
37.4.2 Example 2: Internet Access with a Default Server 544
37.4.3 Example 3: Multiple Public IP Addresses With Inside Servers 545
37.4.4 Example 4: NAT Unfriendly Application Programs 548

37.5 Trigger Port Forwarding 550

37.5.1 Two Points To Remember About Trigger Ports 550

Chapter 38

Introducing the ZyWALL Firewall 553

38.1 Using ZyWALL SMT Menus 553
38.1.1 Activating the Firewall 553

Chapter 39

Filter Configuration 555

39.1 Introduction to Filters 555

39.1.1 The Filter Structure of the ZyWALL 556

39.2 Configuring a Filter Set 558

39.2.1 Configuring a Filter Rule 559
39.2.2 Configuring a TCP/IP Filter Rule 560
39.2.3 Configuring a Generic Filter Rule 562

39.3 Example Filter 564
39.4 Filter Types and NAT 566
39.5 Firewall Versus Filters 566

39.5.1 Packet Filtering 566
39.5.2 Firewall 567

39.6 Applying a Filter 567

39.6.1 Applying LAN Filters 568
39.6.2 Applying DMZ Filters 568
39.6.3 Applying Remote Node Filters 569

Chapter 40

SNMP Configuration 571

40.1 SNMP Configuration 571
40.2 SNMP Traps 572

Chapter 41

System Information & Diagnosis 573

41.1 Introduction to System Status 573
41.2 System Status 573
41.3 System Information and Console Port Speed 575

41.3.1 System Information 575
41.3.2 Console Port Speed 576

41.4 Log and Trace 577

41.4.1 Viewing Error Log 577
41.4.2 Syslog Logging 578
41.4.3 Call-Triggering Packet 581

41.5 Diagnostic 582

41.5.1 WAN DHCP 583

Chapter 42

Firmware and Configuration File Maintenance 585

42.1 Introduction 585
42.2 Filename Conventions 585

42.3 Backup Configuration 586

42.3.1 Backup Configuration 586
42.3.2 Using the FTP Command from the Command Line 587
42.3.3 Example of FTP Commands from the Command Line 587
42.3.4 GUI-based FTP Clients 588

42.3.5 File Maintenance Over WAN 588
42.3.6 Backup Configuration Using TFTP 588
42.3.7 TFTP Command Example 589
42.3.8 GUI-based TFTP Clients 589
42.3.9 Backup Via Console Port 589

42.4 Restore Configuration 590

42.4.1 Restore Using FTP 591
42.4.2 Restore Using FTP Session Example 592
42.4.3 Restore Via Console Port 592

42.5 Uploading Firmware and Configuration Files 593

42.5.1 Firmware File Upload 593
42.5.2 Configuration File Upload 594
42.5.3 FTP File Upload Command from the DOS Prompt Example 595
42.5.4 FTP Session Example of Firmware File Upload 595
42.5.5 TFTP File Upload 595
42.5.6 TFTP Upload Command Example 596
42.5.7 Uploading Via Console Port 596
42.5.8 Uploading Firmware File Via Console Port 596
42.5.9 Example Xmodem Firmware Upload Using HyperTerminal 597
42.5.10 Uploading Configuration File Via Console Port 597
42.5.11 Example Xmodem Configuration Upload Using HyperTerminal 598

Chapter 43

System Maintenance Menus 8 to 10 599

43.1 Command Interpreter Mode 599

43.1.1 Command Syntax 600
43.1.2 Command Usage 600

43.2 Call Control Support 601

43.2.1 Budget Management 601
43.2.2 Call History 602

43.3 Time and Date Setting 603

Chapter 44

Remote Management 607

44.1 Remote Management 607
44.1.1 Remote Management Limitations 609

Chapter 45

IP Policy Routing 611

45.1 IP Routing Policy Summary 611
45.2 IP Routing Policy Setup 612
45.2.1 Applying Policy to Packets 614
45.3 IP Policy Routing Example 615

Chapter 46

Call Scheduling 619

46.1 Introduction to Call Scheduling 619

Chapter 47

Troubleshooting 623

47.1 Power, Hardware Connections, and LEDs 623
47.2 ZyWALL Access and Login 624
47.3 Internet Access 626

Part VII: Appendices and Index 629

Appendix A Product Specifications 631
Appendix B Wall-mounting Instructions 639
Appendix C Pop-up Windows, JavaScripts and Java Permissions 641
Appendix D Setting up Your Computer's IP Address 647
Appendix E IP Addresses and Subnetting 663
Appendix F Common Services 671
Appendix G Wireless LANs 675
Appendix H Importing Certificates 691
Appendix I Command Interpreter 701
Appendix J NetBIOS Filter Commands 709
Appendix K Brute-Force Password Guessing Protection 711
Appendix L Legal Information 713
Appendix M Customer Support 717
Index 721

List of Figures

Figure 1 Secure Internet Access via Cable or DSL Modem 52
Figure 2 VPN Application 53
Figure 3 3G WAN Application 53
Figure 4 Front Panel 54
Figure 5 Change Password Screen 56
Figure 6 Replace Certificate Screen 56
Figure 7 Example Xmodem Upload 57
Figure 8 HOME Screen 58
Figure 9 Web Configurator HOME Screen in Router Mode 59
Figure 10 Web Configurator HOME Screen in Bridge Mode 63
Figure 11 HOME > Show Statistics 70
Figure 12 HOME > Show Statistics > Line Chart
Figure 13 HOME > DHCP Table 72
Figure 14 HOME > VPN Status 73
Figure 15 Home > Bandwidth Monitor 74
Figure 16 Wizard Setup Welcome 75
Figure 17 ISP Parameters: Ethernet Encapsulation 76
Figure 18 ISP Parameters: PPPoE Encapsulation 77
Figure 19 ISP Parameters: PPTP Encapsulation 79
Figure 20 Internet Access Wizard: Second Screen 80
Figure 21 Internet Access Setup Complete 81
Figure 22 Internet Access Wizard: Registration 82
Figure 23 Internet Access Wizard: Registration in Progress 83
Figure 24 Internet Access Wizard: Status 83
Figure 25 Internet Access Wizard: Registration Failed 83
Figure 26 Internet Access Wizard: Registered Device 84
Figure 27 Internet Access Wizard: Activated Services 84
Figure 28 VPN Wizard: Gateway Setting 85
Figure 29 VPN Wizard: Network Setting 86
Figure 30 VPN Wizard: IKE Tunnel Setting 88
Figure 31 VPN Wizard: IPSec Setting 89
Figure 32 VPN Wizard: VPN Status 91
Figure 33 VPN Wizard Setup Complete 93
Figure 34 Firewall Rule for VPN 96
Figure 35 SECURITY >VPN >VPN Rules (IKE) 96
Figure 36 SECURITY >VPN >VPN Rules (IKE)> Add Gateway Policy 97
Figure 37 SECURITY >VPN >VPN Rules (IKE):With Gateway Policy Example 98
Figure 38 SECURITY >VPN >VPN Rules (IKE)> Add Network Policy 99

Figure 39 SECURITY > FIREWALL > Rule Summary 100
Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow 101
Figure 41 SECURITY > FIREWALL > Rule Summary: Allow 102
Figure 42 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN 102
Figure 43 Tutorial: NETWORK > WAN > WAN 2 (3G WAN) 103
Figure 44 Tutorial: NETWORK > WAN > General 104
Figure 45 Tutorial: Home 105
Figure 46 REGISTRATION 108
Figure 47 REGISTRATION: Registered Device 109
Figure 48 REGISTRATION > Service 110
Figure 49 LAN and WAN 113
Figure 50 NETWORK > LAN 117
Figure 51 NETWORK > LAN > Static DHCP 120
Figure 52 Physical Network & Partitioned Logical Networks 121
Figure 53 NETWORK > LAN > IP Alias 121
Figure 54 NETWORK > LAN > Port Roles 123
Figure 55 Port Roles Change Complete 123
Figure 56 Bridge Loop: Bridge Connected to Wired LAN 125
Figure 57 NETWORK > Bridge 128
Figure 58 NETWORK > Bridge > Port Roles 130
Figure 59 Port Roles Change Complete 130
Figure 60 Least Load First Example 133
Figure 61 Weighted Round Robin Algorithm Example 134
Figure 62 Spillover Algorithm Example 134
Figure 63 NETWORK > WAN General 136
Figure 64 Load Balancing: Least Load First 139
Figure 65 Load Balancing: Weighted Round Robin 140
Figure 66 Load Balancing: Spillover 141
Figure 67 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) 143
Figure 68 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) 147
Figure 69 NETWORK > WAN > WAN 1 (PPTP Encapsulation) 150
Figure 70 NETWORK > WAN > WAN 2 (3G WAN) 154
Figure 71 Traffic Redirect WAN Setup 156
Figure 72 Traffic Redirect LAN Setup 156
Figure 73 NETWORK > WAN > Traffic Redirect 157
Figure 74 NETWORK > WAN > Dial Backup 158
Figure 75 NETWORK > WAN > Dial Backup > Edit 161
Figure 76 NETWORK > DMZ 164
Figure 77 NETWORK > DMZ > Static DHCP 167
Figure 78 NETWORK > DMZ > IP Alias 168
Figure 79 DMZ Public Address Example 170
Figure 80 DMZ Private and Public Address Example 171
Figure 81 NETWORK > DMZ > Port Roles 172

Figure 82 Example of a Wireless Network 173
Figure 83 NETWORK > WLAN 175
Figure 84 NETWORK > WLAN > Static DHCP 178
Figure 85 NETWORK > WLAN > IP Alias 179
Figure 86 WLAN Port Role Example 181
Figure 87 NETWORK > WLAN > Port Roles 181
Figure 88 NETWORK > WLAN > Port Roles: Change Complete 182
Figure 89 NETWORK > WIRELESS CARD 185
Figure 90 Configuring SSID 188
Figure 91 NETWORK > WIRELESS CARD > Security 189
Figure 92 NETWORK > WIRELESS CARD > Security: None 190
Figure 93 NETWORK > WIRELESS CARD > Security: WEP 191
Figure 94 NETWORK > WIRELESS CARD > Security: 802.1x Only 192
Figure 95 NETWORK > WIRELESS CARD > Security: 802.1x + Static WEP 193
Figure 96 NETWORK > WIRELESS CARD > Security: WPA, WPA2 or WPA2-MIX 194
Figure 97 NETWORK > WIRELESS CARD > Security: WPA(2)-PSK 195
Figure 98 NETWORK > WIRELESS CARD > MAC Filter 196
Figure 99 Default Firewall Action 201
Figure 100 SECURITY > FIREWALL > Default Rule (Router Mode) 202
Figure 101 Default Block Traffic From WAN1 to DMZ Example 203
Figure 102 From LAN to VPN Example 205
Figure 103 Block DMZ to VPN Traffic by Default Example 205
Figure 104 From VPN to LAN Example 206
Figure 105 Block VPN to LAN Traffic by Default Example 207
Figure 106 From VPN to VPN Example 208
Figure 107 Block VPN to VPN Traffic by Default Example 208
Figure 108 Blocking All LAN to WAN IRC Traffic Example 209
Figure 109 Limited LAN to WAN IRC Traffic Example 210
Figure 110 Using IP Alias to Solve the Triangle Route Problem 212
Figure 111 SECURITY > FIREWALL > Default Rule (Router Mode) 212
Figure 112 SECURITY > FIREWALL > Default Rule (Bridge Mode) 214
Figure 113 SECURITY > FIREWALL > Rule Summary 216
Figure 114 SECURITY > FIREWALL > Rule Summary > Edit 218
Figure 115 SECURITY > FIREWALL > Anti-Probing 220
Figure 116 Three-Way Handshake 221
Figure 117 SECURITY > FIREWALL > Threshold 222
Figure 118 SECURITY > FIREWALL > Service 224
Figure 119 Firewall Edit Custom Service 225
Figure 120 My Service Firewall Rule Example: Service 226
Figure 121 My Service Firewall Rule Example: Edit Custom Service 227
Figure 122 My Service Firewall Rule Example: Rule Summary 227
Figure 123 My Service Firewall Rule Example: Rule Edit 228
Figure 124 My Service Firewall Rule Example: Rule Configuration 229

Figure 125 My Service Firewall Rule Example: Rule Summary 230
Figure 126 SECURITY > CONTENT FILTER > General 232
Figure 127 Content Filtering Lookup Procedure 234
Figure 128 SECURITY > CONTENT FILTER > Categories 236
Figure 129 SECURITY > CONTENT FILTER > Customization 244
Figure 130 SECURITY > CONTENT FILTER > Cache 247
Figure 131 myZyXEL.com: Login 250
Figure 132 myZyXEL.com: Welcome 250
Figure 133 myZyXEL.com: Service Management 251
Figure 134 Blue Coat: Login 251
Figure 135 Content Filtering Reports Main Screen 252
Figure 136 Blue Coat: Report Home 252
Figure 137 Global Report Screen Example 253
Figure 138 Requested URLs Example 254
Figure 139 Web Page Review Process Screen 255
Figure 140 VPN: Example 257
Figure 141 VPN: IKE SA and IPSec SA 258
Figure 142 Gateway and Network Policies 259
Figure 143 IPSec Fields Summary 259
Figure 144 SECURITY > VPN > VPN Rules (IKE) 260
Figure 145 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal 261
Figure 146 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange 262
Figure 147 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication 262
Figure 148 VPN/NAT Example 265
Figure 149 IPSec High Availability 266
Figure 150 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy 268
Figure 151 VPN: Transport and Tunnel Mode Encapsulation 274
Figure 152 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy 276
Figure 153 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy 280
Figure 154 VPN Rule Configured 281
Figure 155 VPN Dial 281
Figure 156 VPN Tunnel Established 281
Figure 157 VPN Log Example 282
Figure 158 IKE/IPSec Debug Example 283
Figure 159 SECURITY > VPN > VPN Rules (Manual) 285
Figure 160 SECURITY > VPN > VPN Rules (Manual) > Edit 286
Figure 161 SECURITY > VPN > SA Monitor 289
Figure 162 SECURITY > VPN > Global Setting 290
Figure 163 Telecommuters Sharing One VPN Rule Example 292
Figure 164 Telecommuters Using Unique VPN Rules Example 293
Figure 165 VPN for Remote Management Example 294
Figure 166 VPN Topologies 294
Figure 167 Hub-and-spoke VPN Example 295

Figure 168 Certificates on Your Computer 298
Figure 169 Certificate Details 299
Figure 170 Certificate Configuration Overview 299
Figure 171 SECURITY > CERTIFICATES > My Certificates 300
Figure 172 SECURITY > CERTIFICATES > My Certificates > Details 302
Figure 173 SECURITY > CERTIFICATES > My Certificates > Export 305
Figure 174 SECURITY > CERTIFICATES > My Certificates > Import 307
Figure 175 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 307
Figure 176 SECURITY > CERTIFICATES > My Certificates > Create 308
Figure 177 SECURITY > CERTIFICATES > Trusted CAs 310
Figure 178 SECURITY > CERTIFICATES > Trusted CAs > Details 312
Figure 179 SECURITY > CERTIFICATES > Trusted CAs > Import 315
Figure 180 SECURITY > CERTIFICATES > Trusted Remote Hosts 316
Figure 181 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import 317
Figure 182 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details 318
Figure 183 SECURITY > CERTIFICATES > Directory Servers 320
Figure 184 SECURITY > CERTIFICATES > Directory Server > Add 321
Figure 185 SECURITY > AUTHSERVER > Local User Database 324
Figure 186 SECURITY > AUTHSERVER > RADIUS 325
Figure 187 How NAT Works 331
Figure 188 NAT Application With IP Alias 331
Figure 189 Port Restricted Cone NAT Example 332
Figure 190 ADVANCED > NAT > NAT Overview 334
Figure 191 ADVANCED > NAT > Address Mapping 336
Figure 192 ADVANCED > NAT > Address Mapping > Edit 338
Figure 193 Multiple Servers Behind NAT Example 340
Figure 194 Port Translation Example 341
Figure 195 ADVANCED > NAT > Port Forwarding 342
Figure 196 Trigger Port Forwarding Process: Example 343
Figure 197 ADVANCED > NAT > Port Triggering 344
Figure 198 Example of Static Routing Topology 345
Figure 199 ADVANCED > STATIC ROUTE > IP Static Route 346
Figure 200 ADVANCED > STATIC ROUTE > IP Static Route > Edit 347
Figure 201 ADVANCED > POLICY ROUTE > Policy Route Summary 350
Figure 202 Edit IP Policy Route 352
Figure 203 Subnet-based Bandwidth Management Example 356
Figure 204 ADVANCED > BW MGMT > Summary 362
Figure 205 ADVANCED > BW MGMT > Class Setup 363
Figure 206 ADVANCED > BW MGMT > Class Setup > Add Sub-Class 365
Figure 207 ADVANCED > BW MGMT > Class Setup > Statistics 368
Figure 208 ADVANCED > BW MGMT > Monitor 369
Figure 209 Private DNS Server Example 373
Figure 210 ADVANCED > DNS > System DNS 374

Figure 211 ADVANCED > DNS > Add (Address Record) 375
Figure 212 ADVANCED > DNS > Insert (Name Server Record) 376
Figure 213 ADVANCED > DNS > Cache 378
Figure 214 ADVANCED > DNS > DHCP 379
Figure 215 ADVANCED > DNS > DDNS 381
Figure 216 Secure and Insecure Remote Management From the WAN 383
Figure 217 HTTPS Implementation 385
Figure 218 ADVANCED > REMOTE MGMT > WWW 386
Figure 219 Security Alert Dialog Box (Internet Explorer) 387
Figure 220 Security Certificate 1 (Netscape) 388
Figure 221 Security Certificate 2 (Netscape) 388
Figure 222 Example: Lock Denoting a Secure Connection 389
Figure 223 Replace Certificate 390
Figure 224 Device-specific Certificate 390
Figure 225 Common ZyWALL Certificate 391
Figure 226 SSH Communication Over the WAN Example 391
Figure 227 How SSH Works 392
Figure 228 ADVANCED > REMOTE MGMT > SSH 393
Figure 229 SSH Example 1: Store Host Key 394
Figure 230 SSH Example 2: Test 394
Figure 231 SSH Example 2: Log in 395
Figure 232 Secure FTP: Firmware Upload Example 396
Figure 233 ADVANCED > REMOTE MGMT > Telnet 396
Figure 234 ADVANCED > REMOTE MGMT > FTP 397
Figure 235 SNMP Management Model 399
Figure 236 ADVANCED > REMOTE MGMT > SNMP 400
Figure 237 ADVANCED > REMOTE MGMT > DNS 402
Figure 238 ADVANCED > REMOTE MGMT > CNM 403
Figure 239 ADVANCED > UPnP 406
Figure 240 ADVANCED > UPnP > Ports 407
Figure 241 H.323 ALG Example 417
Figure 242 H.323 with Multiple WAN IP Addresses 417
Figure 243 H.323 Calls from the WAN with Multiple Outgoing Calls 418
Figure 244 SIP ALG Example 419
Figure 245 ADVANCED > ALG 420
Figure 246 LOGS > View Log 423
Figure 247 myZyXEL.com: Download Center 425
Figure 248 myZyXEL.com: Certificate Download 426
Figure 249 LOGS > Log Settings 427
Figure 250 LOGS > Reports 430
Figure 251 LOGS > Reports: Web Site Hits Example 431
Figure 252 LOGS > Reports: Host IP Address Example 432
Figure 253 LOGS > Reports: Protocol/Port Example 433

Figure 254 MAINTENANCE > General Setup 452
Figure 255 MAINTENANCE > Password 453
Figure 256 MAINTENANCE > Time and Date 454
Figure 257 Synchronization in Process 456
Figure 258 Synchronization is Successful 457
Figure 259 Synchronization Fail 457
Figure 260 MAINTENANCE > Device Mode (Router Mode) 459
Figure 261 MAINTENANCE > Device Mode (Bridge Mode) 460
Figure 262 MAINTENANCE > Firmware Upload 462
Figure 263 Firmware Upload In Process 462
Figure 264 Network Temporarily Disconnected 463
Figure 265 Firmware Upload Error 463
Figure 266 MAINTENANCE > Backup and Restore 464
Figure 267 Configuration Upload Successful 465
Figure 268 Network Temporarily Disconnected 465
Figure 269 Configuration Upload Error 465
Figure 270 Reset Warning Message 466
Figure 271 MAINTENANCE > Restart 466
Figure 272 Initial Screen 470
Figure 273 Password Screen 470
Figure 274 Main Menu (Router Mode) 471
Figure 275 Main Menu (Bridge Mode) 472
Figure 276 Menu 23: System Password 475
Figure 277 Menu 1: General Setup (Router Mode) 477
Figure 278 Menu 1: General Setup (Bridge Mode) 478
Figure 279 Menu 1.1: Configure Dynamic DNS 479
Figure 280 Menu 1.1.1: DDNS Host Summary 480
Figure 281 Menu 1.1.1: DDNS Edit Host 481
Figure 282 MAC Address Cloning in WAN Setup 483
Figure 283 Menu 2: Dial Backup Setup 485
Figure 284 Menu 2.1: Advanced WAN Setup 486
Figure 285 Menu 11.3: Remote Node Profile (Backup ISP) 487
Figure 286 Menu 11.3.2: Remote Node Network Layer Options 489
Figure 287 Menu 11.3.3: Remote Node Script 491
Figure 288 Menu 11.3.4: Remote Node Filter 492
Figure 289 3G Modem Setup in WAN Setup 493
Figure 290 Menu 11.2: Remote Node Profile (3G WAN) 494
Figure 291 Menu 3: LAN Setup 497
Figure 292 Menu 3.1: LAN Port Filter Setup 498
Figure 293 Menu 3: TCP/IP and DHCP Setup 498
Figure 294 Menu 3.2: TCP/IP and DHCP Ethernet Setup 499
Figure 295 Menu 3.2.1: IP Alias Setup 501
Figure 296 Menu 4: Internet Access Setup (Ethernet) 504

Figure 297 Internet Access Setup (PPTP) 506
Figure 298 Internet Access Setup (PPPoE) 507
Figure 299 Menu 5: DMZ Setup 509
Figure 300 Menu 5.1: DMZ Port Filter Setup 509
Figure 301 Menu 5: DMZ Setup 510
Figure 302 Menu 5.2: TCP/IP and DHCP Ethernet Setup 510
Figure 303 Menu 5.2.1: IP Alias Setup 511
Figure 304 Menu 6: Route Setup 513
Figure 305 Menu 6.1: Route Assessment 513
Figure 306 Menu 6.2: Traffic Redirect 514
Figure 307 Menu 6.3: Route Failover 515
Figure 308 Menu 7: WLAN Setup 517
Figure 309 Menu 7.2: TCP/IP and DHCP Ethernet Setup 518
Figure 310 Menu 7.2.1: IP Alias Setup 519
Figure 311 Menu 11: Remote Node Setup 521
Figure 312 Menu 11.1: Remote Node Profile for Ethernet Encapsulation 522
Figure 313 Menu 11.1: Remote Node Profile for PPPoE Encapsulation 523
Figure 314 Menu 11.1: Remote Node Profile for PPTP Encapsulation 525
Figure 315 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation 526
Figure 316 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) 528
Figure 317 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) 528
Figure 318 Menu 12: IP Static Route Setup 530
Figure 319 Menu 12.1: Edit IP Static Route 530
Figure 320 Menu 4: Applying NAT for Internet Access 534
Figure 321 Menu 11.1.2: Applying NAT to the Remote Node 534
Figure 322 Menu 15: NAT Setup 535
Figure 323 Menu 15.1: Address Mapping Sets 536
Figure 324 Menu 15.1.255: SUA Address Mapping Rules 536
Figure 325 Menu 15.1.1: First Set 538
Figure 326 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set 539
Figure 327 Menu 15.2: NAT Server Sets 540
Figure 328 Menu 15.2.x: NAT Server Sets 541
Figure 329 15.2.x.x: NAT Server Configuration 541
Figure 330 Menu 15.2.1: NAT Server Setup 542
Figure 331 Server Behind NAT Example 543
Figure 332 NAT Example 1 543
Figure 333 Menu 4: Internet Access & NAT Example 544
Figure 334 NAT Example 2 544
Figure 335 Menu 15.2.1: Specifying an Inside Server 545
Figure 336 NAT Example 3 546
Figure 337 Example 3: Menu 11.1.2 546
Figure 338 Example 3: Menu 15.1.1.1 547
Figure 339 Example 3: Final Menu 15.1.1 547

Figure 340 Example 3: Menu 15.2.1 548
Figure 341 NAT Example 4 548
Figure 342 Example 4: Menu 15.1.1.1: Address Mapping Rule 549
Figure 343 Example 4: Menu 15.1.1: Address Mapping Rules 549
Figure 344 Menu 15.3.1: Trigger Port Setup 551
Figure 345 Menu 21: Filter and Firewall Setup 553
Figure 346 Menu 21.2: Firewall Setup 554
Figure 347 Outgoing Packet Filtering Process 555
Figure 348 Filter Rule Process 557
Figure 349 Menu 21: Filter and Firewall Setup 558
Figure 350 Menu 21.1: Filter Set Configuration 558
Figure 351 Menu 21.1.1.1: TCP/IP Filter Rule 560
Figure 352 Executing an IP Filter 562
Figure 353 Menu 21.1.1.1: Generic Filter Rule 563
Figure 354 Telnet Filter Example 564
Figure 355 Example Filter: Menu 21.1.3.1 565
Figure 356 Example Filter Rules Summary: Menu 21.1.3 565
Figure 357 Protocol and Device Filter Sets 566
Figure 358 Filtering LAN Traffic 568
Figure 359 Filtering DMZ Traffic 568
Figure 360 Filtering Remote Node Traffic 569
Figure 361 Menu 22: SNMP Configuration 571
Figure 362 Menu 24: System Maintenance 573
Figure 363 Menu 24.1: System Maintenance: Status 574
Figure 364 Menu 24.2: System Information and Console Port Speed 575
Figure 365 Menu 24.2.1: System Maintenance: Information 576
Figure 366 Menu 24.2.2: System Maintenance: Change Console Port Speed 577
Figure 367 Menu 24.3: System Maintenance: Log and Trace 577
Figure 368 Examples of Error and Information Messages 578
Figure 369 Menu 24.3.2: System Maintenance: Syslog Logging 578
Figure 370 Call-Triggering Packet Example 582
Figure 371 Menu 24.4: System Maintenance: Diagnostic 583
Figure 372 WAN & LAN DHCP 583
Figure 373 Telnet into Menu 24.5 587
Figure 374 FTP Session Example 587
Figure 375 System Maintenance: Backup Configuration 590
Figure 376 System Maintenance: Starting Xmodem Download Screen 590
Figure 377 Backup Configuration Example 590
Figure 378 Successful Backup Confirmation Screen 590
Figure 379 Telnet into Menu 24.6 591
Figure 380 Restore Using FTP Session Example 592
Figure 381 System Maintenance: Restore Configuration 592
Figure 382 System Maintenance: Starting Xmodem Download Screen 592

Figure 383 Restore Configuration Example 593
Figure 384 Successful Restoration Confirmation Screen 593
Figure 385 Telnet Into Menu 24.7.1: Upload System Firmware 594
Figure 386 Telnet Into Menu 24.7.2: System Maintenance 594
Figure 387 FTP Session Example of Firmware File Upload 595
Figure 388 Menu 24.7.1 As Seen Using the Console Port 597
Figure 389 Example Xmodem Upload 597
Figure 390 Menu 24.7.2 As Seen Using the Console Port 598
Figure 391 Example Xmodem Upload 598
Figure 392 Command Mode in Menu 24 599
Figure 393 Valid Commands 600
Figure 394 Call Control 601
Figure 395 Budget Management 602
Figure 396 Call History 603
Figure 397 Menu 24: System Maintenance 604
Figure 398 Menu 24.10 System Maintenance: Time and Date Setting 604
Figure 399 Menu 24.11 - Remote Management Control 608
Figure 400 Menu 25: Sample IP Routing Policy Summary 611
Figure 401 Menu 25.1: IP Routing Policy Setup 613
Figure 402 Menu 25.1.1: IP Routing Policy Setup 615
Figure 403 Example of IP Policy Routing 616
Figure 404 IP Routing Policy Example 1 616
Figure 405 IP Routing Policy Example 2 617
Figure 406 Schedule Setup 619
Figure 407 Schedule Set Setup 620
Figure 408 Applying Schedule Set(s) to a Remote Node (PPPoE) 621
Figure 409 Applying Schedule Set(s) to a Remote Node (PPTP) 622
Figure 410 Console/Dial Backup Cable DB-9 End Pin Layout 636
Figure 411 Wall-mounting Example 640
Figure 412 Pop-up Blocker 641
Figure 413 Internet Options 642
Figure 414 Internet Options 643
Figure 415 Pop-up Blocker Settings 643
Figure 416 Internet Options 644
Figure 417 Security Settings - Java Scripting 645
Figure 418 Security Settings - Java 645
Figure 419 Java (Sun) 646
Figure 420 Windows 95/98/Me: Network: Configuration 648
Figure 421 Windows 95/98/Me: TCP/IP Properties: IP Address 649
Figure 422 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 650
Figure 423 Windows XP: Start Menu 651
Figure 424 Windows XP: Control Panel 651
Figure 425 Windows XP: Control Panel: Network Connections: Properties 652

Figure 426 Windows XP: Local Area Connection Properties 652
Figure 427 Windows XP: Internet Protocol (TCP/IP) Properties 653
Figure 428 Windows XP: Advanced TCP/IP Properties 654
Figure 429 Windows XP: Internet Protocol (TCP/IP) Properties 655
Figure 430 Macintosh OS 8/9: Apple Menu 656
Figure 431 Macintosh OS 8/9: TCP/IP 656
Figure 432 Macintosh OS X: Apple Menu 657
Figure 433 Macintosh OS X: Network 658
Figure 434 Red Hat 9.0: KDE: Network Configuration: Devices 659
Figure 435 Red Hat 9.0: KDE: Ethernet Device: General 659
Figure 436 Red Hat 9.0: KDE: Network Configuration: DNS 660
Figure 437 Red Hat 9.0: KDE: Network Configuration: Activate 660
Figure 438 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 661
Figure 439 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 661
Figure 440 Red Hat 9.0: DNS Settings in resolv.conf 661
Figure 441 Red Hat 9.0: Restart Ethernet Card 661
Figure 442 Red Hat 9.0: Checking TCP/IP Properties 662
Figure 443 Peer-to-Peer Communication in an Ad-hoc Network 675
Figure 444 Basic Service Set 676
Figure 445 Infrastructure WLAN 677
Figure 446 RTS/CTS 678
Figure 447 WPA(2) with RADIUS Application Example 685
Figure 448 WPA(2)-PSK Authentication 686
Figure 449 Roaming Example 687
Figure 450 Security Certificate 691
Figure 451 Login Screen 692
Figure 452 Certificate General Information before Import 692
Figure 453 Certificate Import Wizard 1 693
Figure 454 Certificate Import Wizard 2 693
Figure 455 Certificate Import Wizard 3 694
Figure 456 Root Certificate Store 694
Figure 457 Certificate General Information after Import 695
Figure 458 ZyWALL Trusted CA Screen 696
Figure 459 CA Certificate Example 697
Figure 460 Personal Certificate Import Wizard 1 697
Figure 461 Personal Certificate Import Wizard 2 698
Figure 462 Personal Certificate Import Wizard 3 698
Figure 463 Personal Certificate Import Wizard 4 699
Figure 464 Personal Certificate Import Wizard 5 699
Figure 465 Personal Certificate Import Wizard 6 699
Figure 466 Access the ZyWALL Via HTTPS 700
Figure 467 SSL Client Authentication 700
Figure 468 ZyWALL Secure Login Screen 700

Figure 469 Displaying Log Categories Example 702
Figure 470 Displaying Log Parameters Example 702
Figure 471 Routing Command Example 704
Figure 472 Backup Gateway 705
Figure 473 Managing the Bandwidth of an IPSec SA 706
Figure 474 Managing the Bandwidth of an IKE SA 706
Figure 475 Routing Command Example 707

List of Tables

Table 1 Front Panel Lights 54
Table 2 Title Bar: Web Configurator Icons 58
Table 3 Web Configurator HOME Screen in Router Mode 59
Table 4 Web Configurator HOME Screen in Bridge Mode 63
Table 5 Bridge and Router Mode Features Comparison 65
Table 6 Screens Summary 66
Table 7 HOME > Show Statistics 70
Table 8 HOME > Show Statistics > Line Chart
Table 9 HOME > DHCP Table 72
Table 10 HOME > VPN Status 73
Table 11 ADVANCED > BW MGMT > Monitor
Table 12 ISP Parameters: Ethernet Encapsulation 76
Table 13 ISP Parameters: PPPoE Encapsulation 78
Table 14 ISP Parameters: PPTP Encapsulation 79
Table 15 Internet Access Wizard: Registration 82
Table 16 VPN Wizard: Gateway Setting 85
Table 17 VPN Wizard: Network Setting 86
Table 18 VPN Wizard: IKE Tunnel Setting 88
Table 19 VPN Wizard: IPSec Setting 90
Table 20 VPN Wizard: VPN Status 91
Table 21 REGISTRATION 108
Table 22 REGISTRATION > Service 110
Table 23 NETWORK > LAN 117
Table 24 NETWORK > LAN > Static DHCP 120
Table 25 NETWORK > LAN > IP Alias 122
Table 26 NETWORK > LAN > Port Roles 123
Table 27 STP Path Costs 126
Table 28 STP Port States 127
Table 29 NETWORK > Bridge 128
Table 30 NETWORK > Bridge > Port Roles 130
Table 31 Least Load First: Example 1 133
Table 32 Least Load First: Example 2 133
Table 33 NETWORK > WAN General 137
Table 34 Load Balancing: Least Load First 139
Table 35 Load Balancing: Weighted Round Robin 140
Table 36 Load Balancing: Spillover 141
Table 37 Private IP Address Ranges 141
Table 38 Example of Network Properties for LAN Servers with Fixed IP Addresses 142

Table 39 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) 144
Table 40 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) 147
Table 41 NETWORK > WAN > WAN 1 (PPTP Encapsulation) 150
Table 42 2G, 2.5G, 2.75G and 3G of Wireless Technologies 153
Table 43 NETWORK > WAN > WAN 2 (3G WAN) 154
Table 44 NETWORK > WAN > Traffic Redirect 157
Table 45 NETWORK > WAN > Dial Backup 158
Table 46 NETWORK > WAN > Dial Backup > Edit 162
Table 47 NETWORK > DMZ 164
Table 48 NETWORK > DMZ > Static DHCP 167
Table 49 NETWORK > DMZ > IP Alias 168
Table 50 NETWORK > DMZ > Port Roles 172
Table 51 NETWORK > WLAN 175
Table 52 NETWORK > WLAN > Static DHCP 178
Table 53 NETWORK > WLAN > IP Alias 179
Table 54 NETWORK > WLAN > Port Roles 182
Table 55 Types of Encryption for Each Type of Authentication 184
Table 56 NETWORK > WIRELESS CARD 186
Table 57 Configuring SSID 188
Table 58 Security Modes 189
Table 59 NETWORK > WIRELESS CARD > Security 189
Table 60 NETWORK > WIRELESS CARD > Security: None 190
Table 61 NETWORK > WIRELESS CARD > Security: WEP 191
Table 62 NETWORK > WIRELESS CARD > Security: 802.1x Only 192
Table 63 NETWORK > WIRELESS CARD > Security: 802.1x + Static WEP 193
Table 64 NETWORK > WIRELESS CARD > Security: WPA, WPA2 or WPA2-MIX 194
Table 65 NETWORK > WIRELESS CARD > Security: WPA(2)-PSK 195
Table 66 NETWORK > WIRELESS CARD > MAC Filter 197
Table 67 Blocking All LAN to WAN IRC Traffic Example 210
Table 68 Limited LAN to WAN IRC Traffic Example 210
Table 69 SECURITY > FIREWALL > Default Rule (Router Mode) 213
Table 70 SECURITY > FIREWALL > Default Rule (Bridge Mode) 215
Table 71 SECURITY > FIREWALL > Rule Summary 216
Table 72 SECURITY > FIREWALL > Rule Summary > Edit 219
Table 73 SECURITY > FIREWALL > Anti-Probing 221
Table 74 SECURITY > FIREWALL > Threshold 223
Table 75 SECURITY > FIREWALL > Service 224
Table 76 SECURITY > FIREWALL > Service > Add 226
Table 77 SECURITY > CONTENT FILTER > General 232
Table 78 SECURITY > CONTENT FILTER > Categories 236
Table 79 SECURITY > CONTENT FILTER > Customization 244
Table 80 SECURITY > CONTENT FILTER > Cache 247
Table 81 SECURITY > VPN > VPN Rules (IKE) 260

Table 82 VPN Example: Matching ID Type and Content 263
Table 83 VPN Example: Mismatching ID Type and Content 263
Table 84 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy 269
Table 85 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy 277
Table 86 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy 280
Table 87 SECURITY > VPN > VPN Rules (Manual) 285
Table 88 SECURITY > VPN > VPN Rules (Manual) > Edit 287
Table 89 SECURITY > VPN > SA Monitor 289
Table 90 SECURITY > VPN > Global Setting 290
Table 91 Telecommuters Sharing One VPN Rule Example 292
Table 92 Telecommuters Using Unique VPN Rules Example 293
Table 93 SECURITY > CERTIFICATES > My Certificates 300
Table 94 SECURITY > CERTIFICATES > My Certificates > Details 302
Table 95 SECURITY > CERTIFICATES > My Certificates > Export 305
Table 96 SECURITY > CERTIFICATES > My Certificates > Import 307
Table 97 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 307
Table 98 SECURITY > CERTIFICATES > My Certificates > Create 308
Table 99 SECURITY > CERTIFICATES > Trusted CAs 311
Table 100 SECURITY > CERTIFICATES > Trusted CAs > Details 312
Table 101 SECURITY > CERTIFICATES > Trusted CAs Import 315
Table 102 SECURITY > CERTIFICATES > Trusted Remote Hosts 316
Table 103 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import 317
Table 104 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details 319
Table 105 SECURITY > CERTIFICATES > Directory Servers 321
Table 106 SECURITY > CERTIFICATES > Directory Server > Add 322
Table 107 SECURITY > AUTH SERVER > Local User Database 325
Table 108 SECURITY > AUTHSERVER > RADIUS 325
Table 109 NAT Definitions 329
Table 110 NAT Mapping Types 333
Table 111 ADVANCED > NAT > NAT Overview 334
Table 112 ADVANCED > NAT > Address Mapping 336
Table 113 ADVANCED > NAT > Address Mapping > Edit 338
Table 114 Services and Port Numbers 339
Table 115 ADVANCED > NAT > Port Forwarding 342
Table 116 ADVANCED > NAT > Port Triggering 344
Table 117 ADVANCED > STATIC ROUTE > IP Static Route 346
Table 118 ADVANCED > STATIC ROUTE > IP Static Route > Edit 347
Table 119 ADVANCED > POLICY ROUTE > Policy Route Summary 351
Table 120 ADVANCED > POLICY ROUTE > Edit 352
Table 121 Application and Subnet-based Bandwidth Management Example 356
Table 122 Maximize Bandwidth Usage Example 358
Table 123 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example 358
Table 124 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example 359

Table 125 Bandwidth Borrowing Example 360
Table 126 Over Allotment of Bandwidth Example 361
Table 127 ADVANCED > BW MGMT > Summary 362
Table 128 ADVANCED > BW MGMT > Class Setup 363
Table 129 ADVANCED > BW MGMT > Class Setup > Add Sub-Class 365
Table 130 Services and Port Numbers 367
Table 131 ADVANCED > BW MGMT > Class Setup > Statistics 368
Table 132 ADVANCED > BW MGMT > Monitor 369
Table 133 ADVANCED > DNS > System DNS 374
Table 134 ADVANCED > DNS > Add (Address Record) 376
Table 135 ADVANCED > DNS > Insert (Name Server Record) 377
Table 136 ADVANCED > DNS > Cache 378
Table 137 ADVANCED > DNS > DHCP 379
Table 138 ADVANCED > DNS > DDNS 381
Table 139 ADVANCED > REMOTE MGMT > WWW 386
Table 140 ADVANCED > REMOTE MGMT > SSH 393
Table 141 ADVANCED > REMOTE MGMT > Telnet 397
Table 142 ADVANCED > REMOTE MGMT > FTP 398
Table 143 SNMP Traps 400
Table 144 ADVANCED > REMOTE MGMT > SNMP 401
Table 145 ADVANCED > REMOTE MGMT > DNS 402
Table 146 ADVANCED > REMOTE MGMT > CNM 403
Table 147 ADVANCED > UPnP 406
Table 148 ADVANCED > UPnP > Ports 407
Table 149 ADVANCED > ALG 420
Table 150 LOGS > View Log 424
Table 151 Log Description Example 424
Table 152 LOGS > Log Settings 428
Table 153 LOGS > Reports 430
Table 154 LOGS > Reports: Web Site Hits Report 431
Table 155 LOGS > Reports: Host IP Address 432
Table 156 LOGS > Reports: Protocol/Port 433
Table 157 Report Specifications 434
Table 158 System Maintenance Logs 434
Table 159 System Error Logs 436
Table 160 Access Control Logs 436
Table 161 TCP Reset Logs 437
Table 162 Packet Filter Logs 437
Table 163 ICMP Logs 437
Table 164 CDR Logs 438
Table 165 PPP Logs 438
Table 166 UPnP Logs 438
Table 167 Content Filtering Logs 439

Table 168 Attack Logs 439
Table 169 Remote Management Logs 441
Table 170 IPSec Logs 441
Table 171 IKE Logs 442
Table 172 PKI Logs 445
Table 173 Certificate Path Verification Failure Reason Codes 446
Table 174 ACL Setting Notes 446
Table 175 ICMP Notes 447
Table 176 Syslog Logs 448
Table 177 RFC-2408 ISAKMP Payload Types 449
Table 178 MAINTENANCE > General Setup 452
Table 179 MAINTENANCE > Password 453
Table 180 MAINTENANCE > Time and Date 454
Table 181 MAC-address-to-port Mapping Table 457
Table 182 MAINTENANCE > Device Mode (Router Mode) 459
Table 183 MAINTENANCE > Device Mode (Bridge Mode) 460
Table 184 MAINTENANCE > Firmware Upload 462
Table 185 Restore Configuration 464
Table 186 Main Menu Commands 470
Table 187 Main Menu Summary 472
Table 188 SMT Menus Overview 473
Table 189 Menu 1: General Setup (Router Mode) 477
Table 190 Menu 1: General Setup (Bridge Mode) 478
Table 191 Menu 1.1: Configure Dynamic DNS 479
Table 192 Menu 1.1.1: DDNS Host Summary 480
Table 193 Menu 1.1.1: DDNS Edit Host 481
Table 194 MAC Address Cloning in WAN Setup 484
Table 195 Menu 2: Dial Backup Setup 485
Table 196 Advanced WAN Port Setup: AT Commands Fields 486
Table 197 Advanced WAN Port Setup: Call Control Parameters 487
Table 198 Menu 11.3: Remote Node Profile (Backup ISP) 488
Table 199 Menu 11.3.2: Remote Node Network Layer Options 489
Table 200 Menu 11.3.3: Remote Node Script 491
Table 201 3G Modem Setup in WAN Setup 493
Table 202 Menu 11.2: Remote Node Profile (3G WAN) 494
Table 203 Menu 3.2: DHCP Ethernet Setup Fields 499
Table 204 Menu 3.2: LAN TCP/IP Setup Fields 500
Table 205 Menu 3.2.1: IP Alias Setup 501
Table 206 Menu 4: Internet Access Setup (Ethernet) 504
Table 207 New Fields in Menu 4 (PPTP) Screen 506
Table 208 New Fields in Menu 4 (PPPoE) screen 507
Table 209 Menu 6.1: Route Assessment 514
Table 210 Menu 6.2: Traffic Redirect 514

Table 211 Menu 6.3: Route Failover 515
Table 212 Menu 11.1: Remote Node Profile for Ethernet Encapsulation 522
Table 213 Fields in Menu 11.1 (PPPoE Encapsulation Specific) 524
Table 214 Menu 11.1: Remote Node Profile for PPTP Encapsulation 525
Table 215 Remote Node Network Layer Options Menu Fields 526
Table 216 Menu 12.1: Edit IP Static Route 530
Table 217 Applying NAT in Menus 4 & 11.1.2 535
Table 218 SUA Address Mapping Rules 537
Table 219 Fields in Menu 15.1.1 538
Table 220 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set 540
Table 221 15.2.x.x: NAT Server Configuration 542
Table 222 Menu 15.3.1: Trigger Port Setup 551
Table 223 Abbreviations Used in the Filter Rules Summary Menu 559
Table 224 Rule Abbreviations Used 559
Table 225 Menu 21.1.1.1: TCP/IP Filter Rule 560
Table 226 Generic Filter Rule Menu Fields 563
Table 227 SNMP Configuration Menu Fields 571
Table 228 SNMP Traps 572
Table 229 System Maintenance: Status Menu Fields 574
Table 230 Fields in System Maintenance: Information 576
Table 231 System Maintenance Menu Syslog Parameters 578
Table 232 System Maintenance Menu Diagnostic 584
Table 233 Filename Conventions 586
Table 234 General Commands for GUI-based FTP Clients 588
Table 235 General Commands for GUI-based TFTP Clients 589
Table 236 Valid Commands 600
Table 237 Budget Management 602
Table 238 Call History 603
Table 239 Menu 24.10 System Maintenance: Time and Date Setting 605
Table 240 Menu 24.11 - Remote Management Control 608
Table 241 Menu 25: Sample IP Routing Policy Summary 611
Table 242 IP Routing Policy Setup 612
Table 243 Menu 25.1: IP Routing Policy Setup 613
Table 244 Menu 25.1.1: IP Routing Policy Setup 615
Table 245 Schedule Set Setup 620
Table 246 Hardware Specifications 631
Table 247 Firmware Specifications 631
Table 248 Feature Specifications 633
Table 249 Performance 633
Table 250 Console Cable Pin Assignments 636
Table 251 Console Cable Pin Assignments 636
Table 252 Ethernet Cable Pin Assignments 636
Table 253 Classes of IP Addresses 663

Table 254 Allowed IP Address Range By Class 664
Table 255 "Natural" Masks 665
Table 256 Alternative Subnet Mask Notation 665
Table 257 Two Subnets Example 666
Table 258 Subnet 1 666
Table 259 Subnet 2 666
Table 260 Subnet 1 667
Table 261 Subnet 2 667
Table 262 Subnet 3 668
Table 263 Subnet 4 668
Table 264 Eight Subnets 668
Table 265 Class C Subnet Planning 668
Table 266 Class B Subnet Planning 669
Table 267 Commonly Used Services 671
Table 268 IEEE 802.11g 679
Table 269 Wireless Security Levels 680
Table 270 Comparison of EAP Authentication Types 683
Table 271 Wireless Security Relational Matrix 686
Table 272 NetBIOS Filter Default Settings 710
Table 273 Brute-Force Password Guessing Protection Commands 711

PART I

Introduction

Getting to Know Your ZyWALL (51)

Introducing the Web Configurator (55)

Wizard Setup (75)

Tutorial (95)

Registration (107)

Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 ZyWALL Internet Security Appliance Overview

The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates. The ZyWALL's De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers. The ZyWALL is designed for small and medium sized businesses that need the increased throughput and reliability of dual WAN interfaces and load balancing. The ZyWALL provides the option to change port roles from LAN to DMZ.

You can also deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration.

The ZyWALL provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.

The ZyWALL has a built-in wireless card that allows IEEE 802.11a, IEEE 802.11b or IEEE 802.11g compatible clients to securely communicate with the ZyWALL and access the wired network behind it. You can use the wireless card as part of the LAN, DMZ or WLAN.

Note: Only use firmware for your ZyWALL's specific model.

See Appendix A on page 245 for a complete list of features.

1.2 Ways to Manage the ZyWALL

Use any of the following methods to manage the ZyWALL.

  • Web Configurator. This is recommended for everyday management of the ZyWALL using a (supported) web browser.
  • Command Line Interface. CLI commands are mostly used for troubleshooting by service engineers.
  • SMT. The System Management Terminal is a text-based configuration menu that you can use to configure your device.
  • FTP. Use FTP for firmware upgrades and configuration backup/restore.
  • SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter in this User's Guide.
  • Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server.

Each of these management channels can be restricted to particular interfaces and source IP addresses in the REMOTE MGMT screens; allow each one only on the interfaces and from the addresses that actually need it.

1.3 Good Habits for Managing the ZyWALL

Do the following things regularly to make the ZyWALL more secure and to manage the ZyWALL more effectively.

  • Change the password. Use a password that's not easy to guess and that consists of different types of characters, such as numbers and letters.
  • Write down the password and put it in a safe place.
  • Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyWALL to its factory default settings. If you backed up an earlier configuration file, you would not have to totally reconfigure the ZyWALL. You could simply restore your last configuration.

1.4 Applications for the ZyWALL

Here are some examples of what you can do with your ZyWALL.

1.4.1 Secure Broadband Internet Access via Cable or DSL Modem

For Internet access, connect the WAN Ethernet port to your existing Internet access gateway (company network, or your cable or DSL modem for example). Connect computers or servers to the LAN, DMZ or WLAN ports for shared Internet access.

The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.

Figure 1 Secure Internet Access via Cable or DSL Modem

1.4.2 VPN Application

ZyWALL VPN is an ideal cost-effective way to securely connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites.

Figure 2 VPN Application

1.4.3 3G WAN Application

Insert a 3G card to have the ZyWALL (in router mode) wirelessly access the Internet via a 3G base station. See Section 8.12 on page 152 for more information about 3G.

With both the primary WAN (physical WAN port) and 3G WAN connections enabled, you can use load balancing to improve quality of service and maximize bandwidth utilization or set one of the WAN connections as a backup.

Figure 3 3G WAN Application

1.4.4 Front Panel Lights

Figure 4 Front Panel

The following table describes the lights.

Table 1 Front Panel Lights

LED | COLOR | STATUS | DESCRIPTION
PWR | | Off | The ZyWALL is turned off.
PWR | Green | On | The ZyWALL is ready and running.
PWR | Green | Flashing | The ZyWALL is restarting.
PWR | Red | On | The power to the ZyWALL is too low.
LAN/DMZ 10/100 | | Off | The LAN/DMZ is not connected.
LAN/DMZ 10/100 | Green | On | The ZyWALL has a successful 10Mbps Ethernet connection.
LAN/DMZ 10/100 | Green | Flashing | The 10M LAN is sending or receiving packets.
LAN/DMZ 10/100 | Orange | On | The ZyWALL has a successful 100Mbps Ethernet connection.
LAN/DMZ 10/100 | Orange | Flashing | The 100M LAN is sending or receiving packets.
WAN | | Off | The WAN connection is not ready, or has failed.
WAN | Green | On | The ZyWALL has a successful 10Mbps WAN connection.
WAN | Green | Flashing | The 10M WAN is sending or receiving packets.
WAN | Orange | On | The ZyWALL has a successful 100Mbps WAN connection.
WAN | Orange | Flashing | The 100M WAN is sending or receiving packets.
AUX | Green | Off | The backup port is not connected.
AUX | Green | On | The backup port is connected.
AUX | Green | Flashing | The backup port is sending or receiving packets.
WLAN | Green | Off | The wireless LAN is not ready, or has failed.
WLAN | Green | On | The wireless LAN is ready.
WLAN | Green | Flashing | The wireless LAN is sending or receiving packets.
CARD | | Off | There is no 3G card inserted in the ZyWALL.
CARD | Green | On | A 3G card is inserted and detected by the ZyWALL.
CARD | Orange | On | The 3G WAN connection is ready.
CARD | Orange | Flashing | The 3G WAN is sending or receiving packets.

Introducing the Web Configurator

This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.

In order to use the web configurator you need to allow:

  • Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
  • JavaScript (enabled by default).
  • Java permissions (enabled by default).

See Appendix C on page 641 if you want to make sure these functions are allowed in Internet Explorer or Netscape Navigator.

2.2 Accessing the ZyWALL Web Configurator

Note: By default, packets from the WLAN to the WLAN/ZyWALL are dropped, so users cannot configure the ZyWALL wirelessly.

1 Make sure your ZyWALL hardware is properly connected and prepare your computer/computer network to connect to the ZyWALL (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.1" as the URL.
4 Type "1234" (the default) as the password and click Login. In some versions, the default password appears automatically; if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply, or click Ignore. Because the factory password is the same on every unit, change it here rather than clicking Ignore.

Figure 5 Change Password Screen

6 Click Apply in the Replace Certificate screen to create a certificate that uses your ZyWALL's MAC address and is therefore specific to this device.

Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.

Figure 6 Replace Certificate Screen

7 You should now see the HOME screen (see Figure 9 on page 59).

Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.

2.3 Resetting the ZyWALL

If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all of your previous configuration, the console port speed will be reset to the default of 9600 bps with 8 data bits, no parity, one stop bit and no flow control, and the password will be reset to 1234. Both methods need nothing more than physical access: anyone who can reach the RESET button or the console port can return the ZyWALL to its factory state and default password, so keep the unit in a physically secured location.

2.3.1 Procedure To Use The Reset Button

Make sure the SYS LED is on (not blinking) before you begin this procedure.

1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button. The SYS LED will begin to blink and flicker very quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting.
5 Release the RESET button and wait for the ZyWALL to finish restarting.

2.3.2 Uploading the Default Configuration File via the Console Port

1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
2 Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
3 Enter "y" at the prompt to go into debug mode.
4 Enter "atlc" after the "Enter Debug Mode" message.
5 Wait for the "Starting XMODEM upload" message before activating the Xmodem upload on your terminal. The following figure shows an example Xmodem configuration upload using HyperTerminal.

Figure 7 Example Xmodem Upload

6 After the configuration file has been uploaded successfully, enter "atgo" to restart the ZyWALL.
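The console procedure above, scripted end to end, as an added example that is not ZyXEL's code or anything from this manual. It waits for the prompts the procedure quotes, issues atlc, sends the file with XMODEM (128-byte blocks, 8-bit checksum) once the device asks for it, and finishes with atgo. The transport is any object with read(n) and write(data); a pyserial port opened as serial.Serial("/dev/ttyUSB0", 9600, timeout=5) matches the 9600 8N1 console default (the device path is an assumption). FakeConsole is a constructed stand-in so the script runs offline, and the "(y/n)" wording of the confirmation prompt, which the manual does not quote, is also an assumption.

```python
"""Scripted console-port configuration upload (added example, not ZyXEL code).

Drives the prompts quoted in the procedure, then pushes the configuration
file with XMODEM-checksum.  `port` is anything with read(n) -> bytes and
write(data); FakeConsole below is a constructed stand-in for offline runs.
"""
SOH, EOT, ACK, NAK = b"\x01", b"\x04", b"\x06", b"\x15"
BLOCK = 128                      # XMODEM payload bytes per block
PAD = b"\x1a"                    # XMODEM pads the final block with Ctrl-Z


def wait_for(port, text, limit=65536):
    """Read one byte at a time until `text` has been seen; return what was read.
    Raises TimeoutError if the port returns nothing (serial timeout) or the
    prompt has not appeared within `limit` bytes."""
    needle, buf = text.encode(), bytearray()
    while needle not in buf:
        chunk = port.read(1)
        if not chunk or len(buf) >= limit:
            raise TimeoutError("console did not show %r" % text)
        buf += chunk
    return bytes(buf)


def xmodem_send(port, data):
    """Send `data` as XMODEM-checksum blocks and return how many were sent.
    The receiver opens the transfer with NAK; each block is SOH, the block
    number, its one's complement, 128 payload bytes and an 8-bit checksum."""
    for _ in range(256):                        # drain banner text up to the NAK
        if port.read(1) == NAK:
            break
    else:
        raise IOError("receiver never requested the transfer with NAK")
    blocks = [data[i:i + BLOCK].ljust(BLOCK, PAD) for i in range(0, len(data), BLOCK)]
    for n, payload in enumerate(blocks, start=1):
        frame = SOH + bytes([n & 0xFF, 0xFF - (n & 0xFF)]) + payload + bytes([sum(payload) & 0xFF])
        for _ in range(10):                     # resend a block the receiver NAKs
            port.write(frame)
            if port.read(1) == ACK:
                break
        else:
            raise IOError("block %d was never acknowledged" % n)
    port.write(EOT)
    if port.read(1) != ACK:
        raise IOError("EOT was not acknowledged")
    return len(blocks)


def upload_config_via_debug_mode(port, config):
    """Steps 2 to 6 of the procedure: enter debug mode, issue atlc, push the
    file when the device asks for it, then atgo to restart."""
    wait_for(port, "Press Any key to enter Debug Mode within 3 seconds")
    port.write(b"\r")
    wait_for(port, "(y/n)")                     # assumed wording of the prompt
    port.write(b"y\r")
    wait_for(port, "Enter Debug Mode")
    port.write(b"atlc\r")
    wait_for(port, "Starting XMODEM upload")
    blocks = xmodem_send(port, config)
    port.write(b"atgo\r")
    return {"blocks": blocks, "bytes": len(config)}


class FakeConsole:
    """Constructed stand-in for the serial port: replays the quoted prompts,
    checks each XMODEM block's checksum, and records the commands and payload
    it received so the result can be verified."""

    def __init__(self):
        self.out = bytearray(b"\r\nPress Any key to enter Debug Mode within 3 seconds.\r\n")
        self.commands, self.payload, self.stage = [], bytearray(), "boot"

    def read(self, n=1):
        chunk, self.out = bytes(self.out[:n]), self.out[n:]
        return chunk

    def write(self, data):
        if self.stage == "boot":                # any key enters debug mode
            self.stage, self.out = "confirm", self.out + b"Enter Debug Mode (y/n)? "
        elif self.stage == "confirm" and data == b"y\r":
            self.stage, self.out = "debug", self.out + b"\r\nEnter Debug Mode\r\n> "
        elif self.stage == "debug":
            self.commands.append(data.strip())
            if data == b"atlc\r":
                self.stage, self.out = "xmodem", self.out + b"Starting XMODEM upload\r\n" + NAK
        elif self.stage == "xmodem" and data == EOT:
            self.stage, self.out = "debug", self.out + ACK
        elif self.stage == "xmodem":
            body = data[3:3 + BLOCK]
            if data[0:1] != SOH or (sum(body) & 0xFF) != data[-1]:
                self.out += NAK                 # corrupted block: ask for it again
            else:
                self.payload += body
                self.out += ACK


if __name__ == "__main__":
    print(upload_config_via_debug_mode(FakeConsole(), b"# constructed config\n" * 20))
```

On a real unit, pass the open pyserial port instead of FakeConsole and give the bytes of the downloaded default configuration file as `config`. The fake's checksum check is the only integrity protection XMODEM offers: there is no authentication on this path, which is why the console port deserves the same physical protection as the RESET button.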

2.4 Navigating the ZyWALL Web Configurator

The following summarizes how to navigate the web configurator from the HOME screen.

Figure 8 HOME Screen

As illustrated above, the main screen is divided into these parts:

  • A - title bar
  • B - navigation panel
  • C - main window
  • D - status bar

2.4.1 Title Bar

The title bar provides some icons in the upper right corner.

The icons provide the following functions.

Table 2 Title Bar: Web Configurator Icons

ICON | DESCRIPTION
Wizards | Click this icon to open one of the web configurator wizards. See Chapter 3 on page 75 for more information.
Help | Click this icon to open the help page for the current screen.

2.4.2 Main Window

The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document.

Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE > Device Mode screen.

2.4.3 HOME Screen: Router Mode

The following screen displays when the ZyWALL is set to router mode. This screen displays general status information about the ZyWALL. The ZyWALL is set to router mode by default.

Note: WAN 2 refers to the 3G card on the supported ZyWALL in router mode.
Figure 9 Web Configurator HOME Screen in Router Mode

The following table describes the labels in this screen.

Table 3 Web Configurator HOME Screen in Router Mode

LABEL | DESCRIPTION
Automatic Refresh Interval | Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh | Click this button to update the status screen statistics immediately.
System Information |
System Name | This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Model | This is the model name of your ZyWALL.
Bootbase Version | This is the bootbase version and the date created.
Firmware Version | This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System. Click the field label to go to the screen where you can upload a new firmware file.
Up Time | This field displays how long the ZyWALL has been running since it last started up. The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 57).
System Time | This field displays your ZyWALL's present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it. Click the field label to go to the screen where you can modify the ZyWALL's date and time settings.
Device Mode | This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
Firewall | This displays whether or not the ZyWALL's firewall is activated. Click the field label to go to the screen where you can turn the firewall on or off.
System Resources |
Flash | The first number shows how many megabytes of the flash the ZyWALL is using.
Memory | The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in megabytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions | The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
CPU | This field displays what percentage of the ZyWALL's processing ability is currently used. When this percentage is close to 100%, the ZyWALL is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using bandwidth management).
Interfaces | This is the port type. Click "+" to expand or "-" to collapse the IP alias drop-down lists. Hold your cursor over an interface's label to display the interface's MAC address. Click an interface's label to go to the screen where you can configure settings for that interface.
Status | For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time. The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect. For the WAN interface(s) and the Dial Backup port, it displays the port speed and duplex setting if you're using Ethernet encapsulation, or the remote node name (configured through the SMT) for a PPP connection, and Down (line is down or not connected), Idle (PPP line idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation.
IP/Netmask | This shows the port's IP address and subnet mask.
IP Assignment | For the WAN, if the ZyWALL gets its IP address automatically from an ISP, this displays DHCP client when you're using Ethernet encapsulation and IPCP Client when you're using PPPoE or PPTP encapsulation. Static displays if the WAN port is using a manually entered static (fixed) IP address. For the LAN, WLAN or DMZ, DHCP server displays when the ZyWALL is set to automatically give IP address information to the computers connected to the LAN. DHCP relay displays when the ZyWALL is set to forward IP address assignment requests to another DHCP server. Static displays if the LAN port is using a manually entered static (fixed) IP address. In this case, you must have another DHCP server on your LAN, or else the computers must be manually configured. For the dial backup port, this shows N/A when dial backup is disabled and IPCP client when dial backup is enabled.
Renew | If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port's dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP, PPPoE or dial backup connection. Click Drop to disconnect the PPTP, PPPoE, 3G WAN or dial backup connection.
Security Services |
Content Filter Expiration Date | This is the date the category-based content filtering service subscription expires. Click the field label to go to the screen where you can update your service subscription.
Web Site Blocked | This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
3G WAN Interface Status | The fields below appear on a ZyWALL with a 3G card inserted.
3G Connection Status | This displays WAN2 (the remote node name configured through the SMT) when the 3G connection is up, Down when the 3G connection is down or not activated, Idle when the 3G connection is idle, Init when the ZyWALL is initializing the 3G card, and Drop when the ZyWALL is dropping a call. This also displays whether the ZyWALL is connected to a UMTS/HSDPA network or a GPRS/EDGE network.
Service Provider | This displays the name of your network service provider, or Limited Service when the signal strength is too low.
Signal Strength | This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider's base station.
Connection Up Time | This displays how long the 3G connection has been up.
Tx Bytes | This displays the total number of data frames transmitted.
Rx Bytes | This displays the total number of data frames received.
3G Card Manufacturer | This displays the manufacturer of your 3G card.
3G Card Model | This displays the model name of your 3G card.
3G Card Firmware Revision | This displays the version of the firmware currently used in the 3G card.
3G Card IMEI | This displays the International Mobile Equipment Identity (IMEI), which is the serial number of the 3G wireless card. The IMEI is a unique 15-digit number used to identify a mobile device.
SIM Card IMSI | This displays the International Mobile Subscriber Identity (IMSI) stored in the SIM (Subscriber Identity Module) card. The SIM card is installed in a mobile device and used for authenticating a customer to the carrier network. The IMSI is a unique 15-digit number used to identify a user on a network.
Latest Alerts | This table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets.
Date/Time | This is the date and time the alert was recorded.
Message | This is the reason for the alert.
System Status |
Port Statistics | Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
DHCP Table | Click DHCP Table to show current DHCP client information.
VPN | Click VPN to display the active VPN connections.
Bandwidth | Click Bandwidth to view the ZyWALL's bandwidth usage and allotments.

2.4.4 HOME Screen: Bridge Mode

The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.

In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.

You can use the firewall and VPN in bridge mode. See Table 5 in Section 2.4.5 for the other features that are available in bridge mode.

Figure 10 Web Configurator HOME Screen in Bridge Mode

The following table describes the labels in this screen.

Table 4 Web Configurator HOME Screen in Bridge Mode

LABEL | DESCRIPTION
Automatic Refresh Interval | Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh | Click this button to update the screen's statistics immediately.
System Information |
System Name | This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Model | This is the model name of your ZyWALL.
Bootbase Version | This is the bootbase version and the date created.
Firmware Version | This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System. Click the field label to go to the screen where you can upload a new firmware file.
Up Time | This field displays how long the ZyWALL has been running since it last started up. The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 57).
System Time | This field displays your ZyWALL's present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it. Click the field label to go to the screen where you can modify the ZyWALL's date and time settings.
Device Mode | This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
Firewall | This displays whether or not the ZyWALL's firewall is activated. Click the field label to go to the screen where you can turn the firewall on or off.
System Resources |
Flash | The first number shows how many megabytes of the flash the ZyWALL is using.
Memory | The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in megabytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions | The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
CPU | This field displays what percentage of the ZyWALL's processing ability is currently used. When this percentage is close to 100%, the ZyWALL is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using bandwidth management).
Network Status |
IP/Netmask Address | This is the IP address and subnet mask of your ZyWALL in dotted decimal notation.
Gateway IP Address | This is the gateway IP address.
Rapid Spanning Tree Protocol | This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The RSTP labels and values that follow do not apply when RSTP is disabled.
Bridge Priority | This is the bridge priority of the ZyWALL. The bridge (or switch) with the lowest bridge priority value in the network is the root bridge (the base of the spanning tree).
Bridge Hello Time | This is the interval between BPDUs (Bridge Protocol Data Units) sent by the root bridge.
Bridge Max Age | This is the predefined interval that a bridge waits to get a Hello message (BPDU) from the root bridge.
Forward Delay | This is the forward delay interval.
Bridge Port | This is the port type. Port types are: WAN, LAN, Wireless Card, DMZ and WLAN Interface.
Port Status | For the WAN, LAN, DMZ, and WLAN Interfaces, this displays the port speed and duplex setting. For the WAN port, it displays Down when the link is not ready or has failed. For the wireless card, it displays the transmission rate when WLAN is enabled or Down when WLAN is disabled.
RSTP Status | This is the RSTP status of the corresponding port.
RSTP Active | This shows whether or not RSTP is active on the corresponding port.
RSTP Priority | This is the RSTP priority of the corresponding port.
RSTP Path Cost | This is the cost of transmitting a frame from the root bridge to the corresponding port.
Security Services |
Content Filter Expiration Date | This is the date the category-based content filtering service subscription expires. Click the field label to go to the screen where you can update your service subscription.
Web Site Blocked | This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
Latest Alerts | This table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets.
Date/Time | This is the date and time the alert was recorded.
Message | This is the reason for the alert.
System Status |
Port Statistics | Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
VPN | Click VPN to display the active VPN connections.
Bandwidth | Click Bandwidth to view the ZyWALL's bandwidth usage and allotments.

2.4.5 Navigation Panel

After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features.

The following table lists the features available for each device mode.

Table 5 Bridge and Router Mode Features Comparison

FEATURE | BRIDGE MODE | ROUTER MODE
Internet Access Wizard | | O
VPN Wizard | O | O
DHCP Table | | O
System Statistics | O | O
Registration | O | O
LAN | | O
WAN | | O
DMZ | | O
Bridge | O |
WLAN | | O
Wireless Card | O | O
Firewall | O | O
Content Filter | O | O
VPN | O | O
Certificates | O | O
Authentication Server | O | O
NAT | | O
Static Route | | O
Policy Route | | O
Bandwidth Management | O | O
DNS | | O
Remote Management | O | O
UPnP | | O
ALG | O | O
Logs | O | O
Maintenance | O | O

Table Key: An O in a mode's column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.

The following table describes the sub-menus.

Table 6 Screens Summary

LINK | TAB | FUNCTION
HOME | | This screen shows the ZyWALL's general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
REGISTRATION | Registration | Use this screen to register your ZyWALL and activate the trial service subscriptions.
 | Service | Use this screen to manage and update the service status and license information.
NETWORK | |
LAN | LAN | Use this screen to configure LAN DHCP and TCP/IP settings.
 | Static DHCP | Use this screen to assign fixed IP addresses on the LAN.
 | IP Alias | Use this screen to partition your LAN interface into subnets.
 | Port Roles | Use this screen to change the LAN/DMZ/WLAN port roles.
BRIDGE | Bridge | Use this screen to change the bridge settings on the ZyWALL.
 | Port Roles | Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WAN | General | This screen allows you to configure load balancing, route priority and traffic redirect properties.
 | WAN1 | Use this screen to configure the WAN1 connection for Internet access.
 | WAN2 | Use this screen to configure the WAN2 connection for Internet access.
 | Traffic Redirect | Use this screen to configure your traffic redirect properties and parameters.
 | Dial Backup | Use this screen to configure the backup WAN dial-up connection.
DMZ | DMZ | Use this screen to configure your DMZ connection.
 | Static DHCP | Use this screen to assign fixed IP addresses on the DMZ.
 | IP Alias | Use this screen to partition your DMZ interface into subnets.
 | Port Roles | Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WLAN | WLAN | Use this screen to configure your WLAN connection.
 | Static DHCP | Use this screen to assign fixed IP addresses on the WLAN.
 | IP Alias | Use this screen to partition your WLAN interface into subnets.
 | Port Roles | Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WIRELESS CARD | Wireless Card | Use this screen to configure the wireless LAN settings.
 | Security | Use this screen to configure the WLAN security settings.
 | MAC Filter | Use this screen to change MAC filter settings on the ZyWALL.
SECURITY | |
FIREWALL | Default Rule | Use this screen to activate/deactivate the firewall and set the direction of network traffic to which the default rule applies.
 | Rule Summary | This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
 | Anti-Probing | Use this screen to change your anti-probing settings.
 | Threshold | Use this screen to configure the threshold for DoS attacks.
 | Service | Use this screen to configure custom services.
CONTENT FILTER | General | This screen allows you to enable content filtering and block certain web features.
 | Categories | Use this screen to select which categories of web pages to filter out, as well as to register for external database content filtering and view reports.
 | Customization | Use this screen to customize the content filter list.
 | Cache | Use this screen to view and configure the ZyWALL's URL caching.
VPN | VPN Rules (IKE) | Use this screen to configure VPN connections using IKE key management and view the rule summary.
 | VPN Rules (Manual) | Use this screen to configure VPN connections using manual key management and view the rule summary.
 | SA Monitor | Use this screen to display and manage active VPN connections.
 | Global Setting | Use this screen to configure the IPSec timer settings.
CERTIFICATES | My Certificates | Use this screen to view a summary list of certificates and manage certificates and certification requests.
 | Trusted CAs | Use this screen to view and manage the list of the trusted CAs.
 | Trusted Remote Hosts | Use this screen to view and manage the certificates belonging to the trusted remote hosts.
 | Directory Servers | Use this screen to view and manage the list of the directory servers.
AUTH SERVER | Local User Database | Use this screen to configure the local user account(s) on the ZyWALL.
 | RADIUS | Use this screen to configure an external RADIUS server to authenticate wireless and/or VPN users.
ADVANCED | |
NAT | NAT Overview | Use this screen to enable NAT.
 | Address Mapping | Use this screen to configure network address translation mapping rules.
 | Port Forwarding | Use this screen to configure servers behind the ZyWALL.
 | Port Triggering | Use this screen to change your ZyWALL's port triggering settings.
STATIC ROUTE | IP Static Route | Use this screen to configure IP static routes.
POLICY ROUTE | Policy Route Summary | Use this screen to view a summary list of all the policies and configure policies for use in IP policy routing.
BW MGMT | Summary | Use this screen to enable bandwidth management on an interface.
 | Class Setup | Use this screen to set up the bandwidth classes.
 | Monitor | Use this screen to view the ZyWALL's bandwidth usage and allotments.
DNS | System | Use this screen to configure the address and name server records.
 | Cache | Use this screen to configure the DNS resolution cache.
 | DHCP | Use this screen to configure LAN/DMZ/WLAN DNS information.
 | DDNS | Use this screen to set up dynamic DNS.
REMOTE MGMT | WWW | Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL.
 | SSH | Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
 | TELNET | Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL.
 | FTP | Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL.
 | SNMP | Use this screen to configure your ZyWALL's settings for Simple Network Management Protocol management.
 | DNS | Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyWALL.
 | CNM | Use this screen to configure and allow your ZyWALL to be managed by the Vantage CNM server.
UPnP | UPnP | Use this screen to enable UPnP on the ZyWALL.
 | Ports | Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
ALG | ALG | Use this screen to allow certain applications to pass through the ZyWALL.
LOGS | View Log | Use this screen to view the logs for the categories that you selected.
 | Log Settings | Use this screen to change your ZyWALL's log settings.
 | Reports | Use this screen to have the ZyWALL record and display the network usage reports.
MAINTENANCE | General | This screen contains administrative.
 | Password | Use this screen to change your password.
 | Time and Date | Use this screen to change your ZyWALL's time and date.
 | Device Mode | Use this screen to configure and have your ZyWALL work as a router or a bridge.
 | F/W Upload | Use this screen to upload firmware to your ZyWALL.
 | Backup & Restore | Use this screen to back up and restore the configuration or reset your ZyWALL to the factory defaults.
 | Restart | This screen allows you to reboot the ZyWALL without turning the power off.
LOGOUT | | Click this label to exit the web configurator.

2.4.6 Port Statistics

Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The Poll Interval(s) field is configurable. Not all items described are available on all models.

Figure 11 HOME > Show Statistics

The following table describes the labels in this screen.

Table 7 HOME > Show Statistics

LABEL: DESCRIPTION
(icon): Click the icon to display the chart of throughput statistics.
Port: These are the ZyWALL's interfaces.
Status: For the WAN interface(s) and the Dial Backup port, this displays the port speed and duplex setting if you're using Ethernet encapsulation, or the remote node name for a PPP connection and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation. Dial backup is not available in bridge mode. For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. For the WLAN card, this displays the transmission rate when WLAN is enabled or Down when WLAN is disabled.
TxPkts: This is the number of transmitted packets on this port.
RxPkts: This is the number of received packets on this port.
Tx B/s: This displays the transmission speed in bytes per second on this port.
Rx B/s: This displays the reception speed in bytes per second on this port.
Up Time: This is the total amount of time the line has been up.
System Up Time: This is the total time the ZyWALL has been on.
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh: Click this button to update the screen's statistics immediately.

2.4.7 Show Statistics: Line Chart

Click the icon in the Show Statistics screen. This screen shows you a line chart of each port's throughput statistics.

Figure 12 HOME > Show Statistics > Line Chart

The following table describes the labels in this screen.

Table 8 HOME > Show Statistics > Line Chart

LABEL: DESCRIPTION
(icon): Click the icon to go back to the Show Statistics screen.
Port: Select the check box(es) to display the throughput statistics of the corresponding interface(s).
B/s: Specify the direction of the traffic for which you want to show throughput statistics in this table. Select Tx to display transmitted traffic throughput statistics and the amount of traffic (in bytes). Select Rx to display received traffic throughput statistics and the amount of traffic (in bytes).
Throughput Range: Set the range of the throughput (in B/s, KB/s or MB/s) to display. Click Set Range to save this setting back to the ZyWALL.

2.4.8 DHCP Table Screen

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.

Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL's DHCP server.

Figure 13 HOME > DHCP Table

The following table describes the labels in this screen.

Table 9 HOME > DHCP Table

LABEL: DESCRIPTION
Interface: Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
MAC Address: The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve: Select the check box in the heading row to automatically select all check boxes, or select the check box(es) in each entry to have the ZyWALL always assign the selected entry(ies)'s IP address(es) to the corresponding MAC address(es) (and host name(s)). You can select up to 128 entries in this table. After you click Apply, the MAC address and IP address also display in the corresponding LAN, DMZ or WLAN Static DHCP screen (where you can edit them).
Refresh: Click Refresh to reload the DHCP table.

2.4.9 VPN Status

Click VPN in the HOME screen. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.

Figure 14 HOME > VPN Status

The following table describes the labels in this screen.

LABEL: DESCRIPTION
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Remote Network: This field displays the IP address (in a range) of computers on the remote network behind the remote IPSec router.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh: Click this button to update the screen's statistics immediately.

2.4.10 Bandwidth Monitor

Click Bandwidth in the HOME screen to display the bandwidth monitor. This screen displays the device's bandwidth usage and allotments.

Figure 15 Home > Bandwidth Monitor

The following table describes the labels in this screen.

Table 11 ADVANCED > BW MGMT > Monitor

LABEL: DESCRIPTION
Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class: This field displays the name of the bandwidth class. A Default Class automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes. If you do not enable maximize bandwidth usage on an interface, the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes. (See note A below.)
Budget (kbps): This field displays the amount of bandwidth allocated to the bandwidth class.
Current Usage (kbps): This field displays the amount of bandwidth that each bandwidth class is using.
Automatic Refresh Interval: Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh: Click this button to update the screen's statistics immediately.

A. If you allocate all the root class's bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).

Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview

The web configurator's setup wizards help you configure Internet and VPN connection settings.

In the HOME screen, click the Wizard icon to open the Wizard Setup Welcome screen. The following summarizes the wizards you can select:

  • Internet Access Setup

Click this link to open a wizard to set up an Internet connection for WAN 1 (the WAN port) on the ZyWALL (in router mode).

  • VPN Setup

Use VPN SETUP to configure a VPN connection that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. See Section 3.3 on page 84.

Figure 16 Wizard Setup Welcome

3.2 Internet Access

The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information.

3.2.1 ISP Parameters

The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.

The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field.

3.2.1.1 Ethernet

For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.

Choose Ethernet when the WAN port is used as a regular Ethernet.

Figure 17 ISP Parameters: Ethernet Encapsulation

The following table describes the labels in this screen.

Table 12 ISP Parameters: Ethernet Encapsulation

LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
My WAN IP Subnet Mask: Enter the IP subnet mask in this field.
Gateway IP Address: Enter the gateway IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.

3.2.1.2 PPPoE Encapsulation

Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.

Figure 18 ISP Parameters: PPPoE Encapsulation

The following table describes the labels in this screen.

Table 13 ISP Parameters: PPPoE Encapsulation

LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name: Type the name of your service provider.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again for confirmation.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.

3.2.1.3 PPTP Encapsulation

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.

PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.

The ZyWALL supports one PPTP server connection at any given time.

Figure 19 ISP Parameters: PPTP Encapsulation

The following table describes the labels in this screen.

Table 14 ISP Parameters: PPTP Encapsulation

LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the User Name above.
Retype to Confirm: Type your password again for confirmation.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back: Click Back to return to the previous wizard screen.
Apply: Click Apply to save your changes and go to the next screen.

3.2.2 Internet Access Wizard: Second Screen

Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering trial application. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup.

Figure 20 Internet Access Wizard: Second Screen

Figure 21 Internet Access Setup Complete

3.2.3 Internet Access Wizard: Registration

If you clicked Next in the previous screen (see Figure 20 on page 80), the following screen displays.

Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial applications of services like content filtering, antispam, anti-virus and IDP.

If you want to activate a standard service with your iCard's PIN number (license key), use the REGISTRATION > Service screen.

Figure 22 Internet Access Wizard: Registration

The following table describes the labels in this screen.

Table 15 Internet Access Wizard: Registration

LABEL: DESCRIPTION
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account: If you haven't created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.com account: If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL.
UserID: Enter a user name for your myZyXEL.com account. The name should be from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Check: Click this button to check with the myZyXEL.com database to verify that the user name you entered has not been used.
Password: Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Confirm Password: Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country: Select your country from the drop-down list box.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.

After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish.

Figure 23 Internet Access Wizard: Registration in Progress

3.2.4 Internet Access Wizard: Status

This screen shows your device registration and service subscription status. Click Close to leave the wizard screen when the registration and activation are done.

Figure 24 Internet Access Wizard: Status

The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.

Figure 25 Internet Access Wizard: Registration Failed

3.2.5 Internet Access Wizard: Service Activation

If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.

Figure 26 Internet Access Wizard: Registered Device

Figure 27 Internet Access Wizard: Activated Services

3.3 VPN Wizard Gateway Setting

Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel.

Click VPN Setup in the Wizard Setup Welcome screen (Figure 16 on page 75) to open the VPN configuration wizard. The first screen displays as shown next.

Figure 28 VPN Wizard: Gateway Setting

The following table describes the labels in this screen.

Table 16 VPN Wizard: Gateway Setting

LABEL: DESCRIPTION
Gateway Policy Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
My ZyWALL: When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The following applies if the My ZyWALL field is configured as 0.0.0.0: When the WAN interface operation mode is set to Active/Passive, the ZyWALL uses the IP address (static or dynamic) of the WAN interface that is in use. When the WAN interface operation mode is set to Active/Active, the ZyWALL uses the IP address (static or dynamic) of the primary (highest priority) WAN interface to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up. If the corresponding WAN1 or WAN2 connection goes down, the ZyWALL uses the IP address of the other WAN interface. If both WAN connections go down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL's IP address.
Remote Gateway Address: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address or a domain name. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.

3.4 VPN Wizard Network Setting

Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel.

Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.

Figure 29 VPN Wizard: Network Setting

The following table describes the labels in this screen.

Table 17 VPN Wizard: Network Setting

LABEL: DESCRIPTION
Network Policy Property
Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Name: Type up to 32 characters to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Network Policy Setting
Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address: When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask: When the Local Network field is configured to Single, this field is N/A. When the Local Network field is configured to Range IP, enter the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address: When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask: When the Remote Network field is configured to Single, this field is N/A. When the Remote Network field is configured to Range IP, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
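The rule in this section, that two active SAs may share a local network or a remote network but not both, is worth checking before a policy is applied, because the wizard's Single, Range IP and Subnet selectors can describe the same hosts in different ways. The Python below is an added example, not ZyXEL code and not anything the ZyWALL itself runs; the policy records and every address in them are constructed for illustration, and the example assumes that a Range IP covering exactly the hosts of a subnet counts as the same network as that subnet.

```python
"""Detect VPN network policies that break the rule stated in the manual:
two *active* SAs may share a local network or a remote network, but not both.
Inactive policies are ignored, as the manual allows several identical SAs
as long as only one is active.

Added example; policy records and addresses below are constructed, not
taken from a ZyWALL.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NetworkSelector:
    """One side of a network policy, mirroring the wizard's selector choices."""
    kind: str              # "Single", "Range IP" or "Subnet"
    start: str             # Starting IP Address
    end_or_mask: str = ""  # Ending IP Address (Range IP) or Subnet Mask (Subnet)

    def address_range(self) -> Tuple[int, int]:
        """Normalise to an inclusive (first, last) pair of integer addresses so
        that a Range IP and a Subnet covering the same hosts compare equal
        (assumption: the ZyWALL treats such selectors as the same network)."""
        first = int(ipaddress.IPv4Address(self.start))
        if self.kind == "Single":
            return (first, first)
        if self.kind == "Range IP":
            last = int(ipaddress.IPv4Address(self.end_or_mask))
            if last < first:
                raise ValueError("Ending IP Address precedes Starting IP Address")
            return (first, last)
        if self.kind == "Subnet":
            # strict=False lets the Starting IP Address be any host on the subnet,
            # as the table allows for the Subnet choice.
            net = ipaddress.IPv4Network((self.start, self.end_or_mask), strict=False)
            return (int(net.network_address), int(net.broadcast_address))
        raise ValueError(f"unknown selector kind {self.kind!r}")


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    active: bool
    local: NetworkSelector
    remote: NetworkSelector


def find_conflicts(policies: List[NetworkPolicy]) -> List[Tuple[str, str]]:
    """Return (name_a, name_b) pairs of active policies whose local AND remote
    networks are both the same. Sharing only one side is permitted."""
    active = [p for p in policies if p.active]
    conflicts = []
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            same_local = a.local.address_range() == b.local.address_range()
            same_remote = a.remote.address_range() == b.remote.address_range()
            if same_local and same_remote:
                conflicts.append((a.name, b.name))
    return conflicts


# Constructed sample policies (hypothetical names and addresses).
SAMPLE_POLICIES = [
    NetworkPolicy("branch-a", True,
                  NetworkSelector("Subnet", "192.168.1.0", "255.255.255.0"),
                  NetworkSelector("Subnet", "10.0.0.0", "255.255.255.0")),
    # Same hosts expressed as Range IP on both sides: a real duplicate.
    NetworkPolicy("branch-a-dup", True,
                  NetworkSelector("Range IP", "192.168.1.0", "192.168.1.255"),
                  NetworkSelector("Range IP", "10.0.0.0", "10.0.0.255")),
    # Same local network, different remote host: allowed.
    NetworkPolicy("branch-b", True,
                  NetworkSelector("Subnet", "192.168.1.0", "255.255.255.0"),
                  NetworkSelector("Single", "10.0.1.5")),
    # Identical to branch-a but inactive: allowed by the manual's rule.
    NetworkPolicy("branch-a-spare", False,
                  NetworkSelector("Subnet", "192.168.1.0", "255.255.255.0"),
                  NetworkSelector("Subnet", "10.0.0.0", "255.255.255.0")),
]

if __name__ == "__main__":
    for a, b in find_conflicts(SAMPLE_POLICIES):
        print(f"conflict: {a} and {b} are both active with identical local and remote networks")
```

Running the block reports only the branch-a / branch-a-dup pair; branch-b is accepted because it differs on the remote side, and branch-a-spare is skipped because its Active box is clear.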

3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)

Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.

Figure 30 VPN Wizard: IKE Tunnel Setting

The following table describes the labels in this screen.

Table 18 VPN Wizard: IKE Tunnel Setting

LABEL: DESCRIPTION
Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords. Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1 (a 768-bit random number). DH2 refers to Diffie-Hellman Group 2 (a 1024-bit (1Kb) random number).
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
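The pre-shared key format in this table (8 to 31 case-sensitive ASCII characters, or "0x" followed by 16 to 62 hexadecimal digits with the "0x" not counted) is easy to get wrong, and the manual notes that a mismatch between the two ends shows up only as a PYLD_MALFORMED packet during phase 1. The Python validator below is an added example, not ZyXEL code; it assumes that "ASCII" means printable ASCII (space through "~") and that the hexadecimal digits are exactly the "0-9" and "A-F" the manual lists, and the sample keys it checks are constructed.

```python
"""Validate an IKE phase 1 pre-shared key against the format rules the
manual states for the VPN wizard, and compare the keys held at both ends.

Added example, not ZyWALL code. Assumptions not spelled out by the manual:
"ASCII" is taken as printable ASCII (space through "~"), and the
hexadecimal alphabet is the uppercase "0-9", "A-F" the manual lists.
"""
import re
from typing import Tuple

ASCII_MIN, ASCII_MAX = 8, 31   # character counts given in the manual
HEX_MIN, HEX_MAX = 16, 62      # hex digit counts given in the manual, "0x" excluded

_HEX_RE = re.compile(r"[0-9A-F]+")   # assumption: uppercase only, as the manual lists


def classify_psk(key: str) -> Tuple[str, int]:
    """Return ("hex", n) or ("ascii", n) for a key the wizard would accept,
    where n is the counted length (hex digits after "0x", or ASCII characters).
    Raise ValueError naming the first rule the key breaks."""
    # A key beginning with "0x" is hexadecimal by the manual's rule, so the
    # ASCII branch never sees a key that starts with "0x".
    if key.startswith("0x"):
        body = key[2:]
        if not _HEX_RE.fullmatch(body):
            raise ValueError("hexadecimal key may only contain 0-9 and A-F after 0x")
        if not HEX_MIN <= len(body) <= HEX_MAX:
            raise ValueError(f"hexadecimal key needs {HEX_MIN} to {HEX_MAX} digits, got {len(body)}")
        return ("hex", len(body))
    if not key.isascii() or not key.isprintable():   # assumption: printable ASCII
        raise ValueError("ASCII key contains non-ASCII or control characters")
    if not ASCII_MIN <= len(key) <= ASCII_MAX:
        raise ValueError(f"ASCII key needs {ASCII_MIN} to {ASCII_MAX} characters, got {len(key)}")
    return ("ascii", len(key))


def psk_problem(key: str) -> str:
    """Return "" if the key is acceptable, otherwise the rule it breaks."""
    try:
        classify_psk(key)
    except ValueError as exc:
        return str(exc)
    return ""


def psk_pair_ok(local_key: str, remote_key: str) -> bool:
    """Both ends must hold a valid and identical (case-sensitive) key. A
    mismatch is not reported clearly by IKE itself; the manual says it
    surfaces as a PYLD_MALFORMED packet, so catch it here instead."""
    classify_psk(local_key)
    classify_psk(remote_key)
    return local_key == remote_key


# Constructed sample keys: the manual's own hex example, an ASCII key, and
# keys that break one rule each.
SAMPLE_KEYS = {
    "0x0123456789ABCDEF": "hex, 16 digits: accepted",
    "MyS3cretKey!": "ascii, 12 characters: accepted",
    "short": "ascii, too short",
    "0x0123456789abcdef": "hex, lowercase digits",
    "0x" + "F" * 63: "hex, too long",
    "x" * 32: "ascii, too long",
}

if __name__ == "__main__":
    for key, note in SAMPLE_KEYS.items():
        problem = psk_problem(key)
        print(f"{key[:24]:<26} {note:<34} -> {problem or 'OK'}")
    print("ends match:", psk_pair_ok("MyS3cretKey!", "MyS3cretKey!"))
```

The two helpers split the job the way a deployment checklist would: psk_problem tells you whether a key the wizard will even accept has been typed, and psk_pair_ok catches the case-sensitivity slip that would otherwise only appear as PYLD_MALFORMED in the logs after the tunnel fails to come up.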

3.6 VPN Wizard IPSec Setting (IKE Phase 2)

Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.

Figure 31 VPN Wizard: IPSec Setting

The following table describes the labels in this screen.

Table 19 VPN Wizard: IPSec Setting

LABEL: DESCRIPTION
Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. A Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
IPSec Protocol: Select the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1 (a 768-bit random number). DH2 refers to Diffie-Hellman Group 2 (a 1024-bit (1Kb) random number, more secure yet slower).
Back: Click Back to return to the previous screen.
Next: Click Next to continue.

3.7 VPN Wizard Status Summary

This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.

Figure 32 VPN Wizard: VPN Status

The following table describes the labels in this screen.

Table 20 VPN Wizard: VPN Status

LABEL: DESCRIPTION
Gateway Policy Property
Name: This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL: This is the WAN IP address or the domain name of your ZyWALL in router mode, or the ZyWALL's IP address in bridge mode.
Remote Gateway Address: This is the IP address or the domain name used to identify the remote IPSec router.
Network Policy Property
Active: This displays whether this VPN network policy is enabled or not.
Name: This is the name of this VPN network policy.
Network Policy Setting
Local Network
Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask: When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a range of IP addresses, this is the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the local network is configured for a subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network
Starting IP Address: This is a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask: When the remote network is configured for a single IP address, this field is N/A. When the remote network is configured for a range of IP addresses, this is the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the remote network is configured for a subnet, this is a subnet mask on the network behind the remote IPSec router.
IKE Tunnel Setting (IKE Phase 1)
Negotiation Mode: This shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES or AES.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
Key Group: This is the key group you chose for phase 1 IKE setup.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
Pre-Shared Key: This is a pre-shared key identifying a communicating party during a phase 1 IKE negotiation.
IPSec Setting (IKE Phase 2)
Encapsulation Mode: This shows Tunnel mode or Transport mode.
IPSec Protocol: ESP or AH are the security protocols used for an SA.
Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES, AES or NULL.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. Otherwise, DH1 or DH2 is selected to enable PFS.
Back: Click Back to return to the previous screen.
Finish: Click Finish to complete and save the wizard setup.

3.8 VPN Wizard Setup Complete

Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule.

Figure 33 VPN Wizard Setup Complete

Tutorial

This chapter describes how to apply security settings to VPN traffic and how to set up a 3G WAN connection.

4.1 Security Settings for VPN Traffic

The ZyWALL can apply the firewall and content filtering to the traffic going to or from the ZyWALL's VPN tunnels. The ZyWALL applies the security settings to the traffic before encrypting VPN traffic that it sends out or after decrypting received VPN traffic.

The security settings apply to VPN traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic).

You can turn on content filtering for all of the ZyWALL's VPN traffic (regardless of its direction of travel). You can apply firewall security to VPN traffic based on its direction of travel. The following examples show how you do this for the firewall.

4.2 Firewall Rule for VPN Example

The firewall provides even more fine-tuned control for VPN tunnels. You can configure default and custom firewall rules for VPN packets.

Take the following example. You have a LAN FTP server with IP address 192.168.1.4 behind device A. You could configure a VPN rule to allow the network behind device B to access your LAN FTP server through a VPN tunnel. Now, if you don't want other services like chat or e-mail going to the FTP server, you can configure firewall rules that allow only FTP traffic to come from VPN tunnels to the FTP server. Furthermore, you can configure the firewall rule so that only the network behind device B can access the FTP server through a VPN tunnel (not other remote networks that have VPN tunnels with the ZyWALL).

Figure 34 Firewall Rule for VPN

4.2.1 Configuring the VPN Rule

This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B.

1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon.

Figure 35 SECURITY > VPN > VPN Rules (IKE)

2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply.

Figure 36 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy

3 Click the Add Network Policy icon.

Figure 37 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example

4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers. This is due to the following reasons.

  • While FTP uses a control session on port 20, the port for the data session is not fixed. So this example uses the firewall's FTP application layer gateway (ALG) to handle this instead of specifying port numbers in this VPN network policy.
  • The firewall provides better security because it operates at layer 4 and checks traffic sessions. The VPN network policy only operates at layer 3 and just checks IP addresses and port numbers.

Figure 38 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy

4.2.2 Configuring the Firewall Rules

Suppose you have several VPN tunnels but you only want to allow device B's network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions.

4.2.2.1 Firewall Rule to Allow Access Example

Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server.

1 Click Security > Firewall > Rule Summary.
2 Select VPN to LAN as the packet direction and click Insert.

Figure 39 SECURITY > FIREWALL > Rule Summary

3 Configure the rule as follows and click Apply. The source addresses are the VPN rule's remote network and the destination address is the LAN FTP server.

Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow

4 The rule displays in the summary list of VPN to LAN firewall rules.

Figure 41 SECURITY > FIREWALL > Rule Summary: Allow

4.2.2.2 Default Firewall Rule to Block Other Access Example

Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN.

1 Click SECURITY > FIREWALL > Default Rule.
2 Configure the screen as follows and click Apply.

Figure 42 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN
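To make the interplay of the custom allow rule and the default rule concrete, here is a small ordered rule evaluator in Python. It is an added example, not ZyWALL code, and models the VPN to LAN rule set built in this section: device B's network (192.168.2.0/24) and a second tunnel's network (192.168.3.0/24) are constructed addresses, and the FTP service is modelled as TCP port 21 (the control connection), leaving the data connection to the FTP ALG as the tutorial does. Evaluating the same traffic with the default rule left at allow shows what the default block rule actually buys you.

```python
"""Ordered firewall-rule evaluation for the VPN to LAN direction.

Added example, not ZyXEL code. The rule set follows section 4.2.2; the remote
networks and the sample packets are constructed, and the FTP service object is
modelled as TCP/21 (control connection only; the data connection is handled by
the FTP ALG in the tutorial and is not modelled here).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source network in CIDR notation
    dst: str              # destination network, or a single host as /32
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "block"

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], default_action: str, pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; the direction's default rule decides everything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default_action, "default rule"


# The custom rule from section 4.2.2.1: FTP from device B's network to the LAN FTP server.
VPN_TO_LAN_RULES = [
    Rule("allow FTP from B", "192.168.2.0/24", "192.168.1.4/32", "tcp", 21, "allow"),
]

# Constructed traffic samples: (packet, what it represents)
SAMPLES = [
    (Packet("192.168.2.10", "192.168.1.4", "tcp", 21), "FTP from B to the FTP server"),
    (Packet("192.168.2.10", "192.168.1.4", "tcp", 25), "e-mail from B to the FTP server"),
    (Packet("192.168.3.10", "192.168.1.4", "tcp", 21), "FTP from another tunnel's network"),
    (Packet("192.168.2.10", "192.168.1.9", "tcp", 21), "FTP from B to a different LAN host"),
]


def decisions(default_action: str) -> List[Tuple[str, str]]:
    """Evaluate every sample under the given VPN to LAN default rule."""
    return [(desc, evaluate(VPN_TO_LAN_RULES, default_action, pkt)[0])
            for pkt, desc in SAMPLES]


if __name__ == "__main__":
    for default in ("allow", "block"):
        print(f"default VPN to LAN = {default}")
        for desc, action in decisions(default):
            print(f"  {action:5s}  {desc}")
```

With the default rule at block only the first sample gets through; with the default left at allow, all four do, because the custom rule never matches the other three and the decision falls through to the default.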

4.3 How to Set up a 3G WAN Connection

This section shows you how to configure and set up a 3G WAN connection on the ZyWALL. In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card) for Internet access at the same time.

4.3.1 Configuring 3G WAN Settings

You should already have an activated user account and network accessing information from the service provider.

1 Click NETWORK > WAN > WAN 2 on the ZyWALL.
2 Enter the APN, user name, password, PIN code and phone number that are provided by your service provider. If your service provider didn't provide them, contact your service provider.
3 Select the authentication type used by your service provider. If it was not given, leave the field at the default.
4 If your service provider gave you an IP address for a 3G connection, select Use Fixed IP Address and enter it in the My WAN IP Address field. Otherwise, select Get Automatically from ISP.
5 Click Apply.

Figure 43 Tutorial: NETWORK > WAN > WAN 2 (3G WAN)

4.3.2 Configuring Load Balancing

In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card) at the same time. You also balance the load between the two WAN interfaces using weighted round-robin method.

1 Click NETWORK > WAN > WAN 2.
2 Set the WAN operation mode to active/active and select Weighted Round-Robin in the Load Balancing Algorithm field.
3 Enter 6 as the weight for WAN 1 and 4 for WAN 2.
4 Click Apply.

Figure 44 Tutorial: NETWORK > WAN > General
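As an added example (not ZyXEL code) of what a 6:4 weighting means in practice, the following Python function distributes new sessions between the two WAN interfaces with the smooth weighted round-robin algorithm: each pick credits every interface by its weight, selects the highest credit and debits the total. The manual does not state which round-robin variant the ZyWALL implements, nor whether it balances per session or per packet, so the exact pick order is illustrative; the 60/40 split is the point.

```python
"""Weighted round-robin spread of new sessions across WAN 1 and WAN 2.

Added example, not ZyXEL code. Uses smooth weighted round-robin; the
ZyWALL's own scheduling granularity and algorithm are not stated in the
manual (assumption). The 6:4 weights are those from the tutorial.
"""
from typing import Dict, List


def weighted_round_robin(weights: Dict[str, int], picks: int) -> List[str]:
    """Return the interface chosen for each of `picks` successive sessions."""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    total = sum(weights.values())
    credit = {name: 0 for name in weights}
    order = []
    for _ in range(picks):
        for name, w in weights.items():
            credit[name] += w
        chosen = max(credit, key=credit.get)  # ties go to the first interface listed
        credit[chosen] -= total
        order.append(chosen)
    return order


def share(weights: Dict[str, int], picks: int) -> Dict[str, int]:
    """Count how many of `picks` sessions each interface received."""
    order = weighted_round_robin(weights, picks)
    return {name: order.count(name) for name in weights}


TUTORIAL_WEIGHTS = {"WAN 1": 6, "WAN 2": 4}

if __name__ == "__main__":
    print(weighted_round_robin(TUTORIAL_WEIGHTS, 10))
    print(share(TUTORIAL_WEIGHTS, 100))
```

Over any multiple of five sessions the split is exactly 3:2, which is the 6:4 ratio from the tutorial; an unreachable interface is a separate matter (the check in section 4.3.4), since a scheduler only divides traffic among interfaces it considers up.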

4.3.3 Inserting a 3G Card

To enable and use the 3G WAN connection, you need to insert a 3G card in the ZyWALL.

At the time of writing, you can only use the Sierra AC850/860 3G wireless card in the ZyWALL.

1 Make sure the ZyWALL is off before inserting or removing a card (to avoid damage).
2 Remove the wireless card or Turbo card from the ZyWALL if you have inserted one before.
3 Slide the connector end of the 3G card into the slot.
4 Power on the ZyWALL.

4.3.4 Checking WAN Connections

1 Go to the web configurator's Home screen.

2 In the network status table, make sure the status for WAN 1 and WAN 2 is not Down and there is an IP address. If the WAN 2 connection is not up, make sure you have entered the correct information in the WAN 2 screen and the signal strength to the service provider's base station is not too low and can connect to a network.

Figure 45 Tutorial: Home

Registration

5.1 myZyXEL.com overview

myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.

You need to create an account before you can register your device and activate the services at myZyXEL.com.

You can directly create a myZyXEL.com account, register your ZyWALL and activate a service using the REGISTRATION screen. Alternatively, go to http://www.myZyXEL.com with the ZyWALL's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details.

To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.

5.1.1 Content Filtering Subscription Service

The ZyWALL can use the content filtering subscription service. Content filtering allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content. Your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories. See the chapter about content filtering for more information.

To use a subscription service, you have to register and activate the corresponding service at myZyXEL.com (through the ZyWALL).

5.2 Registration

To register your ZyWALL with myZyXEL.com and activate the content filtering service, click REGISTRATION in the navigation panel to open the screen as shown next.

Figure 46 REGISTRATION

The following table describes the labels in this screen.

Table 21 REGISTRATION

LABEL: DESCRIPTION
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account: If you haven't created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.com account: If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL.
User Name: Enter a user name for your myZyXEL.com account. The name should be from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Check: Click this button to check with the myZyXEL.com database to verify that the user name you entered has not been used.
Password: Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Confirm Password: Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country: Select your country from the drop-down list box.
Service Activation: You can try a trial service subscription. After the trial expires, you can buy an iCard and enter the license key in the REGISTRATION > Service screen to extend the service.
Content Filtering 1-month Trial: Select the check box to activate a trial. The trial period starts the day you activate the trial.

Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status.

Figure 47 REGISTRATION: Registered Device

5.3 Service

After you activate a trial, you can also use the Service screen to register and enter your iCard's PIN number (license key). Click REGISTRATION > Service to open the screen as shown next.

If you restore the ZyWALL to the default configuration file or upload a different configuration file after you register, click the Service License Refresh button to update license information.

Figure 48 REGISTRATION > Service

The following table describes the labels in this screen.

Table 22 REGISTRATION > Service

LABEL: DESCRIPTION
Service Management
Service: This field displays the service name available on the ZyWALL.
Status: This field displays whether a service is activated (Active) or not (Inactive).
Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard's PIN number (Standard).
Expiration Day: This field displays the date your service expires.
License Upgrade
License Key: Enter your iCard's PIN number and click Update to activate or extend a standard service subscription. If a standard service subscription runs out, you need to buy a new iCard (specific to your ZyWALL) and enter the new PIN number to extend the service.
Service License Refresh: Click this button to renew service license information (such as the license key, registration status and expiration day).

PART II

Network

LAN Screens (113)

Bridge Screens (125)

WAN Screens (131)

DMZ Screens (163)

Wireless LAN (173)

LAN Screens

This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode.

6.1 LAN, WAN and the ZyWALL

A network is a shared communication system to which many computers are attached.

The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL's LAN ports.

The Wide Area Network (WAN) is another network (most likely the Internet) that you connect to the ZyWALL's WAN port. See Chapter 8 on page 131 for how to use the WAN screens to set up your WAN connection.

The LAN and the WAN are two separate networks. The ZyWALL controls the traffic that goes between them. The following graphic gives an example.

Figure 49 LAN and WAN

6.2 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the ZyWALL. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. If you select 192.168.1.0 as the network number, it covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyWALL, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your ZyWALL will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise.

6.2.1 Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.

6.3 DHCP

The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server. If you disable the ZyWALL's DHCP service, you must have another DHCP server on your LAN, or else the computers must be manually configured.

6.3.1 IP Pool Setup

The ZyWALL is pre-configured with a pool of IP addresses for the computers on your LAN. See Appendix A on page 631 for the default IP pool range. Do not assign your LAN computers static IP addresses that are in the DHCP pool.

6.4 RIP Setup

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.

RIP Version controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.

Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.

By default, RIP Direction is set to Both and RIP Version to RIP-1.

6.5 Multicast

Traditionally, IP packets are transmitted in one of two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.

IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.

The ZyWALL supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyWALL queries all directly connected networks to gather group membership. After that, the ZyWALL periodically updates this information. IP multicasting can be enabled/disabled on the ZyWALL LAN and/or WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces.

6.6 WINS

WINS (Windows Internet Naming Service) is the Windows implementation of a NetBIOS Name Server (NBNS). It keeps track of NetBIOS computer names. It stores a mapping table of your network's computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce broadcast traffic since computers can query the server instead of broadcasting a request for a computer name's IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.

6.7 LAN

Click NETWORK > LAN to open the LAN screen. Use this screen to configure the ZyWALL's IP address and other LAN TCP/IP settings as well as the built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

Figure 50 NETWORK > LAN

The following table describes the labels in this screen.

Table 23 NETWORK > LAN

LABEL: DESCRIPTION
LAN TCP/IP
IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your ZyWALL automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
DHCP Setup
DHCP: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size: This field specifies the size, or count, of the IP address pool.
DHCP Server Address: Type the IP address of the DHCP server to which you want the ZyWALL to relay DHCP requests. Use dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
DHCP WINS Server 1, 2: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However, it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Allow between LAN and WAN1: Select this check box to forward NetBIOS packets from the LAN to WAN 1 and from WAN 1 to the LAN. If your firewall is enabled with the default policy set to block WAN 1 to LAN traffic, you also need to enable the default WAN 1 to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to WAN 1 and from WAN 1 to the LAN.
Allow between LAN and WAN2: Select this check box to forward NetBIOS packets from the LAN to WAN 2 and from WAN 2 to the LAN. If your firewall is enabled with the default policy set to block WAN 2 to LAN traffic, you also need to enable the default WAN 2 to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to WAN 2 and from WAN 2 to the LAN.
Allow between LAN and DMZ: Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN. If your firewall is enabled with the default policy set to block DMZ to LAN traffic, you also need to enable the default DMZ to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the DMZ and from the DMZ to the LAN.
Allow between LAN and WLAN: Select this check box to forward NetBIOS packets from the LAN to the WLAN and from the WLAN to the LAN. Clear this check box to block all NetBIOS packets going from the LAN to the WLAN and from the WLAN to the LAN.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

6.8 LAN Static DHCP

This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses.

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

To change your ZyWALL's static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown.

Figure 51 NETWORK > LAN > Static DHCP

The following table describes the labels in this screen.

Table 24 NETWORK > LAN > Static DHCP

LABEL: DESCRIPTION
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your LAN.
IP Address: Type the IP address that you want to assign to the computer on your LAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

6.9 LAN IP Alias

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.

The ZyWALL has a single LAN interface. Even though more than one of ports 1 to 4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.

The ZyWALL supports three logical LAN interfaces via its single physical LAN Ethernet interface. The ZyWALL itself is the gateway for each of the logical LAN networks.

When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets).

Make sure that the subnets of the logical networks do not overlap.
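The address rules in sections 6.2, 6.2.1, 6.3.1, 6.8 and this section are easy to check before a LAN configuration is applied. The following Python script is an added example, not ZyXEL code: it verifies that the LAN network number lies in one of the IANA private blocks, compares the subnet mask with a classful mask (an assumption about how the ZyWALL's automatically computed mask is derived), expands the DHCP pool from its starting address and size to catch static DHCP entries that fall inside it, checks the six-pair MAC address format, and reports IP alias subnets that overlap the LAN or each other. The sample plan is constructed; the MAC address 00:A0:C5:00:00:02 is the one the manual uses as its format example.

```python
"""Sanity checks for a ZyWALL-style LAN plan: private network numbers, subnet
masks, DHCP pool vs. static DHCP entries, and IP alias overlap.

Added example, not ZyXEL code. The classful mask rule is an assumption about
how the auto-computed mask is derived; the sample plan is constructed.
"""
import ipaddress
import re

# The three IANA private blocks from section 6.2.1
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Six pairs of hexadecimal characters separated by colons (section 6.8)
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def is_private(address):
    """True if the address falls in one of the IANA private blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in PRIVATE_BLOCKS)


def classful_mask(address):
    """Mask derived from the first octet (assumption: the auto-computed mask is classful)."""
    first = int(address.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def dhcp_pool(start, size):
    """Expand IP Pool Starting Address + Pool Size into the addresses handed out."""
    first = ipaddress.ip_address(start)
    return [first + i for i in range(size)]


def check_static_dhcp(entries, pool):
    """Flag malformed MACs and static assignments that collide with the DHCP pool."""
    findings = []
    pool_set = set(pool)
    for mac, ip in entries:
        if not MAC_RE.match(mac):
            findings.append(f"{mac}: not a six-pair hexadecimal MAC address")
        if ipaddress.ip_address(ip) in pool_set:
            findings.append(f"{ip}: inside the DHCP pool; reserve an address outside it")
    return findings


def overlapping_aliases(networks):
    """Return pairs of logical LAN networks (IP alias) whose subnets overlap."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def lan_plan_report(lan_ip, lan_mask, pool_start, pool_size, static_entries, aliases):
    """Run every check and return the results (empty lists mean nothing to fix)."""
    pool = dhcp_pool(pool_start, pool_size)
    return {
        "private": is_private(lan_ip),
        "mask_matches_classful": lan_mask == classful_mask(lan_ip),
        "static_dhcp": check_static_dhcp(static_entries, pool),
        "alias_overlap": overlapping_aliases([f"{lan_ip}/{lan_mask}"] + aliases),
    }


# Constructed sample plan (not taken from the manual's screens)
SAMPLE_LAN_IP = "192.168.1.1"
SAMPLE_LAN_MASK = "255.255.255.0"
SAMPLE_POOL_START = "192.168.1.33"   # IP Pool Starting Address
SAMPLE_POOL_SIZE = 32                # Pool Size: .33 to .64
SAMPLE_STATIC_DHCP = [
    ("00:A0:C5:00:00:02", "192.168.1.4"),   # outside the pool: fine
    ("00:A0:C5:00:00:03", "192.168.1.40"),  # collides with the pool
    ("00A0C5000004", "192.168.1.5"),        # MAC not in six-pair form
]
SAMPLE_ALIASES = ["192.168.2.1/24", "192.168.1.129/25"]  # the second overlaps the LAN


def sample_report():
    return lan_plan_report(SAMPLE_LAN_IP, SAMPLE_LAN_MASK, SAMPLE_POOL_START,
                           SAMPLE_POOL_SIZE, SAMPLE_STATIC_DHCP, SAMPLE_ALIASES)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On the sample plan the report flags the static entry at 192.168.1.40 (inside the pool), the malformed MAC, and the overlap between 192.168.1.0/24 and the alias 192.168.1.128/25; the private-range and mask checks pass. The same overlap check is worth running again whenever a VPN network policy's remote range is added, since an alias that overlaps a remote VPN network has the same routing ambiguity.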

The following figure shows a LAN divided into subnets A, B, and C.

Figure 52 Physical Network & Partitioned Logical Networks
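The non-overlap requirement above is easy to get wrong once the ZyWALL's classful default mask comes into play. The following is an added example (not ZyXEL code) that builds the primary LAN plus the two IP alias networks and reports any overlapping subnets; the classful-mask rule is an assumption about how the device "automatically calculates" the mask, and the sample plans are constructed.

```python
import ipaddress
from typing import Optional

# Added example, not ZyXEL code: validates an IP alias plan (the primary LAN
# plus alias 1 and alias 2) by checking that the logical subnets do not
# overlap. The classful-mask rule is an assumption about how the ZyWALL
# derives a mask when you do not subnet.


def classful_mask(ip: str) -> str:
    """Return the default mask for a class A, B or C address."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{ip} is not a class A, B or C address")


def logical_lan(name: str, gateway_ip: str, mask: Optional[str] = None):
    """Build one logical LAN from the ZyWALL's gateway address on it.

    Without an explicit mask the classful default is used, mirroring the
    IP Subnet Mask field; pass a mask when you are subnetting.
    """
    iface = ipaddress.IPv4Interface(
        f"{gateway_ip}/{mask or classful_mask(gateway_ip)}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(
            f"{name}: {gateway_ip} is the network or broadcast address of {net}")
    return name, iface


def check_ip_alias(lans) -> list:
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    if len(lans) > 3:
        problems.append("the ZyWALL supports at most three logical LANs")
    for i, (name_a, a) in enumerate(lans):
        for name_b, b in lans[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(
                    f"{name_a} {a.network} overlaps {name_b} {b.network}")
    return problems


# Constructed sample plans (subnets A, B and C as in Figure 52).
GOOD_PLAN = [
    logical_lan("LAN", "192.168.1.1"),                        # class C -> /24
    logical_lan("IP Alias 1", "192.168.2.1"),
    logical_lan("IP Alias 2", "10.0.0.1", "255.255.255.0"),   # explicit subnetting
]
BAD_PLAN = [
    logical_lan("LAN", "192.168.1.1"),
    logical_lan("IP Alias 1", "192.168.1.129", "255.255.255.128"),  # inside the LAN /24
]

if __name__ == "__main__":
    print("good plan:", check_ip_alias(GOOD_PLAN) or "no overlaps")
    print("bad plan:", check_ip_alias(BAD_PLAN))
```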

To change your ZyWALL's IP alias settings, click NETWORK > LAN > IP Alias. The screen appears as shown.

Figure 53 NETWORK > LAN > IP Alias

The following table describes the labels in this screen.

Table 25 NETWORK > LAN > IP Alias

LABEL | DESCRIPTION
Enable IP Alias 1, 2 | Select the check box to configure another LAN network for the ZyWALL.
IP Address | Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask | Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction | RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version | The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicast. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicast, then all routers on your network must also use multicast. By default, RIP direction is set to Both and the Version set to RIP-1.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

6.10 LAN Port Roles

Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface.

Ports 1 to 4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface.


Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:

1 Because a port's IP address varies as its role changes, make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
2 Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL.

To change your ZyWALL's port role settings, click NETWORK > LAN > Port Roles. The screen appears as shown.

The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default.


Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens.

Figure 54 NETWORK > LAN > Port Roles

The following table describes the labels in this screen.

Table 26 NETWORK > LAN > Port Roles

LABEL | DESCRIPTION
LAN | Select a port's LAN radio button to use the port as part of the LAN. The port will use the ZyWALL's LAN IP address and MAC address.
DMZ | Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the ZyWALL's DMZ IP address and MAC address.
WLAN | Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL's WLAN IP address and MAC address.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

After you change the LAN/DMZ/WLAN port roles and click Apply, please wait a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.

Figure 55 Port Roles Change Complete

Bridge Screens

This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode.

7.1 Bridge Loop

The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers.

Be careful to avoid bridge loops when you enable bridging in the ZyWALL. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following example shows the network topology that can lead to this problem:

  • If your ZyWALL (in bridge mode) is connected to a wired LAN while communicating with another bridge or a switch that is also connected to the same wired LAN, as shown next.

Figure 56 Bridge Loop: Bridge Connected to Wired LAN

To prevent bridge loops, ensure that your ZyWALL is not set to bridge mode while connected to two wired segments of the same LAN, or that you enable RSTP in the Bridge screen.

7.2 Spanning Tree Protocol (STP)

STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.

7.2.1 Rapid STP

The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). Using RSTP, topology change information does not have to propagate to the root bridge, and unwanted learned addresses are flushed from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding.

7.2.2 STP Terminology

The root bridge is the base of the spanning tree.

Path cost is the cost of transmitting a frame from the root bridge to that port. It is assigned according to the speed of the link to which a port is attached. The slower the media, the higher the cost - see the next table.

Table 27 STP Path Costs

LINK SPEED | RECOMMENDED VALUE | RECOMMENDED RANGE | ALLOWED RANGE
4 Mbps | 250 | 100 to 1000 | 1 to 65535
10 Mbps | 100 | 50 to 600 | 1 to 65535
16 Mbps | 62 | 40 to 400 | 1 to 65535
100 Mbps | 19 | 10 to 60 | 1 to 65535
1 Gbps | 4 | 3 to 10 | 1 to 65535
10 Gbps | 2 | 1 to 5 | 1 to 65535

On each bridge, the root port is the port through which this bridge communicates with the root. It is the port on this switch with the lowest path cost to the root (the root path cost). If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network.

For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN.

7.2.3 How STP Works

After a bridge determines the lowest cost-spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops.

STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed.

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.
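To make the root bridge, root port and designated bridge definitions above concrete, here is an added example (not ZyXEL code) that elects a root from bridge priority and MAC address, then computes each bridge's root path cost and root port from the recommended values in Table 27. The three-bridge topology is constructed for illustration, and equal-cost ties are not broken the way real STP breaks them.

```python
import heapq

# Added example, not ZyXEL code: root bridge election and root port selection
# as described in Sections 7.2.2 and 7.2.3, using Table 27's path costs.

# Recommended path cost per link speed in Mbps (Table 27).
PATH_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, mac: str):
    """Lower bridge ID wins: priority first, then MAC address (Table 29)."""
    return priority, int(mac.replace(":", ""), 16)


def elect_root(bridges: dict) -> str:
    """bridges maps name -> (priority, mac). Returns the root bridge's name."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(root: str, links: list) -> dict:
    """Shortest-path (Dijkstra) root path cost for every bridge.

    links are (bridge_a, port_a, bridge_b, port_b, speed_mbps). The result
    maps each bridge to (root path cost, root port); the root has no root
    port. Equal-cost ties are left to the first path found (real STP breaks
    them with bridge and port IDs).
    """
    adjacent = {}
    for a, port_a, b, port_b, speed in links:
        cost = PATH_COST[speed]
        # From a you reach b through b's port_b, and vice versa.
        adjacent.setdefault(a, []).append((b, port_b, cost))
        adjacent.setdefault(b, []).append((a, port_a, cost))
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, bridge = heapq.heappop(heap)
        if cost > best[bridge][0]:
            continue  # stale entry
        for neighbour, port_on_neighbour, link_cost in adjacent.get(bridge, []):
            candidate = cost + link_cost
            if neighbour not in best or candidate < best[neighbour][0]:
                best[neighbour] = (candidate, port_on_neighbour)
                heapq.heappush(heap, (candidate, neighbour))
    return best


def designated_bridges(costs: dict, links: list, bridges: dict) -> dict:
    """For each link (LAN segment) pick the attached bridge with the lowest
    root path cost, breaking ties by bridge ID."""
    result = {}
    for a, _, b, _, _ in links:
        result[(a, b)] = min(
            (a, b), key=lambda n: (costs[n][0], bridge_id(*bridges[n])))
    return result


# Constructed topology: C has the best priority even though its MAC is highest.
BRIDGES = {
    "A": (32768, "00:a0:c5:00:00:01"),
    "B": (32768, "00:a0:c5:00:00:02"),
    "C": (4096, "00:a0:c5:00:00:03"),
}
LINKS = [
    ("A", 1, "B", 1, 1000),  # A port 1 <-> B port 1, 1 Gbps, cost 4
    ("B", 2, "C", 1, 100),   # B port 2 <-> C port 1, 100 Mbps, cost 19
    ("A", 2, "C", 2, 10),    # A port 2 <-> C port 2, 10 Mbps, cost 100
]

if __name__ == "__main__":
    root = elect_root(BRIDGES)
    costs = root_path_costs(root, LINKS)
    print("root bridge:", root)
    for name, (cost, port) in sorted(costs.items()):
        print(f"{name}: root path cost {cost}, root port {port}")
    print("designated bridges:", designated_bridges(costs, LINKS, BRIDGES))
```

Note that A's root port is port 1 (towards B, cost 4 + 19 = 23) rather than its direct 10 Mbps link to the root (cost 100), which is exactly the effect the path cost table is meant to have.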

7.2.4 STP Port States

STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops.

Table 28 STP Port States

PORT STATE | DESCRIPTION
Disabled | STP is disabled (default).
Blocking | Only configuration and management BPDUs are received and processed.
Listening | All BPDUs are received and processed.
Learning | All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded.
Forwarding | All BPDUs are received and processed. All information frames are received and forwarded.

7.3 Bridge

Select Bridge and click Apply in the MAINTENANCE Device Mode screen to have the ZyWALL function as a bridge.

In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.

You can use the firewall and VPN in bridge mode. See the user's guide for a list of other features that are available in bridge mode.

Click NETWORK > BRIDGE to display the screen shown next. Use this screen to configure bridge and RSTP (Rapid Spanning Tree Protocol) settings.

Figure 57 NETWORK > Bridge

The following table describes the labels in this screen.

Table 29 NETWORK > Bridge

LABEL | DESCRIPTION
Bridge IP Address Setup
IP Address | Type the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask | The subnet mask specifies the network number portion of an IP address.
Gateway IP Address | Enter the gateway IP address.
First/Second/Third DNS Server | DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for content filtering, the time server, etc. If you have the IP address(es) of the DNS server(s), enter the DNS server's IP address(es) in the field(s) to the right.
Rapid Spanning Tree Protocol Setup
Enable Rapid Spanning Tree Protocol | Select the check box to activate RSTP on the ZyWALL.
Bridge Priority | Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. Bridge priority is used in determining the root switch, root port and designated port. The switch with the highest priority (lowest numeric value) becomes the root. If multiple devices have the lowest priority, the device with the lowest MAC address becomes the root. The lower the numeric value you assign, the higher the priority for this bridge. Bridge Priority determines the root bridge, which in turn determines Hello Time, Max Age and Forward Delay.
Bridge Hello Time | Enter an interval (between 1 and 10) in seconds that the root bridge waits before sending a hello packet.
Bridge Max Age | Enter an interval (between 6 and 40) in seconds that a bridge waits to get a Hello BPDU from the root bridge.
Forward Delay | Enter the length of time (between 4 and 30) in seconds that a bridge remains in the listening and learning port states. The default is 15 seconds.
Bridge Port | This is the bridge port type.
RSTP Active | Select the check box to enable RSTP on the corresponding port.
RSTP Priority 0 (Highest) ~ 240 (Lowest) | Enter a number between 0 and 240 as the RSTP priority for the corresponding port. 0 is the highest.
RSTP Path Cost 1 (Lowest) ~ 65535 (Highest) | Enter a number between 1 and 65535 as the RSTP path cost for the corresponding port. 65535 is the highest.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

7.4 Bridge Port Roles

Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface.

Ports 1 to 4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface.

To change your ZyWALL's port role settings, click NETWORK > BRIDGE > Port Roles. The screen appears as shown.

The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default.

Figure 58 NETWORK > Bridge > Port Roles

The following table describes the labels in this screen.

Table 30 NETWORK > Bridge > Port Roles

LABEL | DESCRIPTION
LAN | Select a port's LAN radio button to use the port as part of the LAN.
DMZ | Select a port's DMZ radio button to use the port as part of the DMZ.
WLAN | Select a port's WLAN radio button to use the port as part of the WLAN.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

After you change the LAN/DMZ/WLAN port roles and click Apply, please wait a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.

Figure 59 Port Roles Change Complete

WAN Screens

This chapter describes how to configure WAN settings.


WAN 2 refers to the 3G card on the supported ZyWALL in router mode.

8.1 WAN Overview

  • Use the WAN General screen to configure load balancing, route priority and traffic redirect properties for the ZyWALL.
  • Use the WAN1 screen to configure the WAN1 interface for Internet access on the ZyWALL.
  • Use the WAN2 screen to configure the WAN2 interface for Internet access on the ZyWALL.
  • Use the Traffic Redirect screen to configure an alternative gateway.
  • Use the Dial Backup screen to configure the backup WAN dial-up connection.

8.2 Multiple WAN

You can use a second connection for load sharing to increase overall network throughput or as a backup to enhance network reliability.

The ZyWALL has one WAN port. When the ZyWALL is in router mode, you can optionally insert a 3G card to add a second WAN interface. You can connect one interface to one ISP (or network) and connect the other to a second ISP (or network).

The ZyWALL can balance the load between the two WAN interfaces (see Section 8.3 on page 132).

You can use policy routing to specify the WAN interface that specific services go through. An ISP may give traffic from certain (more expensive) connections priority over the traffic from other accounts. You could route delay intolerant traffic (like voice over IP calls) through this kind of connection. Other traffic could be routed through a cheaper broadband Internet connection that does not provide priority service. If one WAN interface's connection goes down, the ZyWALL can automatically send its traffic through the other WAN interface. See Chapter 19 on page 349 for details.

The ZyWALL's NAT feature allows you to configure sets of rules for one WAN interface and separate sets of rules for the other WAN interface. Refer to Chapter 17 on page 329 for details.

You can select through which WAN interface you want to send out traffic from UPnP-enabled applications (see Chapter 23 on page 405).

The ZyWALL's DDNS lets you select which WAN interface you want to use for each individual domain name. The DDNS high availability feature lets you have the ZyWALL use the other WAN interface for a domain name if the configured WAN interface's connection goes down. See Section 21.10.2 on page 381 for details.

When configuring a VPN rule, you have the option of selecting one of the ZyWALL's domain names in the My Address field.

8.3 Load Balancing Introduction

On the ZyWALL, load balancing is the process of dividing traffic loads between the two WAN interfaces (or ports). This allows you to improve quality of services and maximize bandwidth utilization.

See also policy routing to provide quality of service by dedicating a route for a specific traffic type and bandwidth management to specify a set amount of bandwidth for a specific traffic type on an interface.

8.4 Load Balancing Algorithms

The ZyWALL uses three load balancing methods (least load first, weighted round robin and spillover) to decide which WAN interface the traffic for a session (from the LAN) uses.

The following sections describe each load balancing method. The available bandwidth you configure on the ZyWALL refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using.

8.4.1 Least Load First

The least load first algorithm uses the current (or recent) outbound and/or inbound bandwidth utilization of each WAN interface as the load balancing criteria for making decisions on how to route traffic. The outbound bandwidth utilization is defined as the measured outbound throughput over the available outbound bandwidth. The inbound bandwidth utilization is defined as the measured inbound throughput over the available inbound bandwidth. The two ratios are indexes used to calculate which WAN interface is less utilized at the time. A new LAN-originated session is distributed to the less utilized WAN interface.

8.4.1.1 Example 1

The following figure depicts an example where both the WAN interfaces on the ZyWALL are connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively.

Figure 60 Least Load First Example

If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load balancing index as shown in the table below.

Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2.

Table 31 Least Load First: Example 1

INTERFACE | OUTBOUND AVAILABLE (A) | OUTBOUND MEASURED (M) | LOAD BALANCING INDEX (M/A)
WAN 1 | 512 K | 412 K | 0.8
WAN 2 | 256 K | 198 K | 0.77

8.4.1.2 Example 2

This example uses the same network scenario as in Figure 60 on page 133, but uses both the outbound and inbound bandwidth utilization in calculating the load balancing index. If the measured inbound stream throughput for both WAN 1 and WAN 2 is 1600K, the ZyWALL calculates the average load balancing indices as shown in the table below.

Since WAN 1 has a smaller load balancing index (meaning that it is less utilized than WAN 2), the ZyWALL will send the next new session traffic through WAN 1.

Table 32 Least Load First: Example 2

INTERFACE | OUTBOUND AVAILABLE (OA) | OUTBOUND MEASURED (OM) | INBOUND AVAILABLE (IA) | INBOUND MEASURED (IM) | AVERAGE LOAD BALANCING INDEX (OM/OA + IM/IA) / 2
WAN 1 | 512 K | 412 K | 8000 K | 1600 K | (0.8 + 0.2) / 2 = 0.5
WAN 2 | 256 K | 198 K | 2000 K | 1600 K | (0.77 + 0.8) / 2 = 0.79

8.4.2 Weighted Round Robin

Round Robin routes traffic on a rotating basis and is activated only when a WAN interface has more traffic than the configured available bandwidth. On the ZyWALL with two WAN interfaces, an amount of traffic is sent through the first interface. The second interface is also given an equal amount of traffic, and then the same amount of traffic is sent through the first interface again; and so on. This works in a looping fashion until there is no outgoing traffic.

Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more of the traffic than an interface with a smaller weight.

This algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different.

For example, in the figure below, the configured available bandwidth of WAN1 is 1M and WAN2 is 512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of WAN1 and WAN2 to 2 and 1 respectively. The ZyWALL assigns the traffic of two sessions to WAN1 for every one session's traffic assigned to WAN2.

Figure 61 Weighted Round Robin Algorithm Example

8.4.3 Spillover

With the spillover load balancing algorithm, the ZyWALL sends network traffic to the primary interface until the maximum allowable load is reached, then the ZyWALL sends the excess network traffic of new sessions to the secondary WAN interface. Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs.

In cases where the primary WAN interface uses an unlimited access Internet connection and the secondary WAN uses a per-use timed access plan, the ZyWALL will only use the secondary WAN interface when the traffic load reaches the upper threshold on the primary WAN interface. This allows you to fully utilize the bandwidth of the primary WAN interface while avoiding overloading it and reducing Internet connection fees at the same time.

In the following example figure, the upper threshold of the primary WAN interface is set to 800K. The ZyWALL sends network traffic of a new session that exceeds this limit to the secondary WAN interface.

Figure 62 Spillover Algorithm Example
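The three decisions described in Sections 8.4.1 to 8.4.3, as an added example (not ZyXEL code): the least load first index calculation is fed the bandwidth figures of Tables 31 and 32 and reproduces their results, the weighted round robin schedule uses the 2:1 ratio of Figure 61, and the spillover rule uses the 800K threshold of Figure 62. Rounding half-up to two places is an assumption made to match the printed indexes.

```python
from decimal import Decimal, ROUND_HALF_UP

# Added example, not ZyXEL code: the three load balancing decisions from
# Section 8.4, with the bandwidth figures of Tables 31 and 32 as sample input.

TWO_PLACES = Decimal("0.01")


def ratio(measured_kbps, available_kbps) -> Decimal:
    """Utilization index: measured throughput over available bandwidth."""
    return (Decimal(measured_kbps) / Decimal(available_kbps)).quantize(
        TWO_PLACES, rounding=ROUND_HALF_UP)


def least_load_first(interfaces: dict, indexes: str = "outbound"):
    """Pick the less utilized WAN interface for a new LAN-originated session.

    interfaces maps name -> dict(out_avail, out_meas, in_avail, in_meas), all
    in kbps. indexes is "outbound", "inbound" or "both" (the Load Balancing
    Index(es) field). Returns (chosen interface, {name: index}).
    """
    scores = {}
    for name, bw in interfaces.items():
        parts = []
        if indexes in ("outbound", "both"):
            parts.append(ratio(bw["out_meas"], bw["out_avail"]))
        if indexes in ("inbound", "both"):
            parts.append(ratio(bw["in_meas"], bw["in_avail"]))
        average = (sum(parts) / len(parts)).quantize(
            TWO_PLACES, rounding=ROUND_HALF_UP)
        scores[name] = float(average)
    # Lowest index wins; an exact tie goes to the lower interface name.
    chosen = min(scores, key=lambda name: (scores[name], name))
    return chosen, scores


def weighted_round_robin(weights: dict, sessions: int) -> list:
    """Assign `sessions` new sessions in turn: an interface with weight w gets
    w sessions per cycle, and weight 0 (the Ratio field) is never used."""
    active = [(name, w) for name, w in weights.items() if w > 0]
    if not active:
        raise ValueError("at least one interface needs a weight above 0")
    cycle = [name for name, w in active for _ in range(w)]
    return [cycle[i % len(cycle)] for i in range(sessions)]


def spillover(primary_measured_kbps, threshold_kbps, new_session: bool,
              primary="WAN 1", secondary="WAN 2") -> str:
    """Existing sessions stay on the primary; a new session spills over to the
    secondary once the primary's measured load has reached the threshold."""
    if not new_session or primary_measured_kbps < threshold_kbps:
        return primary
    return secondary


# Constructed from Tables 31 and 32 (kbps).
EXAMPLE = {
    "WAN 1": dict(out_avail=512, out_meas=412, in_avail=8000, in_meas=1600),
    "WAN 2": dict(out_avail=256, out_meas=198, in_avail=2000, in_meas=1600),
}

if __name__ == "__main__":
    # -> ('WAN 2', {'WAN 1': 0.8, 'WAN 2': 0.77})
    print(least_load_first(EXAMPLE, "outbound"))
    # -> ('WAN 1', {'WAN 1': 0.5, 'WAN 2': 0.79})
    print(least_load_first(EXAMPLE, "both"))
    # -> ['WAN1', 'WAN1', 'WAN2', 'WAN1', 'WAN1', 'WAN2']
    print(weighted_round_robin({"WAN1": 2, "WAN2": 1}, 6))
    # -> 'WAN 2'
    print(spillover(850, 800, new_session=True))
```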

8.5 TCP/IP Priority (Metric)

The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost".

1 The metric sets the priority for the ZyWALL's routes to the Internet. Each route must have a unique metric.
2 The priorities of the WAN interface routes must always be higher than the dial-backup and traffic redirect route priorities.

Let's say that you have the WAN operation mode set to active/passive, meaning the ZyWALL uses the second highest priority WAN interface as a backup. The WAN 1 route has a metric of "2", the WAN 2 route has a metric of "3", the traffic redirect route has a metric of "14" and the dial-backup route has a metric of "15". In this case, the WAN 1 route acts as the primary default route. If the WAN 1 route fails to connect to the Internet, the ZyWALL tries the WAN 2 route next. If the WAN 2 route fails, the ZyWALL tries the traffic redirect route. In the same manner, the ZyWALL uses the dial-backup route if the traffic redirect route also fails.

The dial-backup or traffic redirect routes cannot take priority over the WAN 1 and WAN 2 routes.

8.6 WAN General

Click NETWORK > WAN to open the General screen. Use this screen to configure load balancing, route priority and traffic redirect properties.


WAN 2 refers to the 3G card on the supported ZyWALL in router mode.

Figure 63 NETWORK > WAN General

The following table describes the labels in this screen.

Table 33 NETWORK > WAN General

LABEL | DESCRIPTION
Active/Passive (Fail Over) Mode | Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN interface as a backup. This means that the ZyWALL will normally use the highest priority (primary) WAN interface (depending on the priorities you configure in the Route Priority fields). The ZyWALL will switch to the secondary (second highest priority) WAN interface when the primary WAN interface's connection fails.
Fall Back to Primary WAN When Possible | This field determines the action the ZyWALL takes after the primary WAN interface fails and the ZyWALL starts using the secondary WAN interface. Select this check box to have the ZyWALL change back to using the primary WAN interface when the ZyWALL can connect through the primary WAN interface again. Clear this check box to have the ZyWALL continue using the secondary WAN interface, even after the ZyWALL can connect through the primary WAN interface again. The ZyWALL continues to use the secondary WAN interface until its connection fails (at which time it will change back to using the primary WAN interface if its connection is up).
Active/Active Mode | Select Active/Active Mode to have the ZyWALL use both of the WAN interfaces at the same time and allow you to enable load balancing.
Load Balancing Algorithm | Select Least Load First, Weighted Round Robin or Spillover to activate load balancing and set the related fields. Otherwise, select None. Refer to Section 8.7 on page 139 for load balancing configuration.
Route Priority
WAN1 / WAN2 / Traffic Redirect / Dial Backup | The default WAN connection is "1" as your broadband connection via the WAN interface should always be your preferred method of accessing the WAN. The ZyWALL switches from WAN interface 1 to WAN interface 2 if WAN interface 1's connection fails and then back to WAN interface 1 when WAN interface 1's connection comes back up. The default priority of the routes is WAN 1, WAN 2, Traffic Redirect and then Dial Backup. You have three choices for an auxiliary connection (WAN 2, Traffic Redirect and Dial Backup) in the event that your regular WAN connection goes down. If Dial Backup is preferred to Traffic Redirect, then type "14" in the Dial Backup Priority (metric) field (and leave the Traffic Redirect Priority (metric) at the default of "15"). The Dial Backup field is available only when you enable the corresponding dial backup feature in the Dial Backup screen.
Connectivity Check
Check Period | The ZyWALL tests a WAN connection by periodically sending a ping to either the default gateway or the address in the Ping this Address field. Type a number of seconds (5 to 300) to set the time interval between checks. Allow more time if your destination IP address handles lots of traffic.
Check Timeout | Type the number of seconds (1 to 10) for your ZyWALL to wait for a response to the ping before considering the check to have failed. This setting must be less than the Check Period. Use a higher value in this field if your network is busy or congested.
Check Fail Tolerance | Type how many WAN connection checks can fail (1-10) before the connection is considered "down" (not connected). The ZyWALL still checks a "down" connection to detect if it reconnects.
Check WAN1/2 Connectivity | Select the check box to have the ZyWALL periodically test the respective WAN interface's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN interface's default gateway IP address. Select Ping this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyWALL ping that address. For a domain name, use up to 63 alphanumeric characters (hyphens, periods and the underscore are also allowed) without spaces.
Check Traffic Redirection Connectivity | Select the check box to have the ZyWALL periodically test the traffic redirect connection. Select Ping Default Gateway to have the ZyWALL ping the backup gateway's IP address. Select Ping this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyWALL ping that address. For a domain name, use up to 63 alphanumeric characters (hyphens, periods and the underscore are also allowed) without spaces.
Windows Networking (NetBIOS over TCP/IP) | NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
Allow between WAN1 and LAN | Select this check box to forward NetBIOS packets from WAN 1 to the LAN port and from the LAN port to WAN1. If your firewall is enabled with the default policy set to block WAN 1 to LAN traffic, you also need to enable the default WAN1 to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from WAN 1 to the LAN port and from the LAN port to WAN1.
Allow between WAN1 and DMZ | Select this check box to forward NetBIOS packets from WAN 1 to the DMZ port and from the DMZ port to WAN1. Clear this check box to block all NetBIOS packets going from WAN 1 to the DMZ port and from the DMZ port to WAN1.
Allow between WAN1 and WLAN | Select this check box to forward NetBIOS packets from WAN 1 to the WLAN port and from the WLAN port to WAN1. Clear this check box to block all NetBIOS packets going from WAN 1 to the WLAN port and from the WLAN port to WAN1.
Allow between WAN2 and LAN | Select this check box to forward NetBIOS packets from WAN 2 to the LAN port and from the LAN port to WAN2. If your firewall is enabled with the default policy set to block WAN 2 to LAN traffic, you also need to enable the default WAN2 to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from WAN 2 to the LAN port and from the LAN port to WAN2.
Allow between WAN2 and DMZ | Select this check box to forward NetBIOS packets from WAN 2 to the DMZ port and from the DMZ port to WAN2. Clear this check box to block all NetBIOS packets going from WAN 2 to the DMZ port and from the DMZ port to WAN2.
Allow between WAN2 and WLAN | Select this check box to forward NetBIOS packets from WAN 2 to the WLAN port and from the WLAN port to WAN2. Clear this check box to block all NetBIOS packets going from WAN 2 to the WLAN port and from the WLAN port to WAN2.
Allow Trigger Dial | Select this option to allow NetBIOS packets to initiate calls.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
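The route priority rules of Section 8.5 and the Connectivity Check and Fall Back behaviour in the table above interact: a route is only skipped once the connectivity check has declared it down. The following added example (not ZyXEL code) validates a set of metrics, tracks one interface's up/down state from ping results using the Check Fail Tolerance rule, and selects the active route the way the Active/Passive example in Section 8.5 describes; the ping results are constructed.

```python
# Added example, not ZyXEL code: the route priority rules of Section 8.5 and
# the Connectivity Check and Fall Back behaviour described in Table 33, run on
# the manual's own metrics (WAN 1 = 2, WAN 2 = 3, Traffic Redirect = 14,
# Dial Backup = 15). Ping results are constructed.

METRIC_MIN, METRIC_MAX = 1, 15
WAN_ROUTES = ("WAN 1", "WAN 2")
AUX_ROUTES = ("Traffic Redirect", "Dial Backup")


def validate_metrics(metrics: dict) -> list:
    """Return the Section 8.5 rule violations (empty list means valid):
    metrics 1..15, unique, and both WAN routes preferred over the
    traffic redirect and dial backup routes."""
    problems = []
    for name, metric in metrics.items():
        if not METRIC_MIN <= metric <= METRIC_MAX:
            problems.append(
                f"{name}: metric {metric} is outside {METRIC_MIN}..{METRIC_MAX}")
    if len(set(metrics.values())) != len(metrics):
        problems.append("each route must have a unique metric")
    wan_metrics = [metrics[r] for r in WAN_ROUTES if r in metrics]
    for aux in AUX_ROUTES:
        if aux in metrics and wan_metrics and metrics[aux] <= max(wan_metrics):
            problems.append(
                f"{aux}: metric {metrics[aux]} must be higher than every WAN route metric")
    return problems


class ConnectivityCheck:
    """Per-interface link state driven by periodic ping results.

    The link is marked down after `fail_tolerance` consecutive failed checks
    (the Check Fail Tolerance field, 1 to 10) and up again on the next
    success, since the ZyWALL keeps checking a down connection.
    """

    def __init__(self, fail_tolerance: int):
        if not 1 <= fail_tolerance <= 10:
            raise ValueError("Check Fail Tolerance must be between 1 and 10")
        self.fail_tolerance = fail_tolerance
        self.failures = 0
        self.up = True

    def record(self, ping_ok: bool) -> bool:
        """Feed one check result; returns the resulting link state."""
        if ping_ok:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.fail_tolerance:
                self.up = False
        return self.up


def select_route(metrics: dict, link_up: dict, current=None, fall_back=True):
    """Active/Passive route choice: the lowest-metric route whose link is up.

    With fall_back=False (Fall Back to Primary WAN When Possible cleared) the
    ZyWALL stays on the route it is using for as long as that route is up.
    Routes missing from link_up are assumed up.
    """
    if not fall_back and current and link_up.get(current, True):
        return current
    for name, _ in sorted(metrics.items(), key=lambda item: item[1]):
        if link_up.get(name, True):
            return name
    return None


MANUAL_METRICS = {"WAN 1": 2, "WAN 2": 3, "Traffic Redirect": 14, "Dial Backup": 15}

if __name__ == "__main__":
    print(validate_metrics(MANUAL_METRICS))                     # -> []
    check = ConnectivityCheck(fail_tolerance=3)
    states = [check.record(ok) for ok in (False, False, False, True)]
    print(states)                                                # -> [True, True, False, True]
    print(select_route(MANUAL_METRICS, {"WAN 1": False}))        # -> WAN 2
    print(select_route(MANUAL_METRICS, {"WAN 1": False, "WAN 2": False}))  # -> Traffic Redirect
```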

8.7 Configuring Load Balancing

To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the ZyWALL.

The WAN General screen varies depending on what you select in the Load Balancing Algorithm field.

8.7.1 Least Load First

To configure Least Load First, select Least Load First in the Load Balancing Algorithm field.

Figure 64 Load Balancing: Least Load First

The following table describes the related fields in this screen.

Table 34 Load Balancing: Least Load First

LABEL | DESCRIPTION
Active/Active Mode | Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
Load Balancing Algorithm | Set the load balancing method to Least Load First.
Time Frame | You can set the ZyWALL to get the measured bandwidth using the average bandwidth in the specified time interval. Enter the time interval between 10 and 600 seconds.
Load Balancing Index(es) | Specify the direction of the traffic utilization you want the ZyWALL to use in calculating the load balancing index. Select Outbound Only, Inbound Only or Outbound + Inbound.
Interface | This field displays the name of the WAN interface (WAN 1 and WAN 2).
Available Inbound Bandwidth | This field is applicable when you select Outbound + Inbound or Inbound Only in the Load Balancing Index(es) field. Specify the inbound (or downstream) bandwidth (in kilobits per second) for the interface. This should be the actual downstream bandwidth that your ISP provides.
Available Outbound Bandwidth | This field is applicable when you select Outbound + Inbound or Outbound Only in the Load Balancing Index(es) field. Specify the outbound (or upstream) bandwidth (in kilobits per second) for the interface. This should be the actual upstream bandwidth that your ISP provides.

8.7.2 Weighted Round Robin

To load balance using the weighted round robin method, select Weighted Round Robin in the Load Balancing Algorithm field.

Figure 65 Load Balancing: Weighted Round Robin

The following table describes the related fields in this screen.

Table 35 Load Balancing: Weighted Round Robin

LABEL | DESCRIPTION
Active/Active Mode | Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
Load Balancing Algorithm | Set the load balancing method to Weighted Round Robin.
Interface | This field displays the name of the WAN interface (WAN 1 and WAN 2).
Ratio | Specify the weight for the interface. Enter 0 to set the ZyWALL not to send traffic load to the interface. The higher the number, the bigger the weight (the more traffic sent).

8.7.3 Spillover

To load balance using the spillover method, select Spillover in the Load Balancing Algorithm field.

Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs. By default, WAN 1 is the primary WAN and WAN 2 is the secondary WAN.

Figure 66 Load Balancing: Spillover

The following table describes the related fields in this screen.

Table 36 Load Balancing: Spillover

LABEL: DESCRIPTION
Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
Load Balancing Algorithm: Set the load balancing method to Spillover.
Time Frame: You can set the ZyWALL to get the measured bandwidth using the average bandwidth in the specified time interval. Enter the time interval between 10 and 600 seconds.
Send traffic to secondary WAN when primary WAN bandwidth exceeds: Specify the maximum allowable bandwidth on the primary WAN. Once this maximum bandwidth is reached, the ZyWALL sends the new session traffic that exceeds this limit to the secondary WAN. The ZyWALL continues to send traffic of existing sessions to the primary WAN.
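The three Active/Active algorithms of Section 8.7 (Least Load First, Weighted Round Robin and Spillover), modelled as an added example that is not ZyXEL firmware code. The bandwidth figures, session sizes and the way the combined Outbound + Inbound index is formed are constructed assumptions, not values from the manual.

```python
from dataclasses import dataclass


@dataclass
class Wan:
    """One WAN interface with the fields from Tables 34 to 36."""
    name: str
    inbound_kbps: int            # Available Inbound Bandwidth (ISP downstream)
    outbound_kbps: int           # Available Outbound Bandwidth (ISP upstream)
    ratio: int = 1               # Weighted Round Robin Ratio; 0 = send no traffic
    in_load: float = 0.0         # measured inbound kbps over the Time Frame
    out_load: float = 0.0        # measured outbound kbps over the Time Frame


def check_time_frame(seconds):
    """The Time Frame field accepts 10 to 600 seconds; refuse anything else."""
    if not 10 <= seconds <= 600:
        raise ValueError("Time Frame must be between 10 and 600 seconds")
    return seconds


def measured_bandwidth(samples_kbps, time_frame):
    """Average the per-second samples over the last `time_frame` seconds;
    this is the 'measured bandwidth' Least Load First and Spillover use."""
    window = samples_kbps[-check_time_frame(time_frame):]
    return sum(window) / len(window)


def load_index(wan, indexes="Outbound + Inbound"):
    """Utilization fraction for the chosen Load Balancing Index(es) setting.
    Assumption: the combined index is total load divided by total capacity."""
    if indexes == "Outbound Only":
        return wan.out_load / wan.outbound_kbps
    if indexes == "Inbound Only":
        return wan.in_load / wan.inbound_kbps
    if indexes == "Outbound + Inbound":
        return (wan.out_load + wan.in_load) / (wan.outbound_kbps + wan.inbound_kbps)
    raise ValueError(f"unknown Load Balancing Index(es) setting: {indexes}")


def least_load_first(wans, indexes="Outbound + Inbound"):
    """Send a new session to the interface with the lowest utilization index."""
    return min(wans, key=lambda w: load_index(w, indexes)).name


def weighted_round_robin(wans, sessions):
    """Distribute `sessions` new sessions in proportion to each Ratio.
    An interface with Ratio 0 is skipped entirely, as the manual states."""
    order = [w.name for w in wans for _ in range(w.ratio)]
    if not order:
        raise ValueError("every interface has Ratio 0; no traffic can be sent")
    return [order[i % len(order)] for i in range(sessions)]


class Spillover:
    """The primary WAN carries new sessions until its bandwidth reaches the
    configured maximum; further new sessions go to the secondary WAN.
    Existing sessions stay on the primary WAN."""

    def __init__(self, primary, secondary, max_primary_kbps):
        self.primary, self.secondary = primary, secondary
        self.max_primary_kbps = max_primary_kbps
        self.sessions = {}                 # session id -> (interface, kbps)

    def primary_load(self):
        return sum(k for wan, k in self.sessions.values() if wan == self.primary)

    def new_session(self, session_id, kbps):
        # Assumption: 'reached' means the measured primary load is already at
        # or above the limit when the new session arrives.
        over = self.primary_load() >= self.max_primary_kbps
        target = self.secondary if over else self.primary
        self.sessions[session_id] = (target, kbps)
        return target


if __name__ == "__main__":
    # Constructed figures: an 8000/1000 kbps line and a 900/384 kbps 3G link.
    wan1 = Wan("WAN 1", 8000, 1000, ratio=3, in_load=6000, out_load=900)
    wan2 = Wan("WAN 2", 900, 384, ratio=1, in_load=800, out_load=50)
    for idx in ("Outbound Only", "Inbound Only", "Outbound + Inbound"):
        print(f"LLF with {idx}: {least_load_first([wan1, wan2], idx)}")
    print("WRR 3:1 ->", weighted_round_robin([wan1, wan2], 8))
    s = Spillover("WAN 1", "WAN 2", max_primary_kbps=800)
    print([s.new_session(i, k) for i, k in enumerate((500, 400, 100))])
```

Note that the same two interfaces give different Least Load First answers depending on the Load Balancing Index(es) setting, so that field should match the direction in which the links are actually saturated.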

8.8 WAN IP Address Assignment

Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.

Table 37 Private IP Address Ranges

10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.


Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.

8.9 DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

The ZyWALL can get the DNS server addresses in the following ways.

1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL's WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section 21.5.1 on page 372).

8.10 WAN MAC Address

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a different "rom" file.

Table 38 Example of Network Properties for LAN Servers with Fixed IP Addresses

Choose an IP address: 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254.
Subnet mask: 255.255.255.0
Gateway (or default route): 192.168.1.1 (ZyWALL LAN IP)

8.11 WAN 1

To change your ZyWALL's WAN 1 ISP, IP and MAC settings, click NETWORK > WAN > WAN 1. The screen differs by the encapsulation.


The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.

8.11.1 WAN Ethernet Encapsulation

For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.

The screen shown next is for Ethernet encapsulation.

Figure 67 NETWORK > WAN > WAN 1 (Ethernet Encapsulation)

The following table describes the labels in this screen.

Table 39 NETWORK > WAN > WAN 1 (Ethernet Encapsulation)

LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type: Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
Login Server (Telia Login only): Type the domain name of the Telia login server, for example login1.telia.com.
Relogin Every (min) (Telia Login only): The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
My WAN IP Subnet Mask: Enter the IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
Gateway IP Address: Enter the gateway IP address (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicast. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicast, then all routers on your network must use multicast also. By default, the RIP Version field is set to RIP-1.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address from LAN: You can configure the WAN port's MAC address by either using the factory assigned default MAC Address or cloning the MAC address of a computer on your LAN. By default, the ZyWALL uses the factory assigned MAC Address to identify itself on the WAN. Otherwise, select the check box next to Spoof WAN MAC Address from LAN and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer's MAC address - IP Address: Enter the IP address of the computer on the LAN whose MAC you are cloning. If you clone the MAC address of a computer on your LAN, it is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

8.11.2 PPPoE Encapsulation

The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE.

For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example RADIUS).

One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for individuals.

Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site.

By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LANs' computers will have access.

The screen shown next is for PPPoE encapsulation.

Figure 68 NETWORK > WAN > WAN 1 (PPPoE Encapsulation)

The following table describes the labels in this screen.

Table 40 NETWORK > WAN > WAN 1 (PPPoE Encapsulation)

LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Select PPPoE for a dial-up connection using PPPoE.
Service Name: Type the PPPoE service name provided to you by your ISP. PPPoE uses a service name to identify and reach the PPPoE server.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Authentication Type: The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT. For more information about NAT see Chapter 17 on page 329.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicast, then all routers on your network must use multicast also. By default, the RIP Version field is set to RIP-1.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address from LAN: You can configure the WAN port's MAC address by either using the factory assigned default MAC Address or cloning the MAC address of a computer on your LAN. By default, the ZyWALL uses the factory assigned MAC Address to identify itself on the WAN. Otherwise, select the check box next to Spoof WAN MAC Address from LAN and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer's MAC address - IP Address: Enter the IP address of the computer on the LAN whose MAC you are cloning. If you clone the MAC address of a computer on your LAN, it is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

8.11.3 PPTP Encapsulation

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.

PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation.

Figure 69 NETWORK > WAN > WAN 1 (PPTP Encapsulation)

The following table describes the labels in this screen.

Table 41 NETWORK > WAN > WAN 1 (PPTP Encapsulation)

LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Set the encapsulation method to PPTP. The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User ID: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Authentication Type: The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Type your identification name for the PPTP server.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT. For more information about NAT see Chapter 17 on page 329.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicast. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicast, then all routers on your network must use multicast also. By default, the RIP Version field is set to RIP-1.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address from LAN: You can configure the WAN port's MAC address by either using the factory assigned default MAC Address or cloning the MAC address of a computer on your LAN. By default, the ZyWALL uses the factory assigned MAC Address to identify itself on the WAN. Otherwise, select the check box next to Spoof WAN MAC Address from LAN and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer's MAC address - IP Address: Enter the IP address of the computer on the LAN whose MAC you are cloning. If you clone the MAC address of a computer on your LAN, it is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

8.12 WAN 2 (3G WAN)

3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices.


The 3G downstream data rate can be up to 900 Kbps and upstream data rate can be up to 384 Kbps when you use the Sierra AC850/860 3G card in the ZyWALL.

The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider's base station, etc.

If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G of wireless technologies.

Table 42 2G, 2.5G, 2.75G and 3G of Wireless Technologies

NAME | OFFICIALLY DEFINED BY ITU (A) | TYPE | MOBILE PHONE AND DATA STANDARDS | DATA SPEED
2G | Yes | Circuit-switched | GSM (Global System for Mobile Communications), Personal Handy-phone System (PHS), etc. | Slow
2.5G | No | Packet-switched | GPRS (General Packet Radio Services), High-Speed Circuit-Switched Data (HSCSD), etc. |
2.75G | No | Packet-switched | Enhanced Data rates for GSM Evolution (EDGE), Enhanced GPRS (EGPRS), etc. |
3G | Yes | Packet-switched | W-CDMA (Wideband Code Division Multiple Access), the higher speed transmission protocol used in the Japanese FOMA (Freedom of Mobile Multimedia Access) system and in the UMTS (Universal Mobile Telecommunications System) system, CDMA2000, etc. HSDPA (High-Speed Downlink Packet Access) is a mobile telephony protocol, used for UMTS-based 3G networks and allows for higher data transfer speeds. |

A. The International Telecommunication Union (ITU) is an international organization within which governments and the private sector coordinate global telecom networks and services.

After you insert a 3G card in the ZyWALL, the 3G connection becomes WAN 2.

To change your ZyWALL's 3G WAN settings, click NETWORK > WAN > WAN 2.


Turn the ZyWALL off before you install or remove the 3G card.


The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.

Figure 70 NETWORK > WAN > WAN 2 (3G WAN)

The following table describes the labels in this screen.

Table 43 NETWORK > WAN > WAN 2 (3G WAN)

LABEL: DESCRIPTION
ISP Parameters for Internet Access
3G Wireless Card: This displays the manufacturer and model name of your 3G card if you inserted one in the ZyWALL. Otherwise, it displays Not Installed.
Access Point Name (APN): Enter the APN (Access Point Name) provided by your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge method. You can enter up to 31 ASCII printable characters. Spaces are allowed.
User ID: Type the user name (of up to 31 ASCII printable characters) given to you by your service provider.
Password: Type the password (of up to 31 ASCII printable characters) associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
PIN Code: A PIN (Personal Identification Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G card. Enter the 4-digit PIN code (0000 for example) provided by your ISP. If you enter the PIN code incorrectly, the 3G card may be blocked by your ISP and you cannot use the account to access the Internet. If your ISP disabled PIN code authentication, enter an arbitrary number.
Phone Number: Enter the phone number (dial string) used to dial up a connection to your service provider's base station. Your ISP should provide the phone number. For example, *99# is the dial string to establish a GPRS or 3G connection in Taiwan.
Authentication Type: The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the ISP.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT. For more information about NAT see Chapter 17 on page 329.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
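The Authentication Type field in the PPPoE, PPTP and 3G WAN screens above offers PAP, CHAP or CHAP/PAP and notes that CHAP is the more secure of the two. The following added example (not ZyXEL code) models both PPP exchanges to show why: PAP per RFC 1334 carries the password itself, while MD5-CHAP per RFC 1994 carries only a hash bound to a server-chosen challenge. The ISP_SECRETS store, the message dictionaries and all secret values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed ISP-side credential store: user name -> shared secret (bytes).
ISP_SECRETS = {"zywall-user": b"correct horse battery staple"}


def accepted_by_zywall(authentication_type, requested):
    """Model of the Authentication Type drop-down: CHAP/PAP takes whichever
    protocol the remote node requests; CHAP or PAP alone accepts only that one."""
    return authentication_type == "CHAP/PAP" or authentication_type == requested


def pap_exchange(user, password, secrets_db=ISP_SECRETS):
    """PAP (RFC 1334): the client places the password itself in the
    Authenticate-Request; the server compares it against its store.
    Returns (messages_on_the_wire, accepted)."""
    request = {"code": "Authenticate-Request", "peer_id": user, "password": password}
    stored = secrets_db.get(user)
    ok = stored is not None and hmac.compare_digest(stored, password)
    reply = {"code": "Authenticate-Ack" if ok else "Authenticate-Nak"}
    return [request, reply], ok


def chap_md5_response(identifier, secret, challenge):
    """RFC 1994 section 2.2: Value = MD5(Identifier || Secret || Challenge).
    `identifier` is the one-octet CHAP Identifier (0..255)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(user, identifier, challenge, response_value, secrets_db=ISP_SECRETS):
    """Server side: recompute the expected hash from the stored secret and the
    challenge it issued, then compare in constant time."""
    stored = secrets_db.get(user)
    if stored is None:
        return False
    expected = chap_md5_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response_value)


def chap_exchange(user, secret, secrets_db=ISP_SECRETS, identifier=1, challenge=None):
    """CHAP (RFC 1994): server sends Challenge, client answers with a hash over
    its secret and that challenge, server verifies. The secret never leaves the
    client. Returns (messages_on_the_wire, accepted)."""
    if challenge is None:
        challenge = secrets.token_bytes(16)   # server picks a fresh random value
    challenge_msg = {"code": "Challenge", "id": identifier, "value": challenge}
    response_msg = {"code": "Response", "id": identifier, "name": user,
                    "value": chap_md5_response(identifier, secret, challenge)}
    ok = chap_verify(user, identifier, challenge, response_msg["value"], secrets_db)
    result = {"code": "Success" if ok else "Failure", "id": identifier}
    return [challenge_msg, response_msg, result], ok


def secret_visible_on_wire(messages, secret):
    """True if a passive observer of the link would see the secret verbatim
    in any field of any message."""
    return any(value == secret for msg in messages for value in msg.values())


if __name__ == "__main__":
    pw = ISP_SECRETS["zywall-user"]
    pap_msgs, _ = pap_exchange("zywall-user", pw)
    chap_msgs, _ = chap_exchange("zywall-user", pw)
    print("PAP exposes secret on the wire: ", secret_visible_on_wire(pap_msgs, pw))
    print("CHAP exposes secret on the wire:", secret_visible_on_wire(chap_msgs, pw))
```

A captured CHAP Response is tied to the challenge it answered and fails verification against any later challenge, which is what a server gains over PAP's reusable cleartext password.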

8.13 Traffic Redirect

Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN.

Figure 71 Traffic Redirect WAN Setup

IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/ZyWALL firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2).

Figure 72 Traffic Redirect LAN Setup

8.14 Configuring Traffic Redirect

To change your ZyWALL's traffic redirect settings, click NETWORK > WAN > Traffic Redirect. The screen appears as shown.

Figure 73 NETWORK > WAN > Traffic Redirect

The following table describes the labels in this screen.

Table 44 NETWORK > WAN > Traffic Redirect

LABEL: DESCRIPTION
Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

8.15 Configuring Dial Backup

Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection.

Figure 74 NETWORK > WAN > Dial Backup

The following table describes the labels in this screen.

Table 45 NETWORK > WAN > Dial Backup

LABEL | DESCRIPTION
Dial Backup Setup |
Enable Dial Backup | Select this check box to turn on dial backup.
Basic Settings |
Login Name | Type the login name assigned by your ISP.
Password | Type the password assigned by your ISP.
Retype to Confirm | Type your password again to make sure that you have entered it correctly.
Authentication Type | Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only.
Primary/Secondary Phone Number | Type the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your ZyWALL dials the Secondary Phone number if available. Some areas require dialing the pound sign # before the phone number for local calls. Include a # symbol at the beginning of the phone numbers as required.
Dial Backup Port Speed | Use the drop-down list box to select the speed of the connection between the Dial Backup port and the external device. Available speeds are: 9600, 19200, 38400, 57600, 115200 or 230400 bps.
AT Command Initial String | Type the AT command string to initialize the WAN device. Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
Advanced Modem Setup | Click Edit to display the Advanced Setup screen and edit the details of your dial backup setup.
TCP/IP Options |
Get IP Address Automatically from Remote Server | Type the login name assigned by your ISP for this remote node.
Use Fixed IP Address | Select this check box if your ISP assigned you a fixed IP address, then enter the IP address in the following field.
My WAN IP Address | Leave the field set to 0.0.0.0 (default) to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Type your WAN IP address here if you know it (static). This is the address assigned to your local ZyWALL, not the remote router.
Enable NAT (Network Address Translation) | Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network to a different IP address known within another network. Select the check box to enable NAT. Clear the check box to disable NAT so the ZyWALL does not perform any NAT mapping for the dial backup connection.
Enable RIP | Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers.
RIP Version | The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicast, then all routers on your network must use multicast, also.
RIP Direction | RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives.
Broadcast Dial Backup Route | Select this check box to forward the backup route broadcasts to the WAN.
Enable Multicast | Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version | Select IGMP-v1 or IGMP-v2. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Budget |
Always On | Select this check box to have the dial backup connection on all of the time.
Configure Budget | Select this check box to have the dial backup connection on during the time that you select.
Allocated Budget | Type the amount of time (in minutes) that the dial backup connection can be used during the time configured in the Period field. Set an amount that is less than the time period configured in the Period field.
Period | Type the time period (in hours) for how often the budget should be reset. For example, to allow calls to this remote node for a maximum of 10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour).
Idle Timeout | Type the number of seconds of idle time (when there is no traffic from the ZyWALL to the remote node) for the ZyWALL to wait before it automatically disconnects the dial backup connection. This option applies only when the ZyWALL initiates the call. The dial backup connection never times out if you set this field to "0" (it is the same as selecting Always On).
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
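The Budget fields above define a rolling allowance: a number of minutes of dial backup per period, reset at every period boundary, plus an idle timeout that disconnects an unused call (with "0" meaning never). The following is an added example, not ZyWALL code, that models that accounting so the "10 minutes every hour" rule can be checked against concrete times; the class name, the seconds-based clock and the convention of charging a call to the period in which it started are assumptions.

```python
class DialBudget:
    """Call-budget accounting for the dial backup connection (Table 45).

    Added illustration, not ZyWALL code. Times are seconds from an arbitrary
    epoch; a call is charged to the period in which it started (assumption).
    """

    def __init__(self, allocated_minutes: int, period_hours: int,
                 idle_timeout_sec: int, always_on: bool = False, now: int = 0):
        period_sec = period_hours * 3600
        if not always_on and allocated_minutes * 60 >= period_sec:
            # The manual says the budget must be less than the period.
            raise ValueError("allocated budget must be less than the period")
        self.always_on = always_on
        self.budget_sec = allocated_minutes * 60
        self.period_sec = period_sec
        self.idle_timeout = idle_timeout_sec
        self.period_start = now
        self.used_sec = 0

    def _roll_period(self, now: int) -> None:
        """Reset the used time when one or more period boundaries have passed."""
        elapsed = now - self.period_start
        if elapsed >= self.period_sec:
            self.period_start += (elapsed // self.period_sec) * self.period_sec
            self.used_sec = 0

    def remaining_sec(self, now: int):
        """Seconds of budget left in the current period; None when Always On."""
        if self.always_on:
            return None
        self._roll_period(now)
        return max(0, self.budget_sec - self.used_sec)

    def may_dial(self, now: int) -> bool:
        """True if a backup call may be placed at time `now`."""
        return self.always_on or self.remaining_sec(now) > 0

    def charge(self, start: int, end: int) -> int:
        """Record a call that ran from start to end; returns seconds charged."""
        self._roll_period(start)
        if self.always_on:
            return 0
        charged = max(0, end - start)
        self.used_sec += charged
        return charged

    def should_drop(self, last_traffic: int, now: int) -> bool:
        """Idle-timeout rule: a value of 0 never disconnects (same as Always On)."""
        if self.always_on or self.idle_timeout == 0:
            return False
        return now - last_traffic >= self.idle_timeout


if __name__ == "__main__":
    budget = DialBudget(allocated_minutes=10, period_hours=1, idle_timeout_sec=120)
    budget.charge(0, 600)                 # a ten-minute call uses the whole hour's budget
    print(budget.may_dial(1800))          # False: still inside the same hour
    print(budget.may_dial(3900))          # True: the budget reset at 3600 s
```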

8.16 Advanced Modem Setup

8.16.1 AT Command Strings

For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.

For ISDN lines, there are many more protocols and operational modes. Please consult the documentation of your TA. You may need additional commands in both Dial and Init strings.

8.16.2 DTR Signal

The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.

8.16.3 Response Strings

The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags.

8.17 Configuring Advanced Modem Setup

Click the Edit button in the Dial Backup screen to display the Advanced Setup screen.


Consult the manual of your WAN device connected to your dial backup port for specific AT commands.

Figure 75 NETWORK > WAN > Dial Backup > Edit

The following table describes the labels in this screen.

Table 46 NETWORK > WAN > Dial Backup > Edit

LABEL | DESCRIPTION
AT Command Strings |
Dial | Type the AT Command string to make a call.
Drop | Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+---ath" can be used if your modem has a slow response time.
Answer | Type the AT Command string to answer a call.
Drop DTR When Hang Up | Select this check box to have the ZyWALL drop the DTR (Data Terminal Ready) signal after the "AT Command String: Drop" is sent out.
AT Response Strings |
CLID | Type the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication.
Called ID | Type the keyword preceding the dialed number.
Speed | Type the keyword preceding the connection speed.
Call Control |
Dial Timeout (sec) | Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping).
Retry Count | Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
Retry Interval (sec) | Type a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies before a phone number is blacklisted.
Drop Timeout (sec) | Type the number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation.
Call Back Delay (sec) | Type a number of seconds for the ZyWALL to wait between dropping a callback request call and dialing the corresponding callback call.
Apply | Click Apply to save your changes back to the ZyWALL.
Cancel | Click Cancel to exit this screen without saving.
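Sections 8.16 and Table 46 describe two small text formats: command strings in which "~" stands for a one-second pause, and response lines in which a configured keyword precedes each call parameter (CLID, dialed number, speed). The following is an added example, not ZyXEL code, that expands a command string into send/wait steps, builds a tone or pulse dial string, and picks the CLID and speed out of constructed modem output before checking the CLID against an allow list; the keyword values, the sample response lines and the helper names are assumptions, since the manual says the real tags depend on the WAN device.

```python
import re
from typing import Dict, List, Tuple, Union

# Added example, not ZyXEL code. Keywords, sample modem output and the
# dialling helper are assumptions; Table 46 says the real tags depend on
# the attached WAN device.

Step = Tuple[str, Union[str, int]]


def expand_at_string(s: str) -> List[Step]:
    """Split a ZyWALL-style AT string into ('send', text) and ('wait', seconds)
    steps. Each '~' is a one-second pause, so the manual's "~~~+---ath"
    becomes a three-second wait followed by the text "+---ath"."""
    steps: List[Step] = []
    text, pause = "", 0
    for ch in s:
        if ch == "~":
            if text:
                steps.append(("send", text))
                text = ""
            pause += 1
        else:
            if pause:
                steps.append(("wait", pause))
                pause = 0
            text += ch
    if pause:
        steps.append(("wait", pause))
    if text:
        steps.append(("send", text))
    return steps


def dial_string(number: str, pulse: bool = False, local_prefix: str = "") -> str:
    """ATDT for tone dialing, ATDP for pulse (8.16.1). local_prefix covers
    areas that need a leading '#' before local numbers (Table 45)."""
    digits = re.sub(r"[\s-]", "", number)
    if not re.fullmatch(r"[0-9*#]+", digits):
        raise ValueError(f"{number!r} is not a dialable number")
    return ("ATDP" if pulse else "ATDT") + local_prefix + digits


def parse_responses(lines: List[str], tags: Dict[str, str]) -> Dict[str, str]:
    """Return the value that follows each configured keyword in the modem's
    response lines (Table 46, AT Response Strings). First match wins."""
    found: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        for field, keyword in tags.items():
            if field not in found and line.startswith(keyword):
                found[field] = line[len(keyword):].strip()
    return found


def clid_authorized(found: Dict[str, str], allowed: List[str]) -> bool:
    """CLID authentication: the captured CLID must be on the allow list;
    a call that delivered no CLID is rejected rather than assumed."""
    clid = found.get("clid")
    return clid is not None and clid in allowed


# Constructed sample, not real device output; the tag spellings are assumed.
SAMPLE_TAGS = {"clid": "NMBR =", "called_id": "DNID =", "speed": "CONNECT"}
SAMPLE_LINES = ["RING", "DATE = 0101", "NMBR = 5551234",
                "DNID = 5550100", "CONNECT 115200"]

if __name__ == "__main__":
    print(expand_at_string("~~~+---ath"))   # [('wait', 3), ('send', '+---ath')]
    print(dial_string("555-1234", pulse=True, local_prefix="#"))  # ATDP#5551234
    call = parse_responses(SAMPLE_LINES, SAMPLE_TAGS)
    print(call, clid_authorized(call, ["5551234"]))
```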

DMZ Screens

This chapter describes how to configure the ZyWALL's DMZ.

9.1 DMZ

The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be accessed from the secure LAN.

By default the firewall allows traffic between the WAN and the DMZ, traffic from the DMZ to the LAN is denied, and traffic from the LAN to the DMZ is allowed. Internet users can have access to host servers on the DMZ but no access to the LAN, unless special filter rules allowing access were configured by the administrator or the user is an authorized remote user.

It is highly recommended that you connect all of your public servers to the DMZ port(s).

It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port. Store sensitive information on LAN computers.
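The default inter-zone policy in 9.1 is simple to state but easy to erode once "special filter rules" accumulate, so an added example, not ZyWALL code, follows that encodes the stated defaults as a table, applies administrator rules before them, and audits which rules open a path into the LAN. The zone names, the rule shape and the NetBIOS port numbers are assumptions, and the sample flows are constructed; the NetBIOS rules model the note in the DMZ screen that a DMZ to LAN firewall rule is also needed when the firewall blocks DMZ to LAN traffic.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not ZyWALL code. It encodes the defaults stated in 9.1:
# WAN<->DMZ allowed, LAN->DMZ allowed, DMZ->LAN denied and no Internet
# access to the LAN. Zone names, the rule shape and port numbers are
# assumptions; the sample flows are constructed.

DEFAULT_POLICY = {
    ("WAN", "DMZ"): "allow",
    ("DMZ", "WAN"): "allow",
    ("LAN", "DMZ"): "allow",
    ("DMZ", "LAN"): "deny",
    ("WAN", "LAN"): "deny",
    ("LAN", "WAN"): "allow",   # assumption: outbound LAN access stays open
}

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """An administrator rule; None in proto or dst_port matches anything."""
    src_zone: str
    dst_zone: str
    proto: Optional[str]
    dst_port: Optional[int]
    action: str     # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.proto in (None, f.proto)
                and self.dst_port in (None, f.dst_port))


def evaluate(flow: Flow, rules: Tuple[Rule, ...] = ()) -> str:
    """First matching administrator rule wins; otherwise the default policy
    applies, and a zone pair with no stated default is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return DEFAULT_POLICY.get((flow.src_zone, flow.dst_zone), "deny")


def lan_exposures(rules: Tuple[Rule, ...]) -> List[Rule]:
    """Rules that open a path into the LAN from a less trusted zone: the
    'special filter rules' of 9.1 that deserve a second look."""
    return [r for r in rules
            if r.action == "allow" and r.dst_zone == "LAN"
            and r.src_zone in ("WAN", "DMZ")]


def netbios_rules(src: str, dst: str) -> Tuple[Rule, ...]:
    """Rules forwarding NetBIOS between two zones, as the DMZ screen says
    you must add when the firewall blocks DMZ to LAN traffic."""
    return tuple(Rule(src, dst, proto, port, "allow")
                 for port in sorted(NETBIOS_PORTS)
                 for proto in ("tcp", "udp"))


if __name__ == "__main__":
    web = Flow("WAN", "DMZ", "tcp", 80)       # public server: allowed by default
    smb = Flow("DMZ", "LAN", "tcp", 445)      # DMZ host reaching into the LAN: denied
    nbns = Flow("DMZ", "LAN", "udp", 137)
    print(evaluate(web), evaluate(smb), evaluate(nbns))      # allow deny deny
    rules = netbios_rules("DMZ", "LAN")
    print(evaluate(nbns, rules), len(lan_exposures(rules)))  # allow 6
```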

9.2 Configuring DMZ

The DMZ and the connected computers can have private or public IP addresses.

When the DMZ uses public IP addresses, the WAN and DMZ ports must use public IP addresses that are on separate subnets. See Appendix E on page 663 for information on IP subnetting. If you do not configure SUA NAT or any full feature NAT mapping rules for the public IP addresses on the DMZ, the ZyWALL will route traffic to the public IP addresses on the DMZ without performing NAT. This may be useful for hosting servers for NAT unfriendly applications (see Chapter 17 on page 329 for more information).

If the DMZ computers use private IP addresses, use NAT if you want to make them publicly accessible.

Like the LAN, the ZyWALL can also assign TCP/IP configuration via DHCP to computers connected to the DMZ ports.

From the main menu, click NETWORK > DMZ to open the DMZ screen. The screen appears as shown next.

Figure 76 NETWORK > DMZ

The following table describes the labels in this screen.

Table 47 NETWORK > DMZ

LABEL | DESCRIPTION
DMZ TCP/IP |
IP Address | Type the IP address of your ZyWALL's DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
IP Subnet Mask | The subnet mask specifies the network number portion of an IP address. Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL (255.255.255.0).
RIP Direction | RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
RIP Version | The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicast, then all routers on your network must use multicast, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast | Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
DHCP Setup |
DHCP | DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
IP Pool Starting Address | This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size | This field specifies the size, or count, of the IP address pool.
DHCP Server Address | Type the IP address of the DHCP server to which you want the ZyWALL to relay DHCP requests. Use dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
DHCP WINS Server 1, 2 | Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Windows Networking (NetBIOS over TCP/IP) |
Allow between DMZ and LAN | Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN. If your firewall is enabled with the default policy set to block DMZ to LAN traffic, you also need to configure a DMZ to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the DMZ and from the DMZ to the LAN.
Allow between DMZ and WAN 1 | Select this check box to forward NetBIOS packets from the DMZ to WAN 1 and from WAN 1 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN 1 and from WAN 1 to the DMZ.
Allow between DMZ and WAN 2 | Select this check box to forward NetBIOS packets from the DMZ to WAN 2 and from WAN 2 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN 2 and from WAN 2 to the DMZ.
Allow between DMZ and WLAN | Select this check box to forward NetBIOS packets from the WLAN to the DMZ and from the DMZ to the WLAN. If your firewall is enabled with the default policy set to block DMZ to WLAN traffic and WLAN to DMZ traffic, you also need to configure DMZ to WLAN and WLAN to DMZ firewall rules that forward NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

9.3 DMZ Static DHCP

This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses.

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

To change your ZyWALL's static DHCP settings on the DMZ, click NETWORK > DMZ > Static DHCP. The screen appears as shown.

Figure 77 NETWORK > DMZ > Static DHCP

The following table describes the labels in this screen.

Table 48 NETWORK > DMZ > Static DHCP

LABEL | DESCRIPTION
# | This is the index number of the Static IP table entry (row).
MAC Address | Type the MAC address of a computer on your DMZ.
IP Address | Type the IP address that you want to assign to the computer on your DMZ. Alternatively, click the right mouse button to copy and/or paste the IP address.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

9.4 DMZ IP Alias

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.

The ZyWALL has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ port role, they are all still part of a single physical Ethernet interface and all use the same IP address.

The ZyWALL supports three logical DMZ interfaces via its single physical DMZ Ethernet interface. The ZyWALL itself is the gateway for each of the logical DMZ networks.

The IP alias IP addresses can be either private or public regardless of whether the physical DMZ interface is set to use a private or public IP address. Use NAT if you want to make DMZ computers with private IP addresses publicly accessible (see Chapter 17 on page 329 for more information). When you use IP alias, you can have the DMZ use both public and private IP addresses at the same time.


Make sure that the subnets of the logical networks do not overlap.

To change your ZyWALL's IP alias settings, click NETWORK > DMZ > IP Alias. The screen appears as shown.

Figure 78 NETWORK > DMZ > IP Alias

The following table describes the labels in this screen.

Table 49 NETWORK > DMZ > IP Alias

LABEL | DESCRIPTION
Enable IP Alias 1, 2 | Select the check box to configure another DMZ network for the ZyWALL.
IP Address | Enter the IP address of your ZyWALL in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
IP Subnet Mask | Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction | RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version | The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicast. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicast, then all routers on your network must use multicast, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
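Sections 9.2 to 9.4 state several addressing rules that are easy to violate by hand: the LAN, WAN, WLAN and DMZ (and each IP alias) must sit on separate, non-overlapping subnets; the default mask is derived from the address you type; a static DHCP row needs a well-formed MAC address and an address that belongs to a DMZ subnet; and private DMZ addresses need NAT to be reachable from the Internet. The following is an added example, not ZyXEL code, that checks a plan against those rules. The classful derivation of the default mask is an assumption (it yields the 255.255.255.0 the DMZ screen mentions for a 192.168.x.x address), the function names are made up, and the sample plan uses RFC 1918 and documentation address ranges as constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Added example, not ZyXEL code. It checks an addressing plan against the
# rules stated in this chapter: every interface and IP alias on its own
# subnet (Tables 47 and 49), a default mask derived from the address
# (assumed classful here), static DHCP rows with a valid MAC and an address
# inside a DMZ subnet (Table 48), and NAT needed for private DMZ addresses.
# All sample addresses are constructed placeholders.

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize_mac(mac: str) -> Optional[str]:
    """Return the MAC as six upper-case hex pairs joined by ':', or None if
    the input is not a MAC address."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        return None
    return ":".join(p.upper() for p in parts)


def classful_mask(ip: str) -> str:
    """Mask implied by the address class (assumption for the mask the screen
    'automatically calculates')."""
    first_octet = int(ipaddress.ip_address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{ip}: not a unicast interface address")


def interface_network(ip: str, mask: Optional[str] = None) -> ipaddress.IPv4Network:
    """Subnet an interface or alias lives on, using the typed mask if given."""
    return ipaddress.ip_network(f"{ip}/{mask or classful_mask(ip)}", strict=False)


def is_rfc1918(ip: str) -> bool:
    """Private address: a DMZ host here needs NAT to be reachable (9.2, 9.4)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_plan(plan: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Report every pair of interfaces/aliases whose subnets overlap."""
    nets = {name: interface_network(ip, mask) for name, (ip, mask) in plan.items()}
    names = list(nets)
    return [f"{a} ({nets[a]}) overlaps {b} ({nets[b]})"
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_static_dhcp(entries: Sequence[Tuple[str, str]],
                      dmz_nets: Sequence[ipaddress.IPv4Network]) -> List[str]:
    """Validate (MAC, IP) rows of the Static DHCP table against the DMZ subnets."""
    problems: List[str] = []
    seen_mac, seen_ip = set(), set()
    for mac, ip in entries:
        norm = normalize_mac(mac)
        if norm is None:
            problems.append(f"{mac!r}: not a MAC address")
            continue
        if norm in seen_mac:
            problems.append(f"{norm}: listed twice")
        seen_mac.add(norm)
        addr = ipaddress.ip_address(ip)
        if addr in seen_ip:
            problems.append(f"{ip}: assigned to more than one MAC")
        seen_ip.add(addr)
        if not any(addr in net for net in dmz_nets):
            problems.append(f"{norm}: {ip} is not inside any DMZ subnet")
    return problems


# Constructed plan: private LAN, public WAN and DMZ (documentation ranges
# as placeholders), and one private DMZ alias that will need NAT.
SAMPLE_PLAN = {
    "LAN": ("192.168.1.1", None),
    "WAN 1": ("198.51.100.2", None),
    "DMZ": ("203.0.113.1", None),
    "DMZ IP Alias 1": ("192.168.2.1", None),
}

if __name__ == "__main__":
    print(check_plan(SAMPLE_PLAN))                       # [] : no overlaps
    dmz = [interface_network("203.0.113.1"), interface_network("192.168.2.1")]
    print(check_static_dhcp([("00:A0:C5:00:00:02", "203.0.113.10")], dmz))  # []
    print(is_rfc1918("192.168.2.20"))                    # True: needs NAT
```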

9.5 DMZ Public IP Address Example

The following figure shows a simple network setup with public IP addresses on the WAN and DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and connected servers (D through F) use public IP addresses that are in another subnet. The public IP addresses of the DMZ and WAN ports are in separate subnets.

Figure 79 DMZ Public Address Example LAN

9.6 DMZ Private and Public IP Address Example

The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and server F use private IP addresses that are in one subnet. The private IP addresses of the LAN and DMZ are on separate subnets. The DMZ port and connected servers (D and E) use public IP addresses that are in one subnet. The public IP addresses of the DMZ and WAN are on separate subnets.

Configure one subnet (either the public or the private) in the Network > DMZ screen (see Figure 9.2 on page 163) and configure the other subnet in the Network > DMZ > IP Alias screen (see Figure 9.4 on page 167) to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses.

Figure 80 DMZ Private and Public Address Example

9.7 DMZ Port Roles

Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface.

Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface.


Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:

1 A port's IP address varies as its role changes, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
2 Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL.

To change your ZyWALL's port role settings, click NETWORK > DMZ > Port Roles. The screen appears as shown.

The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default.


Your changes are also reflected in the LAN and/or WLAN Port Roles screens.

Figure 81 NETWORK > DMZ > Port Roles

The following table describes the labels in this screen.

Table 50 NETWORK > DMZ > Port Roles

LABEL | DESCRIPTION
LAN | Select a port's LAN radio button to use the port as part of the LAN. The port will use the ZyWALL's LAN IP address and MAC address.
DMZ | Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the ZyWALL's DMZ IP address and MAC address.
WLAN | Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL's WLAN IP address and MAC address.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

This chapter discusses how to configure wireless LAN on the ZyWALL.

10.1 Wireless LAN Introduction

A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN. To add a wireless network to the ZyWALL, you can either install a WLAN card or connect an Access Point to a port in the WLAN role.

The following figure provides an example of a wireless network.

Figure 82 Example of a Wireless Network

The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your ZyWALL is the AP.

Every wireless network must follow these basic guidelines.

  • Every wireless client in the same wireless network must use the same SSID.

The SSID is the name of the wireless network. It stands for Service Set IDentity.

  • If two wireless networks overlap, they should use different channels.

Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information.

  • Every wireless client in the same wireless network must use security compatible with the AP.

Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.


See the WLAN appendix for more detailed information on WLANs.

10.2 Configuring WLAN

The built-in wireless card is used as part of the LAN by default. You can use the Port Roles screen (see Figure 87 on page 181) to set a port to be part of the WLAN. Then connect an access point (AP) to it to extend the ZyWALL's wireless LAN coverage.

Click NETWORK > WLAN to open the WLAN screen to configure the IP address for ZyWALL's WLAN interface, other TCP/IP and DHCP settings.

Figure 83 NETWORK > WLAN

The following table describes the labels in this screen.

Table 51 NETWORK > WLAN

LABEL | DESCRIPTION
WLAN TCP/IP |
IP Address | Type the IP address of your ZyWALL's WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
IP Subnet Mask | The subnet mask specifies the network number portion of an IP address. Your ZyWALL automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction | RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
RIP Version | The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicast, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast | Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
DHCP Setup |
DHCP | DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your WLAN, or else the computers must be manually configured.
IP Pool Starting Address | This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size | This field specifies the size, or count, of the IP address pool.
DHCP Server Address | Type the IP address of the DHCP server to which you want the ZyWALL to relay DHCP requests. Use dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
DHCP WINS Server 1, 2 | Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Windows Networking (NetBIOS over TCP/IP) | NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However, it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Allow between WLAN and LAN | Select this check box to forward NetBIOS packets from the WLAN to the LAN and from the LAN to the WLAN. Clear this check box to block all NetBIOS packets going from the LAN to the WLAN and from the WLAN to the LAN.
Allow between WLAN and WAN 1 | Select this check box to forward NetBIOS packets from the WLAN to WAN 1 and from WAN 1 to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to WAN 1 and from WAN 1 to the WLAN.
Allow between WLAN and WAN 2 | Select this check box to forward NetBIOS packets from the WLAN to WAN 2 and from WAN 2 to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to WAN 2 and from WAN 2 to the WLAN.
Allow between WLAN and DMZ | Select this check box to forward NetBIOS packets from the WLAN to the DMZ and from the DMZ to the WLAN. If your firewall is enabled with the default policy set to block WLAN to DMZ traffic and DMZ to WLAN traffic, you also need to configure WLAN to DMZ and DMZ to WLAN firewall rules that forward NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

10.3 WLAN Static DHCP

This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses.

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

To change your ZyWALL's WLAN static DHCP settings, click NETWORK > WLAN > Static DHCP. The screen appears as shown.

Figure 84 NETWORK > WLAN > Static DHCP

The following table describes the labels in this screen.

Table 52 NETWORK > WLAN > Static DHCP

LABEL | DESCRIPTION
# | This is the index number of the Static IP table entry (row).
MAC Address | Type the MAC address of a computer on your WLAN.
IP Address | Type the IP address that you want to assign to the computer on your WLAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

10.4 WLAN IP Alias

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.

The ZyWALL has a single WLAN interface. Even though more than one of ports 1~4 may be in the WLAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.

The ZyWALL supports three logical WLAN interfaces via its single physical WLAN Ethernet interface. The ZyWALL itself is the gateway for each of the logical WLAN networks.

When you use IP alias, you can also configure firewall rules to control access between the WLAN's logical networks (subnets).


Make sure that the subnets of the logical networks do not overlap.

To change your ZyWALL's IP alias settings, click NETWORK > WLAN > IP Alias. The screen appears as shown.

Figure 85 NETWORK > WLAN > IP Alias

The following table describes the labels in this screen.

Table 53 NETWORK > WLAN > IP Alias

LABEL: DESCRIPTION
Enable IP Alias 1, 2: Select the check box to configure another WLAN network for the ZyWALL.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL broadcasts its routing table periodically. When set to Both or In Only, it incorporates the RIP information that it receives; when set to None, it neither sends RIP packets nor acts on any it receives. RIP-1 updates carry no authentication, so with Both or In Only any host on the wireless segment can advertise routes that the ZyWALL will install; leave this set to None unless another router you control is on the WLAN.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicast. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicast, then all routers on your network must use multicast, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
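The two rules this screen leaves to the administrator, the non-overlap requirement for the logical WLAN subnets and the automatically calculated subnet mask, as an added example in Python. This is not ZyWALL firmware code and not from the manual; it assumes the automatic mask is the classful default (/8, /16 or /24 by address class), and the addresses in the sample are constructed.

```python
"""Checks for the WLAN IP alias rules of Section 10.4 (added example, not ZyWALL code)."""
import ipaddress


def classful_mask(addr: str) -> str:
    """Default mask by address class: A /8, B /16, C /24.
    Assumption: this is what the screen's automatic mask calculation does."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{addr} is not a class A, B or C unicast address")


def wlan_networks(wlan_ip: str, wlan_mask: str, aliases):
    """Networks the ZyWALL would be the gateway for: the primary WLAN address plus
    every enabled alias. aliases: (enabled, ip, mask) tuples; mask None means automatic."""
    nets = [ipaddress.ip_interface(f"{wlan_ip}/{wlan_mask}").network]
    for enabled, ip, mask in aliases:
        if not enabled:
            continue
        nets.append(ipaddress.ip_interface(f"{ip}/{mask or classful_mask(ip)}").network)
    return nets


def overlapping_pairs(nets):
    """Every pair of logical networks that overlap; an empty list means the
    configuration satisfies the note above the screen."""
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


# Constructed sample: alias 2 was mistakenly placed inside the primary WLAN subnet.
SAMPLE_WLAN = ("192.168.2.1", "255.255.255.0")
SAMPLE_ALIASES = [
    (True, "192.168.3.1", "255.255.255.0"),    # alias 1: separate /24, fine
    (True, "192.168.2.200", "255.255.255.0"),  # alias 2: same /24 as the WLAN address
    (False, "10.0.0.1", None),                 # disabled alias: ignored
]

if __name__ == "__main__":
    nets = wlan_networks(*SAMPLE_WLAN, SAMPLE_ALIASES)
    print([str(n) for n in nets])
    print(overlapping_pairs(nets))
```

An overlapping alias does not just break routing between the logical networks; any firewall rule written for one WLAN subnet will also match hosts of the other, so run this check before relying on subnet-based rules.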

10.5 WLAN Port Roles

Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface.

Ports 1 to 4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface.

Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL's wireless LAN coverage. The WLAN port role allows the ZyWALL's firewall to treat traffic from connected APs as part of the ZyWALL's WLAN. You can specify firewall rules for traffic going to or from the WLAN. The WLAN includes the ZyWALL's own WLAN and the Ethernet ports in the WLAN port role.

The following figure shows the ZyWALL with a wireless card installed and an AP connected to an Ethernet port in the WLAN port role.

Figure 86 WLAN Port Role Example

Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing that port's role:

1 A port's IP address changes with its role, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
2 Use the corresponding LAN, DMZ or WLAN IP address to access the ZyWALL.

To change your ZyWALL's port role settings, click NETWORK > WLAN > Port Roles. The screen appears as shown.

The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default.

Note: Your changes are also reflected in the LAN and/or DMZ Port Roles screen.

Figure 87 NETWORK > WLAN > Port Roles

The following table describes the labels in this screen.

Table 54 NETWORK > WLAN > Port Roles

LABEL: DESCRIPTION
LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the LAN IP address.
DMZ: Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the DMZ IP address.
WLAN: Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the WLAN IP address.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

After you change the LAN/DMZ/WLAN port roles and click Apply, wait a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.

Figure 88 NETWORK > WLAN > Port Roles: Change Complete

10.6 Wireless Security Overview

The following sections introduce different types of wireless security you can set up in the wireless network.

10.6.1 SSID

Normally, the AP acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the AP does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess.

This type of security is fairly weak, however: the SSID is still sent in the clear in the frames a client transmits when it connects, so unauthorized devices can easily learn it. In addition, unauthorized devices can still see the information that is sent in the wireless network.

10.6.2 MAC Address Filter

Every wireless client has a unique identification number, called a MAC address. A MAC address is usually written using twelve hexadecimal characters; for example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each wireless client, see the appropriate User's Guide or other documentation.

You can use the MAC address filter to tell the AP which wireless clients are allowed or not allowed to use the wireless network. If a wireless client is allowed to use the wireless network, it still has to have the correct settings (SSID, channel, and security). If a wireless client is not allowed to use the wireless network, it does not matter if it has the correct settings.

This type of security does not protect the information that is sent in the wireless network. Furthermore, MAC addresses are sent unencrypted in every frame, so an unauthorized device can read the MAC address of an authorized wireless client and then set its own interface to that address to use the wireless network.

10.6.3 User Authentication

You can make every user log in to the wireless network before they can use it. This is called user authentication. However, every wireless client in the wireless network has to support IEEE 802.1x to do this.

For wireless networks, there are two typical places to store the user names and passwords for each user.

  • In the AP: this feature is called a local user database or a local database.
  • In a RADIUS server: this is a server used in businesses more than in homes.

If your AP does not provide a local user database and if you do not have a RADIUS server, you cannot set up user names and passwords for your users.

Unauthorized devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.

Local user databases also have an additional limitation that is explained in the next section.

10.6.4 Encryption

Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message.

The types of encryption you can choose depend on the type of user authentication. (See Section 10.6.3 on page 183 for information about this.)

Table 55 Types of Encryption for Each Type of Authentication

(weakest at the top, strongest at the bottom)

NO AUTHENTICATION          RADIUS SERVER
No Security                -
Static WEP                 -
-                          802.1x + Static WEP
WPA-PSK                    WPA
WPA2-PSK or WPA2-PSK-Mix   WPA2 or WPA2-Mix

For example, if the wireless network has a RADIUS server, you can choose WPA or WPA2. If users do not log in to the wireless network, you can choose no encryption, Static WEP, WPA-PSK, or WPA2-PSK.

Usually, you should set up the strongest encryption that every wireless client in the wireless network supports. For example, suppose the AP does not have a local user database, and you do not have a RADIUS server. Therefore, there is no user authentication. Suppose the wireless network has two wireless clients. Device A only supports WEP, and device B supports WEP and WPA. Therefore, you should set up Static WEP in the wireless network.

Note: It is recommended that wireless clients use WPA-PSK, WPA, or stronger encryption. IEEE 802.1x and WEP encryption are better than none at all, but it is still possible for unauthorized devices to figure out the original information pretty quickly.

It is not possible to use WPA-PSK, WPA or stronger encryption with a local user database. In this case, it is better to set up stronger encryption with no authentication than to set up weaker encryption with the local user database.

If some wireless clients support WPA and some support WPA2, you should set up WPA2-PSK-Mix or WPA2-Mix (depending on the type of wireless network login) in the ZyWALL.

Many types of encryption use a key to protect the information in the wireless network. The longer the key, the stronger the encryption. Every wireless client in the wireless network must have the same key.
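The selection rules of this section (the strongest mode every client supports, the two columns of Table 55, the local user database restriction and the Mix modes for mixed WPA/WPA2 clients) written out as a function, as an added example that is not ZyWALL code and not from the manual. The client capability sets are constructed; a client's ability to do 802.1x is assumed whenever a login is used, as Section 10.6.3 requires.

```python
"""Mode selection per Section 10.6.4 and Table 55 (added example, not ZyWALL code)."""

# Encryption families a client may support, weakest to strongest (Table 55 order).
RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}

# Table 55 columns, indexed by the family the weakest client can do.
NO_LOGIN = {0: "No Security", 1: "Static WEP", 2: "WPA-PSK", 3: "WPA2-PSK"}
WITH_LOGIN = {0: "802.1x-Only", 1: "802.1x + Static WEP", 2: "WPA", 3: "WPA2"}

# Modes the note in this section says can be broken quickly.
WEAK_MODES = {"No Security", "Static WEP", "802.1x-Only", "802.1x + Static WEP"}


def choose_mode(auth: str, client_caps) -> str:
    """auth: 'none' (no login), 'local' (AP user database) or 'radius'.
    client_caps: one set of families per wireless client, e.g. {'wep', 'wpa'}.
    Returns the security mode to configure."""
    if auth not in ("none", "local", "radius"):
        raise ValueError(f"unknown authentication type {auth!r}")
    if not client_caps:
        raise ValueError("at least one client is needed")
    best_per_client = [max(RANK[c] for c in caps) for caps in client_caps]
    floor = min(best_per_client)          # strongest family *every* client supports
    if auth == "radius":
        table = WITH_LOGIN
    elif auth == "local" and floor <= RANK["wep"]:
        table = WITH_LOGIN                # local database only works with 802.1x/WEP
    else:
        # The local database cannot do WPA/WPA2: stronger encryption without a
        # login beats weaker encryption with one, so the login is dropped.
        table = NO_LOGIN
    if floor == RANK["wpa"] and max(best_per_client) == RANK["wpa2"]:
        return "WPA2-Mix" if table is WITH_LOGIN else "WPA2-PSK-Mix"
    return table[floor]


def is_weak(mode: str) -> bool:
    """True for the modes the note recommends against."""
    return mode in WEAK_MODES


if __name__ == "__main__":
    # The section's own example: no login, device A WEP only, device B WEP and WPA.
    print(choose_mode("none", [{"wep"}, {"wep", "wpa"}]))           # Static WEP
    print(choose_mode("local", [{"wep", "wpa"}, {"wep", "wpa"}]))   # WPA-PSK
    print(choose_mode("radius", [{"wpa"}, {"wpa", "wpa2"}]))        # WPA2-Mix
```

When the result is one of the weak modes, the practical fix is on the client side (replace or upgrade the device that only supports WEP), since the AP cannot raise the floor on its own.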

10.6.5 Additional Installation Requirements for Using 802.1x

  • A computer with an IEEE 802.11a/b/g wireless LAN card.
  • A computer equipped with a web browser (with JavaScript enabled) and/or Telnet.
  • A wireless station must be running IEEE 802.1x-compliant software. Currently, this is offered in Windows XP.
  • An optional network RADIUS server for remote user authentication and accounting.

10.7 Wireless Card

If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyWALL's new settings.

Click NETWORK > WIRELESS CARD to open the Wireless Card screen.

Figure 89 NETWORK > WIRELESS CARD

The following table describes the labels in this screen.

Table 56 NETWORK > WIRELESS CARD

LABEL: DESCRIPTION
Enable Wireless Card: The wireless LAN through a wireless LAN card is turned off by default. Before you enable it, configure some security (a security profile for the SSID, and MAC filters and/or 802.1x if you use them); otherwise the wireless LAN is open to anyone in range from the moment it is enabled. Select the check box to enable the wireless LAN.
Bridge to: Select LAN to use the wireless card as part of the LAN. Select DMZ to use the wireless card as part of the DMZ. Select WLAN to use the wireless card as part of the WLAN. The ZyWALL restarts after you change the wireless card setting. Note: If you set the wireless card to be part of the LAN or DMZ, you can still use wireless access. The firewall will treat the wireless card as part of the LAN or DMZ respectively.
802.11 Mode: Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyWALL. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyWALL. Select 802.11b+g to allow both IEEE 802.11b and IEEE 802.11g compliant WLAN devices to associate with the ZyWALL; the transmission rate of your ZyWALL might be reduced. Select 802.11a Only to allow only IEEE 802.11a compliant WLAN devices to associate with the ZyWALL.
Choose Channel ID: Set the operating frequency/channel depending on your particular region. To manually set the ZyWALL to use a channel, select a channel from the drop-down list box. To have the ZyWALL automatically select a channel, click Scan instead.
Scan: Click this button to have the ZyWALL automatically select the wireless channel with the lowest interference.
Super Mode: Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting. At the time of writing, this works only when the wireless client is using an Atheros card.
RTS/CTS Threshold: This is the threshold (number of bytes) for enabling the RTS/CTS handshake. Data with a frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Enter a value between 256 and 2346. If you select Super Mode, this field is grayed out and the ZyWALL uses 2346 automatically.
Fragmentation Threshold: This is the threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2346. If you select Super Mode, this field is grayed out and the ZyWALL uses 2346 automatically.
Output Power: Set the output power of the ZyWALL in this field. If there is a high density of APs in an area, decrease the output power to reduce interference with other APs. Select one of the following: 100% (full power), 50%, 25%, 12.5% or min (minimum). See the product specifications for more information on your ZyWALL's output power.
Enable Roaming: Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another. Select this check box to enable roaming on the ZyWALL if you have two or more ZyWALLs on the same subnet. Note: All APs on the same subnet and the wireless clients must have the same SSID to allow roaming.
Select SSID Profile: An SSID profile is the set of parameters relating to one of the ZyWALL's BSSs. The SSID (Service Set Identifier) identifies the Service Set with which a wireless client is associated. Wireless clients associating with the access point (AP) must have the same SSID. Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyWALL's new settings.
#: This field displays the index number of each SSID profile.
Active: Choose a profile to apply to your wireless network by selecting its radio button.
Name: This field displays the identification name of each SSID profile on the ZyWALL.
SSID: This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility.
Security: This field indicates which security profile is currently associated with each SSID profile. See Section 10.8 on page 188 for more information.
Action: Click the Edit icon next to the profile you want to configure and go to the SSID configuration screen. Click the Reset Default icon to clear all user-entered configuration information and return the SSID profile to its factory defaults.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

10.7.1 SSID Profile

Configure wireless network security by configuring and applying an SSID profile. You can configure multiple profiles but you can only apply one to your network.

Use the WIRELESS CARD screen to see information about the SSID profiles on the ZyWALL, and use the WIRELESS CARD > Edit screen to configure the SSID profiles.

Each SSID profile references the settings configured in the following screens:

  • WIRELESS CARD > Security (one of the security profiles).
  • AUTHSERVER > RADIUS (the RADIUS server settings).
  • WIRELESS CARD > MAC Filter (the MAC filter list, if activated in the SSID profile).

Configure the fields in the above screens to use the settings in an SSID profile.

In the Wireless Card screen, click the Edit icon next to an SSID profile to display the following screen.

Figure 90 Configuring SSID

The following table describes the labels in this screen.

Table 57 Configuring SSID

LABEL: DESCRIPTION
Name: Enter a name (up to 32 printable 7-bit ASCII characters) identifying this profile.
SSID: When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
Hide SSID: Select Disable if you want the ZyWALL to broadcast this SSID (a wireless client scanning for an AP will find this SSID). Alternatively, select Enable to have the ZyWALL hide this SSID (a wireless client scanning for an AP will not find this SSID).
Security: Select a security profile to use with this SSID profile. See Section 10.8 on page 188 for more information.
RADIUS: This displays N/A if the security profile you selected does not use RADIUS authentication. See Section 10.8 on page 188 for more information. This displays Radius Configuration if you select a security profile that uses RADIUS authentication. Click Radius Configuration to go to the RADIUS screen where you can view and/or change the RADIUS settings. See Section 16.3 on page 325 for more information.
Enable MAC Filtering: Select Enable from the drop-down list box to activate MAC address filtering.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

10.8 Configuring Wireless Security

Click NETWORK > WIRELESS CARD > Security to open the Security screen. Use this screen to create security profiles. A security profile is a group of configuration settings which can be assigned to an SSID profile in the Wireless Card screen.

The screen changes when you configure a security profile and varies according to the security modes you select.

The following table describes the security modes you can configure.

Table 58 Security Modes

SECURITY MODE: DESCRIPTION
None: Select this to have no data encryption.
WEP: Select this to use WEP encryption.
802.1x-Only: Select this to use 802.1x authentication with no data encryption.
802.1x-Static64: Select this to use 802.1x authentication with a static 64-bit WEP key and an authentication server.
802.1x-Static128: Select this to use 802.1x authentication with a static 128-bit WEP key and an authentication server.
WPA: Select this to use WPA.
WPA-PSK: Select this to use WPA with a pre-shared key.
WPA2: Select this to use WPA2.
WPA2-MIX: Select this to use either WPA2 or WPA depending on which security mode the wireless client uses.
WPA2-PSK: Select this to use WPA2 with a pre-shared key.
WPA2-PSK-MIX: Select this to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses.

Figure 91 NETWORK > WIRELESS CARD > Security

The following table describes the labels in this screen.

Table 59 NETWORK > WIRELESS CARD > Security

LABEL: DESCRIPTION
Security Profile
Index: This is the index number of the security profile.
Profile Name: This field displays a name given to a security profile in the Security configuration screen.
Security Mode: This field displays the security mode this security profile uses.
Action: Click the Edit icon to configure security settings for that profile. Click the Reset Default icon to clear all user-entered configuration information and return the security profile to its factory defaults.

10.8.1 No Security

Note: If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device within range.

Figure 92 NETWORK > WIRELESS CARD > Security: None

The following table describes the wireless LAN security labels in this screen.

Table 60 NETWORK > WIRELESS CARD > Security: None

LABEL: DESCRIPTION
Name: Type a name (up to 32 printable 7-bit ASCII characters) to identify this security profile.
Security Mode: Select None to allow wireless clients to communicate with the access points without any data encryption.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

10.8.2 Static WEP

Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data.

Your ZyWALL allows you to configure up to four 64-bit, 128-bit or 152-bit WEP keys, but only one key can be used at any one time.

In order to configure and enable WEP encryption, click NETWORK > WIRELESS CARD > Security > Edit.

Figure 93 NETWORK > WIRELESS CARD > Security: WEP

The following table describes the labels in this screen.

Table 61 NETWORK > WIRELESS CARD > Security: WEP

LABEL: DESCRIPTION
Name: Type a name to identify this security profile.
Security Mode: Select WEP from the drop-down list.
WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select 64-bit WEP, 128-bit WEP or 152-bit WEP to enable data encryption.
Authentication Method: Select Shared-Key to have the ZyWALL use the default WEP key to authenticate the wireless client to the ZyWALL. Select Auto to have the ZyWALL switch between the shared-key and open system (the wireless clients and AP do not share a secret key for authentication) modes automatically. The default setting is Auto. Shared-Key authentication adds no real protection and actually helps an eavesdropper: the challenge and its WEP-encrypted response are both visible over the air and together reveal keystream, so there is no reason to prefer it over the default.
Key 1 to Key 4: The WEP keys are used to encrypt data. Both the ZyWALL and the wireless clients must use the same WEP key for data transmission. If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 152-bit WEP in the WEP Encryption field, then enter 16 ASCII characters or 32 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. You can configure up to four keys, but only one key can be activated at any one time. The default key is key 1.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

10.8.3 IEEE 802.1x Only

Click NETWORK > WIRELESS CARD > Security > Edit. Select 8021X-Only from the Security Mode list.

Figure 94 NETWORK > WIRELESS CARD > Security: 802.1x Only

The following table describes the labels in this screen.

Table 62 NETWORK > WIRELESS CARD > Security: 802.1x Only

LABEL: DESCRIPTION
Name: Type a name to identify this security profile.
Security Mode: Select 8021X-Only from the drop-down list.
ReAuthentication Timer: Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds. If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The ZyWALL automatically disconnects a wireless client from the wireless network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again. Enter a time interval between 600 and 65535 seconds.
Authentication Databases: Click Local User to go to the Local User Database screen where you can view and/or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

10.8.4 IEEE 802.1x + Static WEP

Click NETWORK > WIRELESS CARD > Security > Edit. Select 8021X-Static64 or 8021X-Static128 in the Security Mode field to display the following screen.

Figure 95 NETWORK > WIRELESS CARD > Security: 802.1x + Static WEP

The following table describes the labels in this screen.

Table 63 NETWORK > WIRELESS CARD > Security: 802.1x + Static WEP

LABEL: DESCRIPTION
Name: Type a name to identify this security profile.
Security Mode: Select 8021X-Static64 or 8021X-Static128 from the drop-down list.
Key 1 to Key 4: If you chose 8021X-Static64 in the Security Mode field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 8021X-Static128 in the Security Mode field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless clients.
ReAuthentication Timer: Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds. If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The ZyWALL automatically disconnects a wireless client from the wireless network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again. Enter a time interval between 600 and 65535 seconds.
Authentication Databases: Click Local User to go to the Local User Database screen where you can view and/or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
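The Key 1 to Key 4 format rules of Table 61 and Table 63 (5, 13 or 16 ASCII characters, or 0x followed by twice as many hexadecimal digits) applied in Python, together with what the advertised key size actually protects. This is an added example, not ZyWALL code and not from the manual; the sample keys are constructed.

```python
"""Key 1 to Key 4 format rules from Tables 61 and 63 (added example, not ZyWALL code)."""
import re

# Secret key bytes per WEP Encryption setting: 5 ASCII / 10 hex, 13 / 26, 16 / 32.
WEP_SECRET_BYTES = {"64-bit WEP": 5, "128-bit WEP": 13, "152-bit WEP": 16}
HEX_KEY = re.compile(r"^0x([0-9A-Fa-f]+)$")   # hex keys are entered with a 0x prefix
IV_BITS = 24                                 # per-frame IV, sent in the clear


def wep_key_bytes(mode: str, key: str) -> bytes:
    """Return the raw secret for a key entry, or raise ValueError if the entry
    does not match the selected key size."""
    want = WEP_SECRET_BYTES[mode]
    m = HEX_KEY.match(key)
    if m:
        try:
            raw = bytes.fromhex(m.group(1))
        except ValueError:
            raise ValueError("hex key must have an even number of digits") from None
    else:
        if not (key.isascii() and key.isprintable()):
            raise ValueError("ASCII key must consist of printable ASCII characters")
        raw = key.encode("ascii")
    if len(raw) != want:
        raise ValueError(f"{mode} needs {want} ASCII or {2 * want} hex characters, "
                         f"got {len(raw)} bytes")
    return raw


def is_valid_wep_key(mode: str, key: str) -> bool:
    """Convenience wrapper: True if the entry would be accepted for this mode."""
    try:
        wep_key_bytes(mode, key)
        return True
    except ValueError:
        return False


def key_bits(mode: str):
    """(advertised bits, secret bits): the advertised size counts the 24-bit IV,
    so '64-bit WEP' has a 40-bit secret and '128-bit WEP' a 104-bit one."""
    secret = WEP_SECRET_BYTES[mode] * 8
    return secret + IV_BITS, secret


if __name__ == "__main__":
    print(wep_key_bytes("64-bit WEP", "0x0102030405"))    # b'\x01\x02\x03\x04\x05'
    print(wep_key_bytes("128-bit WEP", "abcdefghijklm"))  # 13 ASCII characters
    print(is_valid_wep_key("64-bit WEP", "0x0102"))       # False: too short
    print(key_bits("64-bit WEP"))                         # (64, 40)
```

Two things this makes visible: an entry that starts with 0x is always read as hexadecimal, so an ASCII key beginning with those characters cannot be entered as ASCII; and a larger key size only adds secret bits, it does not repair the WEP design weaknesses the note in Section 10.6.4 warns about.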

10.8.5 WPA, WPA2, WPA2-MIX

Click NETWORK > WIRELESS CARD > Security > Edit. Select WPA, WPA2 or WPA2-MIX from the Security Mode list.

Figure 96 NETWORK > WIRELESS CARD > Security: WPA, WPA2 or WPA2-MIX

The following table describes the labels in this screen.

Table 64 NETWORK > WIRELESS CARD > Security: WPA, WPA2 or WPA2-MIX

LABEL: DESCRIPTION
Name: Type a name to identify this security profile.
Security Mode: Select WPA, WPA2 or WPA2-MIX from the drop-down list.
ReAuthentication Timer: Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds. If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The ZyWALL automatically disconnects a wireless client from the wireless network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again. Enter a time interval between 600 and 65535 seconds.
Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA(2)-PSK mode.
PMK Cache: This field is available only when you select WPA2 or WPA2-MIX. When a wireless client moves from one AP's coverage area to another, it performs an authentication procedure (exchanging security information) with the new AP. Instead of re-authenticating a client each time it returns to the AP's coverage area, which can cause delays to time-sensitive applications, the AP and the client can store (or "cache") and use information about their previous authentication. Select Enable to allow PMK (Pairwise Master Key) caching, or Disable to switch this feature off.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

10.8.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX

Click NETWORK > WIRELESS CARD > Security > Edit. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX from the Security Mode list.

Figure 97 NETWORK > WIRELESS CARD > Security: WPA(2)-PSK

The following table describes the labels in this screen.

Table 65 NETWORK > WIRELESS CARD > Security: WPA(2)-PSK

LABEL | DESCRIPTION
Name | Type a name to identify this security profile.
Security Mode | Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX from the drop-down list.
Pre-Shared Key | The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
ReAuthentication Timer | Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds. If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout | The ZyWALL automatically disconnects a wireless client from the wireless network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again. Enter a time interval between 600 and 65535 seconds.
Group Key Update Timer | The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA(2)-PSK mode.
Apply | Click Apply to save your customized settings and exit this screen.
Cancel | Click Cancel to exit this screen without saving.
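As an added Python example (not ZyXEL code and not taken from this manual), the following checks a candidate pre-shared key against the 8 to 63 printable-ASCII limit that the Pre-Shared Key field enforces, and goes one step beyond the table by deriving the 256-bit Pairwise Master Key from it the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, with the SSID as the salt). The function names and the sample SSID and passphrases are constructed for this example.

```python
"""Added example (not ZyXEL code): WPA(2)-PSK passphrase validation and PMK
derivation (IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt).
Function names and the sample SSID/passphrases are constructed."""
import hashlib

PSK_MIN, PSK_MAX = 8, 63   # limits the Pre-Shared Key field enforces


def is_valid_psk(psk: str) -> bool:
    """True if psk is 8..63 characters of printable ASCII (0x20..0x7E), which
    admits spaces and symbols and is case-sensitive."""
    return PSK_MIN <= len(psk) <= PSK_MAX and all(0x20 <= ord(c) <= 0x7E for c in psk)


def derive_pmk(psk: str, ssid: str) -> bytes:
    """256-bit Pairwise Master Key that every station on the profile shares."""
    if not is_valid_psk(psk):
        raise ValueError("pre-shared key must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # "password" / "IEEE" is the published 802.11i test vector (constructed
    # for checking the derivation only, not a passphrase to deploy).
    print(derive_pmk("password", "IEEE").hex())
    print(is_valid_psk("correct horse battery"), is_valid_psk("short"))
```

Every station on the profile ends up with the same PMK, derived only from the passphrase and the SSID, so the guessability of the passphrase, not the choice of cipher, decides how strong WPA(2)-PSK is in practice.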

10.9 MAC Filter

The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow) or exclude specific devices from accessing the ZyWALL (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC addresses of the devices to configure this screen.

To change your ZyWALL's MAC filter settings, click NETWORK > WIRELESS CARD > MAC Filter. The screen appears as shown.

To activate MAC filtering on a profile, select Enable from the Enable MAC Filtering drop-down list box in the WIRELESS CARD > Edit screen and click Apply.

Figure 98 NETWORK > WIRELESS CARD > MAC Filter

The following table describes the labels in this menu.

Table 66 NETWORK > WIRELESS CARD > MAC Filter

LABEL | DESCRIPTION
Association | Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow to permit access to the router; MAC addresses not listed will be denied access to the router.
# | This is the index number of the MAC address.
User Name | Enter a descriptive name for the MAC address.
MAC Address | Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access to the ZyWALL in these address fields.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
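The Allow/Deny logic of this table, written out as an added Python example (not ZyXEL code): it normalises MAC addresses given in colon, hyphen or bare-hex form, rejects anything that is not six hexadecimal pairs, and applies the Association setting to a station. The class and function names, the user names and the sample addresses are constructed for this example.

```python
"""Added example (not ZyXEL code): the Allow/Deny association of the MAC filter
table, with MAC address normalisation. Names and addresses are constructed."""
import re

# six hex pairs, all separated by ":" or all by "-" or with no separator at all
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def is_valid_mac(mac: str) -> bool:
    return bool(_MAC_RE.match(mac.strip()))


def normalize_mac(mac: str) -> str:
    """Return the canonical XX:XX:XX:XX:XX:XX form (upper case) or raise ValueError."""
    if not is_valid_mac(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacFilter:
    """One wireless profile's MAC filter; Association is Allow or Deny."""

    def __init__(self, association: str, enabled: bool = True):
        if association not in ("Allow", "Deny"):
            raise ValueError("association must be Allow or Deny")
        self.association = association
        self.enabled = enabled      # Enable MAC Filtering on the WIRELESS CARD > Edit screen
        self.entries = {}           # canonical MAC -> User Name

    def add(self, user_name: str, mac: str) -> None:
        self.entries[normalize_mac(mac)] = user_name

    def permits(self, mac: str) -> bool:
        """Allow: only listed stations get in. Deny: listed stations are blocked
        and everything else gets in. A disabled filter admits every station."""
        if not self.enabled:
            return True
        listed = normalize_mac(mac) in self.entries
        return listed if self.association == "Allow" else not listed


if __name__ == "__main__":
    allow = MacFilter("Allow")
    allow.add("ceo-laptop", "00:A0:C5:00:00:02")      # constructed sample address
    print(allow.permits("00-a0-c5-00-00-02"), allow.permits("00:A0:C5:00:00:03"))
```

The filter keys on the MAC address a station presents, so it is an access list layered under the security profile rather than an authentication step; the WPA(2) settings on the profile still do that work.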

PART III

Security

Firewall (201)

Content Filtering Screens (231)

Content Filtering Reports (249)

IPSec VPN (257)

Certificates (297)

Authentication Server (323)

Firewall

This chapter shows you how to configure your ZyWALL's firewall.

11.1 Firewall Overview

In networking, a firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network.

The ZyWALL physically separates the LAN, DMZ, WLAN and the WAN and acts as a secure gateway for all data passing between the networks. The ZyWALL protects against Denial of Service (DoS) attacks, prevents theft, destruction and modification of data, and logs events.

Enable the firewall to protect your LAN computers from attacks by hackers on the Internet and control access between the LAN, DMZ, WLAN and WAN. By default the firewall:

  • allows traffic that originates from your LAN computers to go to all of the networks.
  • blocks traffic that originates on the other networks from going to the LAN.
  • allows traffic that originates on the WLAN to go to the WAN.
  • allows traffic that originates on the WAN to go to the DMZ and protects your DMZ computers against DoS attacks.
  • allows VPN traffic between any of the networks.

The following figure illustrates the default firewall action. User A can initiate an IM (Instant Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However other traffic initiated from the WAN is blocked (3 and 4).

Figure 99 Default Firewall Action

Your customized rules take precedence and override the ZyWALL's default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.

11.2 Packet Direction Matrix

The ZyWALL's packet direction matrix allows you to apply certain security settings (like firewall, IDP, anti-virus and anti-spam) to traffic flowing in specific directions.

For example, click SECURITY > FIREWALL to open the following screen. This screen configures general firewall settings.

Figure 100 SECURITY > FIREWALL > Default Rule (Router Mode)

Packets have a source and a destination. The packet direction matrix in the lower part of the screen sets what the ZyWALL does with packets traveling in a specific direction that do not match any of the firewall rules.

From | To
A specific interface or any of the ZyWALL's VPN connections | A specific interface or any of the ZyWALL's VPN connections

To have the ZyWALL silently block traffic from WAN 1 to the DMZ interface by default, find where the From WAN1 row and the To DMZ column intersect and set that field to Drop, as shown.

Figure 101 Default Block Traffic From WAN1 to DMZ Example

11.3 Packet Direction Examples

Firewall rules are grouped based on the direction of travel of packets to which they apply. This section gives some examples of why you might configure firewall rules for specific connection directions.

By default, the ZyWALL allows packets traveling in the following directions:

  • LAN to LAN: These rules specify which computers on the LAN can manage the ZyWALL (remote management) and communicate between networks or subnets connected to the LAN interface (IP alias).

You can also configure the remote management settings to allow only a specific computer to manage the ZyWALL.

  • LAN to WAN 1: These rules specify which computers on the LAN can access which computers or services connected to WAN 1. See Section 11.5 on page 209 for an example.

By default, the ZyWALL drops packets traveling in the following directions.

  • WAN 1 to LAN

These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to:

  • Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
  • Allow public access to a Web server on your protected network. You could also block certain IP addresses from accessing it.

You also need to configure NAT port forwarding (or full featured NAT address mapping rules) to allow computers on the WAN to access devices on the LAN. See Section 17.5.3 on page 340 for an example.

  • WAN to WAN

By default the ZyWALL stops computers connected to WAN1 or WAN2 from managing the ZyWALL or using the ZyWALL as a gateway to communicate with other computers on the WAN. You could configure one of these rules to allow a WAN computer to manage the ZyWALL.

You also need to configure the remote management settings to allow a WAN computer to manage the ZyWALL.

See Chapter 4 on page 95 for information about packets traveling to or from the VPN tunnels.

11.3.1 To VPN Packet Direction

The ZyWALL can apply firewall rules to traffic before encrypting it to send through a VPN tunnel. To VPN means traffic that comes in through the selected "from" interface and goes out through any of the ZyWALL's VPN tunnels. For example, From LAN To VPN specifies the traffic that is coming from the LAN and going out through any of the ZyWALL's VPN tunnels.

For example, by default the From LAN To VPN default firewall rule allows traffic from the LAN computers to go out through any of the ZyWALL's VPN tunnels. You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the DMZ computers from going out through any of the ZyWALL's VPN tunnels.

Figure 102 From LAN to VPN Example

In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows.

Figure 103 Block DMZ to VPN Traffic by Default Example

11.3.2 From VPN Packet Direction

You can also apply firewall rules to traffic that comes in through the ZyWALL's VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected "to" interface.

For example, by default the firewall allows traffic from any VPN tunnel to go to any of the ZyWALL's interfaces, the ZyWALL itself and other VPN tunnels. You could edit the From VPN To LAN default firewall rule to silently block traffic from the VPN tunnels from going to the LAN computers.

Figure 104 From VPN to LAN Example

In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows.

Figure 105 Block VPN to LAN Traffic by Default Example

11.3.3 From VPN To VPN Packet Direction

From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL's VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL's VPN tunnels (this is called hub-and-spoke VPN, see Section 14.19 on page 294 for details). The ZyWALL decrypts the traffic and applies the firewall rules before re-encrypting it or allowing the traffic to terminate at the ZyWALL.

In the following example, the From VPN To VPN default firewall rule silently blocks the traffic that the ZyWALL receives from any VPN tunnel (either A or B) that is destined for the other VPN tunnel or the ZyWALL itself. VPN traffic destined for the DMZ is allowed through.

Figure 106 From VPN to VPN Example

You would configure the SECURITY > FIREWALL > Default Rule screen as follows.

Figure 107 Block VPN to VPN Traffic by Default Example

11.4 Security Considerations

Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.

Consider these security ramifications before creating a rule:

1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers running FTP servers.
4 Does this rule conflict with any existing rules?

Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the web configurator screens.

11.5 Firewall Rules Example

Suppose that your company decides to block all of the LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule.

Figure 108 Blocking All LAN to WAN IRC Traffic Example

Your firewall would have the following configuration.

Table 67 Blocking All LAN to WAN IRC Traffic Example

# | SOURCE | DESTINATION | SCHEDULE | SERVICE | ACTION
1 | Any | Any | Any | IRC | Drop
Default | Any | Any | Any | Any | Allow
  • The first row blocks LAN access to the IRC service on the WAN.
  • The second row is the firewall's default policy that allows all traffic from the LAN to go to the WAN.

The ZyWALL applies the firewall rules in order. So for this example, when the ZyWALL receives traffic from the LAN, it checks it against the first rule. If the traffic matches (if it is IRC traffic) the firewall takes the action in the rule (drop) and stops checking the firewall rules. Any traffic that does not match the first firewall rule will match the default rule and the ZyWALL forwards it.

Now suppose that your company wants to let the CEO use IRC. You can configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer. To make sure that the CEO's computer always uses the same IP address, do one of the following:

  • give it a static IP address, or
  • configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see Section 6.8 on page 119 for information on static DHCP).

Now you configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of your two custom rules.

Figure 109 Limited LAN to WAN IRC Traffic Example

Your firewall would have the following configuration.

Table 68 Limited LAN to WAN IRC Traffic Example

# | SOURCE | DESTINATION | SCHEDULE | SERVICE | ACTION
1 | 192.168.1.7 | Any | Any | IRC | Allow
2 | Any | Any | Any | IRC | Drop
Default | Any | Any | Any | Any | Allow
  • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN.
  • The second row blocks LAN access to the IRC service on the WAN.
  • The third row is (still) the firewall's default policy of allowing all traffic from the LAN to go to the WAN.

The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic. If the rule that blocks all LAN to WAN IRC traffic came first, the CEO's IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules.
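As an added Python example (not ZyXEL code), the following models the packet direction matrix of Section 11.2 together with the ordered, first-match rule evaluation of this section: a per-direction default action for packets that match no rule, Insert and Move with the index semantics of the Rule Summary screen, and the Any, Single, Range and Subnet address types of the Edit screen. It rebuilds Tables 67 and 68 and reproduces the mis-ordering warned about above. The rule names, direction labels, class names and sample IP addresses are constructed for this example.

```python
"""Added example (not ZyXEL code): per-direction default actions (Section 11.2)
in front of ordered, first-match firewall rules (Sections 11.5 and 11.9).
Rule names, direction labels and addresses are constructed samples."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: tuple          # (from, to), e.g. ("LAN", "WAN1")
    service: str              # "IRC", "HTTP", ... or "Any"
    action: str               # "Permit", "Drop" or "Reject"
    source: str = "Any"       # Any, a single IP, an "a - b" range or a CIDR subnet
    destination: str = "Any"


def addr_matches(spec: str, ip: str) -> bool:
    """Address Type semantics of the Edit screen: Any, Single, Range, Subnet.
    A blank address means Any, as the Rule Summary screen notes."""
    if spec.strip() in ("", "Any"):
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:
        return addr in ipaddress.ip_network(spec.strip(), strict=False)
    return addr == ipaddress.ip_address(spec.strip())


class Firewall:
    def __init__(self, default_matrix: dict):
        # (from, to) -> action for packets that match none of the rules
        self.default_matrix = default_matrix
        self.rules = []       # ordered list of Rule; rule number 1 is checked first

    def insert(self, index: int, rule: Rule) -> None:
        """Insert semantics: the new rule takes this number, later rules shift down."""
        self.rules.insert(index - 1, rule)

    def move(self, index: int, new_index: int) -> None:
        """Move semantics: relocate the rule at index to new_index."""
        self.rules.insert(new_index - 1, self.rules.pop(index - 1))

    def evaluate(self, direction: tuple, src: str, dst: str, service: str):
        """Return (action, rule name). The first matching rule wins and no later
        rule is consulted; otherwise the direction's default action applies."""
        for rule in self.rules:
            if rule.direction != direction or rule.service not in ("Any", service):
                continue
            if addr_matches(rule.source, src) and addr_matches(rule.destination, dst):
                return rule.action, rule.name
        return self.default_matrix.get(direction, "Drop"), "Default"


def build_example(ceo_first: bool = True) -> Firewall:
    """Tables 67 and 68. ceo_first=False reproduces the mis-ordering the text warns about."""
    fw = Firewall({("LAN", "WAN1"): "Permit",    # default LAN to WAN: allow
                   ("WAN1", "LAN"): "Drop",      # default WAN to LAN: drop
                   ("WAN1", "DMZ"): "Permit"})
    fw.insert(1, Rule("Block-IRC", ("LAN", "WAN1"), "IRC", "Drop"))
    ceo = Rule("CEO-IRC", ("LAN", "WAN1"), "IRC", "Permit", source="192.168.1.7")
    fw.insert(1 if ceo_first else 2, ceo)
    return fw


if __name__ == "__main__":
    fw = build_example()
    for src, svc in (("192.168.1.7", "IRC"), ("192.168.1.20", "IRC"), ("192.168.1.20", "HTTP")):
        print(src, svc, fw.evaluate(("LAN", "WAN1"), src, "203.0.113.5", svc))
```

With the rules in the wrong order, `build_example(ceo_first=False)` drops the CEO's IRC traffic at rule 1 exactly as the text describes, and `move(2, 1)` is the Rule Summary operation that repairs it.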

11.6 Asymmetrical Routes

If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.

You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection).

Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use IP alias to put the ZyWALL and the backup gateway on separate subnets.

11.6.1 Asymmetrical Routes and IP Alias

You can use IP alias instead of allowing asymmetrical routes. IP alias allows you to partition your network into logical sections over the same interface.

By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyWALL to your LAN. The following steps describe such a scenario.

1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The ZyWALL reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyWALL.
4 The ZyWALL then sends it to the computer on the LAN in Subnet 1.

Figure 110 Using IP Alias to Solve the Triangle Route Problem

11.7 Firewall Default Rule (Router Mode)

Click SECURITY > FIREWALL to open the Default Rule screen.

Use this screen to configure general firewall settings when the ZyWALL is set to router mode.

Figure 111 SECURITY > FIREWALL > Default Rule (Router Mode)

The following table describes the labels in this screen.

Table 69 SECURITY > FIREWALL > Default Rule (Router Mode)

LABEL | DESCRIPTION
Enable Firewall | Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Allow Asymmetrical Route | If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged. Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection). Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use IP alias to put the ZyWALL and the backup gateway on separate subnets. See Section 11.6.1 on page 211 for an example.
From, To | Set the firewall's default actions based on the direction of travel of packets. Here are some example descriptions of the directions of travel. From LAN To LAN means packets traveling from a computer on one LAN subnet to a computer on another LAN subnet on the LAN interface of the ZyWALL, or to the ZyWALL itself. The ZyWALL does not apply the firewall to packets traveling from a LAN computer to another LAN computer on the same subnet. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected "to" interface. For example, From VPN To LAN specifies the VPN traffic that is going to the LAN. The ZyWALL applies the firewall to the traffic after decrypting it. To VPN is traffic that comes in through the selected "from" interface and goes out through any VPN tunnel. For example, From LAN To VPN specifies the traffic that is coming from the LAN and going out through a VPN tunnel. The ZyWALL applies the firewall to the traffic before encrypting it. From VPN To VPN means traffic that comes in through a VPN tunnel and goes out through (another) VPN tunnel or terminates at the ZyWALL. This is the case when the ZyWALL is the hub in a hub-and-spoke VPN. This is also the case if you allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. The ZyWALL applies the firewall to the traffic after decrypting it. Note: The VPN connection directions apply to the traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). Here are the default actions from which you can select. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender. Select Permit to allow the passage of the packets. The firewall rules for the WAN port with a higher route priority also apply to the dial backup connection.
Log | Select the check box next to a direction of packet travel to create a log when the above action is taken for packets that are traveling in that direction and do not match any of your customized rules.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

11.8 Firewall Default Rule (Bridge Mode)

Click SECURITY > FIREWALL to open the Default Rule screen.

Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode. See Section 11.1 on page 201 for more information about the firewall.

Figure 112 SECURITY > FIREWALL > Default Rule (Bridge Mode)

The following table describes the labels in this screen.

Table 70 SECURITY > FIREWALL > Default Rule (Bridge Mode)

LABEL | DESCRIPTION
Enable Firewall | Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
From, To | Set the firewall's default actions based on the direction of travel of packets. Here are some example descriptions of the directions of travel. From LAN To LAN means packets traveling from a computer on one LAN subnet to a computer on another LAN subnet on the LAN interface of the ZyWALL, or to the ZyWALL itself. The ZyWALL does not apply the firewall to packets traveling from a LAN computer to another LAN computer on the same subnet. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected "to" interface. For example, From VPN To LAN specifies the VPN traffic that is going to the LAN. The ZyWALL applies the firewall to the traffic after decrypting it. To VPN is traffic that comes in through the selected "from" interface and goes out through any VPN tunnel. For example, From LAN To VPN specifies the traffic that is coming from the LAN and going out through a VPN tunnel. The ZyWALL applies the firewall to the traffic before encrypting it. From VPN To VPN means traffic that comes in through a VPN tunnel and goes out through (another) VPN tunnel or terminates at the ZyWALL. This is the case when the ZyWALL is the hub in a hub-and-spoke VPN. This is also the case if you allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. The ZyWALL applies the firewall to the traffic after decrypting it. Note: The VPN connection directions apply to the traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). Here are the default actions from which you can select. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender. Select Permit to allow the passage of the packets.
Log | Select this to create a log when the above action is taken.
Log Broadcast Frame | Select this to create a log for any broadcast frames traveling in the selected direction. Many of these logs in a short time period could indicate a broadcast storm. A broadcast storm occurs when a packet triggers multiple responses from all hosts on a network or when computers attempt to respond to a host that never replies. As a result, duplicated packets are continuously created and circulated in the network, thus reducing network performance or even rendering it inoperable. A broadcast storm can be caused by an attack on the network, an incorrect network topology (such as a bridge loop) or a malfunctioning network device.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

11.9 Firewall Rule Summary

Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules.

The ordering of your rules is very important as rules are applied in the order that they are listed.

See Section 11.1 on page 201 for more information about the firewall.

Figure 113 SECURITY > FIREWALL > Rule Summary

The following table describes the labels in this screen.

Table 71 SECURITY > FIREWALL > Rule Summary

LABEL | DESCRIPTION
Firewall Rules Storage Space in Use | This bar displays the percentage of the ZyWALL's firewall rules storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting unnecessary firewall rules before adding more firewall rules.
Packet Direction | Use the drop-down list box to select a direction of travel of packets for which you want to configure firewall rules. Note: The VPN connection directions apply to the traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic).
Default Policy | This field displays the default action and log policy you selected in the Default Rule screen for the packet direction shown in the field above.
The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above.
# | This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click + to expand or - to collapse the Source Address, Destination Address and Service Type drop-down lists.
Name | This is the name of the firewall rule.
Active | This field displays whether the firewall rule is turned on (Y) or not (N).
Source Address | This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Destination Address | This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Service Type | This drop-down list box displays the services to which this firewall rule applies. See Appendix F on page 671 for a list of common services.
Action | This field displays whether the firewall silently discards packets (Drop), discards packets and sends a TCP reset packet or an ICMP destination-unreachable message to the sender (Reject) or allows the passage of packets (Permit).
Sch. | This field tells you whether a schedule is specified (Yes) or not (No).
Log | This field shows you whether a log is created when packets match this rule (Yes) or not (No).
Modify | Click the edit icon to go to the screen where you can edit the rule. Click the delete icon to delete an existing firewall rule. A window displays asking you to confirm that you want to delete the firewall rule. Note that subsequent firewall rules move up by one when you take this action.
Insert | Type the index number for where you want to put a rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. Click Insert to display the Firewall Edit Rule screen, and refer to the following table for information on its fields.
Move | Type a rule's index number and the number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.

11.9.1 Firewall Edit Rule

Follow these directions to create a new rule.

1 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
2 Click Insert to display the Firewall Edit Rule screen.

Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels.

See Section 11.1 on page 201 for more information about the firewall.

Figure 114 SECURITY > FIREWALL > Rule Summary > Edit

The following table describes the labels in this screen.

Table 72 SECURITY > FIREWALL > Rule Summary > Edit

LABEL | DESCRIPTION
Rule Name | Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.
Edit Source/Destination Address
Address Type | Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
Start IP Address | Enter the single IP address or the starting IP address in a range here.
End IP Address | Enter the ending IP address in a range here.
Subnet Mask | Enter the subnet mask here, if applicable.
Add | Click Add to add a new address to the Source or Destination Address(es) box. You can add multiple addresses, ranges of addresses, and/or subnets.
Modify | To edit an existing source or destination address, select it from the box and click Modify.
Delete | Highlight an existing source or destination address from the Source or Destination Address(es) box above and click Delete to remove it.
Edit Service
Available/Selected Services | Highlight a service from the Available Services box on the left, then click >> to add it to the Selected Service(s) box on the right. To remove a service, highlight it in the Selected Service(s) box on the right, then click <<. Next to the name of a service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type.) For example, look at the DNS entry: (UDP/TCP:53) means UDP port 53 and TCP port 53. Click the Service link to go to the Service screen where you can configure custom service ports. See Appendix F on page 671 for a list of commonly used services and port numbers. You can use the [CTRL] key and select multiple services at once.
Edit Schedule
Day to Apply | Select everyday or the day(s) of the week to apply the rule.
Time of Day to Apply (24-Hour Format) | Select All Day or enter the start and end times in the hour-minute format to apply the rule.
Actions When Matched
Log Packet Information When Matched | This field determines if a log for packets that match the rule is created (Yes) or not (No). Go to the Log Settings page and select the Access Control logs category to have the ZyWALL record these logs.
Send Alert Message to Administrator When Matched | Select the check box to have the ZyWALL generate an alert when the rule is matched.
Action for Matched Packets | Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender. Select Permit to allow the passage of the packets. Note: You also need to configure NAT port forwarding (or full featured NAT address mapping rules) if you want to allow computers on the WAN to access devices on the LAN. Note: You may also need to configure the remote management settings if you want to allow a WAN computer to manage the ZyWALL or restrict management from the LAN.
Apply | Click Apply to save your customized settings and exit this screen.
Cancel | Click Cancel to exit this screen without saving.

11.10 Anti-Probing

Click SECURITY > FIREWALL > Anti-Probing to open the following screen. Configure this screen to help keep the ZyWALL hidden from probing attempts. You can specify which of the ZyWALL's interfaces will respond to Ping requests and whether or not the ZyWALL is to respond to probing for unused ports.

Figure 115 SECURITY > FIREWALL > Anti-Probing

The following table describes the labels in this screen.

Table 73 SECURITY > FIREWALL > Anti-Probing

LABEL | DESCRIPTION
Respond to PING on | Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface's check box to have the ZyWALL not respond to any Ping requests that come into that interface.
Do not respond to requests for unauthorized services. | Select this option to prevent hackers from finding the ZyWALL by probing for unused ports. If you select this option, the ZyWALL will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyWALL unseen. If this option is not selected, the ZyWALL will reply with an ICMP port unreachable packet for a port probe on its unused UDP ports and a TCP reset packet for a port probe on its unused TCP ports. Note that the probing packets must first traverse the ZyWALL's firewall rule checks before reaching this anti-probing mechanism. Therefore, if a firewall rule stops a probing packet, the ZyWALL reacts based on the firewall rule to either send a TCP reset packet for a blocked TCP packet (or an ICMP port-unreachable packet for blocked UDP packets) or just drop the packets without sending a response packet.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

11.11 Firewall Thresholds

To defend against DoS attacks, the ZyWALL uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions.

For TCP, half-open means that the session has not reached the established state: the TCP three-way handshake has not yet been completed. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet together with its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.

Figure 116 Three-Way Handshake

For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DoS attack.

11.11.1 Threshold Values

If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorded in the logs or the logs show that the ZyWALL is classifying normal traffic as DoS attacks. Factors influencing choices for threshold values are:

1 The maximum number of opened sessions.
2 The minimum capacity of server backlog in your LAN network.
3 The CPU power of servers in your LAN network.
4 Network bandwidth.
5 Type of traffic for certain servers.

Reduce the threshold values if your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy).

If you often use P2P applications such as file sharing with eMule or eDonkey, it is recommended that you increase the threshold values, since many sessions will be established within a short period of time and the ZyWALL may classify them as DoS attacks.

11.12 Threshold Screen

Click SECURITY > FIREWALL > Threshold to bring up the next screen. The global values specified for the threshold and timeout apply to all TCP connections.

Figure 117 SECURITY > FIREWALL > Threshold

The following table describes the labels in this screen.

Table 74 SECURITY > FIREWALL > Threshold

LABEL: DESCRIPTION
Disable DoS Attack Protection on: Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL not to use the Denial of Service protection thresholds. This disables DoS protection on the selected interface (or all VPN tunnels). You may want to disable DoS protection for an interface if the ZyWALL is treating valid traffic as DoS attacks. Another option would be to raise the thresholds.
Denial of Service Thresholds: The ZyWALL measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
One Minute Low: This is the rate of new half-open sessions per minute that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open sessions as necessary until the rate of new connection attempts drops below this number.
One Minute High: This is the rate of new half-open sessions per minute that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts. For example, if you set the one minute high to 100, the ZyWALL starts deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute. It stops deleting half-open sessions when the number of session establishment attempts detected in a minute goes below the number set as the one minute low.
Maximum Incomplete Low: This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open sessions as necessary until the number of existing half-open sessions drops below this number.
Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High lower than the current Maximum Incomplete Low number. For example, if you set the maximum incomplete high to 100, the ZyWALL starts deleting half-open sessions when the number of existing half-open sessions rises above 100. It stops deleting half-open sessions when the number of existing half-open sessions drops below the number set as the maximum incomplete low.
TCP Maximum Incomplete: An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against that host. Specify the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that destination host IP address. Enter a number between 1 and 256. As a general rule, choose a smaller number for a smaller network, a slower system or limited bandwidth. The ZyWALL sends alerts whenever the TCP Maximum Incomplete is exceeded.
Action taken when TCP Maximum Incomplete reached threshold: Select the action that the ZyWALL should take when the TCP maximum incomplete threshold is reached. You can have the ZyWALL either delete the oldest half-open session when a new connection request comes, or deny new connection requests for the number of minutes that you specify (between 1 and 256).
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
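The following is an added example, not ZyXEL's implementation, that models the threshold behaviour described in Table 74 so the two high/low hysteresis pairs and the per-host TCP limit can be watched working on a stream of constructed connection attempts. The evaluation points are a simplification: One Minute High is applied as soon as the attempt count in the current minute exceeds it, One Minute Low at the end of each minute, and the session chosen for deletion is always the oldest half-open one; the ZyWALL's exact sampling and selection are not specified on this page and are assumed here.

```python
"""Half-open session bookkeeping with ZyWALL-style high/low hysteresis (added example, not ZyXEL code)."""
from dataclasses import dataclass


@dataclass
class Thresholds:
    """Values from SECURITY > FIREWALL > Threshold. The numbers used in the test are made up."""
    one_minute_low: int
    one_minute_high: int
    max_incomplete_low: int
    max_incomplete_high: int
    tcp_max_incomplete: int       # 1 to 256 per the manual
    deny_minutes: int = 0         # 0: delete oldest half-open to that host; >0: deny new requests for N minutes


class HalfOpenTracker:
    def __init__(self, th):
        self.th = th
        self.half_open = []           # [(session_id, proto, dst_ip)], oldest first
        self.attempts_this_minute = 0
        self.minute = 0
        self.rate_deleting = False    # set by One Minute High, cleared by One Minute Low
        self.count_deleting = False   # set by Maximum Incomplete High, cleared by Maximum Incomplete Low
        self.deny_until = {}          # dst_ip -> minute index until which new TCP requests are denied
        self.alerts = []              # (minute, dst_ip) whenever TCP Maximum Incomplete is exceeded

    def ids(self):
        return [sid for sid, _, _ in self.half_open]

    def _tcp_to(self, dst):
        return [i for i, (_, p, d) in enumerate(self.half_open) if p == "tcp" and d == dst]

    def new_attempt(self, session_id, proto, dst):
        """A TCP SYN, or a UDP datagram with no return traffic yet, arrives. Returns 'accepted' or 'denied'."""
        self.attempts_this_minute += 1
        if self.attempts_this_minute > self.th.one_minute_high:
            self.rate_deleting = True
        n = len(self.half_open)
        if n > self.th.max_incomplete_high:
            self.count_deleting = True
        elif n < self.th.max_incomplete_low:
            self.count_deleting = False
        if (self.rate_deleting or self.count_deleting) and self.half_open:
            self.half_open.pop(0)     # make room by dropping the oldest half-open session (assumed policy)
        if proto == "tcp":
            if self.deny_until.get(dst, 0) > self.minute:
                return "denied"
            if len(self._tcp_to(dst)) >= self.th.tcp_max_incomplete:
                self.alerts.append((self.minute, dst))
                if self.th.deny_minutes > 0:
                    self.deny_until[dst] = self.minute + self.th.deny_minutes
                    return "denied"
                del self.half_open[self._tcp_to(dst)[0]]   # oldest half-open TCP session to this host
        self.half_open.append((session_id, proto, dst))
        return "accepted"

    def complete(self, session_id):
        """Handshake finished (TCP) or return traffic seen (UDP): the session is no longer half-open."""
        self.half_open = [s for s in self.half_open if s[0] != session_id]

    def end_of_minute(self):
        """The once-a-minute measurement: apply One Minute Low and advance the clock. Returns the minute's rate."""
        rate = self.attempts_this_minute
        if rate < self.th.one_minute_low:
            self.rate_deleting = False
        self.attempts_this_minute = 0
        self.minute += 1
        return rate
```

Note that deletion alone never brings the count below Maximum Incomplete Low: it only makes room for the next request, and the count falls when sessions complete or age out. That is why a tuning mistake shows up as legitimate connections being dropped rather than as a clean recovery, which is the symptom the section above tells you to look for in the logs.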

11.13 Service

Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL.

See Section 11.1 on page 201 for more information about the firewall.

Figure 118 SECURITY > FIREWALL > Service

The following table describes the labels in this screen.

Table 75 SECURITY > FIREWALL > Service

LABEL: DESCRIPTION
Custom Service: This table shows all configured custom services.
#: This is the index number of the custom service.
Service Name: This is the name of the service.
Protocol: This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered.
Attribute: This is the IP port number or ICMP type and code that defines the service.
Modify: Click the edit icon to go to the screen where you can edit the service. Click the delete icon to remove an existing service. A window displays asking you to confirm that you want to delete the service. Note that subsequent services move up by one when you take this action.
Add: Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services.
Predefined Service: This table shows all the services that are already configured for use in firewall rules. See Appendix F on page 671 for a list of common services.
#: This is the index number of the predefined service.
Service Name: This is the name of the service.
Protocol: This is the IP protocol type. There may be more than one IP protocol type.
Attribute: This is the IP port number or ICMP type and code that defines the service.

11.13.1 Firewall Edit Custom Service

Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyWALL. See Appendix F on page 671 in the user's guide appendices for a list of commonly used services and port numbers.

See Section 11.1 on page 201 for more information about the firewall.

Figure 119 Firewall Edit Custom Service

The following table describes the labels in this screen.

Table 76 SECURITY > FIREWALL > Service > Add

LABEL: DESCRIPTION
Service Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the custom service. You cannot use the "(" character. Spaces are allowed.
IP Protocol: Choose the IP protocol (TCP, UDP, TCP/UDP, ICMP or Custom) that defines your customized service from the drop-down list box. If you select Custom, specify the protocol's number. For example, ICMP is 1, TCP is 6, UDP is 17 and so on.
Port Range: Enter the port number (from 1 to 65535) that defines the customized service. To specify one port only, enter the port number in the From field and enter it again in the To field. To specify a span of ports, enter the first port in the From field and the last port in the To field. Keep the span as narrow as the application needs; a wide range in a Permit rule opens every port in it.
Type/Code: This field is available only when you select ICMP in the IP Protocol field. ICMP messages are identified by their types and, in some cases, codes. Enter the type number in the Type field; to match a specific code as well, select the Code radio button and enter the code number.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

11.14 My Service Firewall Rule Example

The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.

1 In the Service screen, click Add to open the Edit Custom Service screen.

Figure 120 My Service Firewall Rule Example: Service

2 Configure it as follows and click Apply.

Figure 121 My Service Firewall Rule Example: Edit Custom Service

3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list box.
4 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
5 Click Insert to display the firewall rule configuration screen.

Figure 122 My Service Firewall Rule Example: Rule Summary

6 Enter the name of the firewall rule.
7 Select Any in the Destination Address(es) box and then click Delete.
8 Configure the destination address fields as follows and click Add.

Figure 123 My Service Firewall Rule Example: Rule Edit
9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done.


Custom services show up with an * before their names in the Services list box and the Rule Summary list box.

Figure 124 My Service Firewall Rule Example: Rule Configuration

Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.

Figure 125 My Service Firewall Rule Example: Rule Summary
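Putting Section 11.10 and the My Service example together, here is an added example (not code from ZyXEL or from the ZyWALL) that models the order this chapter describes: firewall rules are evaluated first, and anti-probing only affects packets that the rules permit and that are addressed to an unused port on the ZyWALL itself. The My Service port (1234), the ZyWALL's WAN address, the ports the ZyWALL itself listens on, and the "WAN/ZyWALL" name for the direction of packets addressed to the ZyWALL are assumptions; the 10.0.0.10 to 10.0.0.15 destination range is the one from the example above.

```python
"""Added example: rule check first, anti-probing second, and what a port scanner sees (not ZyXEL code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Service:
    """A predefined or custom service: protocol plus port range, or ICMP type/code."""
    name: str
    proto: str                        # "tcp", "udp", "tcp/udp" or "icmp"
    port_from: int = 0
    port_to: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None   # None: any code

    def matches(self, pkt):
        if self.proto == "icmp":
            return (pkt["proto"] == "icmp" and pkt.get("type") == self.icmp_type
                    and (self.icmp_code is None or pkt.get("code") == self.icmp_code))
        return pkt["proto"] in self.proto.split("/") and self.port_from <= pkt["dport"] <= self.port_to


def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi) for lo, hi in ranges)


@dataclass
class Rule:
    name: str
    direction: tuple                  # (from, to), e.g. ("WAN", "LAN")
    services: list
    action: str                       # "permit", "drop" or "reject"
    dst_ranges: list = field(default_factory=list)   # [(first, last)]; empty means Any

    def matches(self, pkt):
        return ((pkt["from"], pkt["to"]) == self.direction
                and (not self.dst_ranges or in_ranges(pkt["dst"], self.dst_ranges))
                and any(s.matches(pkt) for s in self.services))


class ZyWallModel:
    def __init__(self, rules, defaults, own_ips, open_ports, anti_probe):
        self.rules = rules                  # Rule Summary order; first match wins
        self.defaults = defaults            # direction -> action when no rule matches
        self.own_ips = set(own_ips)         # the ZyWALL's own interface addresses (assumed)
        self.open_ports = set(open_ports)   # (proto, port) the ZyWALL itself serves (assumed)
        self.anti_probe = anti_probe        # "Do not respond to requests for unauthorized services"

    def rule_action(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.defaults[(pkt["from"], pkt["to"])], "default policy"

    @staticmethod
    def _refusal(pkt):
        return "RST" if pkt["proto"] == "tcp" else "ICMP port unreachable"

    def reply(self, pkt):
        """What the sender gets back; None means silence."""
        action, _ = self.rule_action(pkt)            # 1. firewall rules run first
        if action == "drop":
            return None
        if action == "reject":
            return self._refusal(pkt)                # a Reject rule answers even with anti-probing on
        if pkt["dst"] not in self.own_ips:
            return "forwarded"                       # routed on (after NAT); the LAN host answers, not the ZyWALL
        if (pkt["proto"], pkt["dport"]) in self.open_ports:
            return "SYN-ACK" if pkt["proto"] == "tcp" else "application reply"
        return None if self.anti_probe else self._refusal(pkt)   # 2. anti-probing for an unused port


def scanner_view(proto, reply):
    """How a port scanner classifies a probe sent to the ZyWALL itself from the reply it gets."""
    if proto == "tcp":
        return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")
    return {"application reply": "open", "ICMP port unreachable": "closed"}.get(reply, "open|filtered")


# Constructed configuration mirroring the My Service example (port number assumed).
MY_SERVICE = Service("My Service", "tcp", 1234, 1234)
RULES = [Rule("My Service", ("WAN", "LAN"), [MY_SERVICE], "permit", [("10.0.0.10", "10.0.0.15")])]
WAN_IP = "203.0.113.1"


def make_zywall(to_zywall_default="drop", anti_probe=False):
    defaults = {("WAN", "LAN"): "drop", ("WAN", "WAN/ZyWALL"): to_zywall_default}
    return ZyWallModel(RULES, defaults, [WAN_IP], [("udp", 500), ("tcp", 443)], anti_probe)


def probe(zw, to_zone, dst, proto, dport):
    pkt = {"from": "WAN", "to": to_zone, "src": "198.51.100.7", "dst": dst, "proto": proto, "dport": dport}
    return zw.reply(pkt)
```

Two outcomes are worth checking against your own configuration: a Drop default policy for packets addressed to the ZyWALL hides the device before anti-probing is ever consulted, and a Reject rule still sends a TCP reset or ICMP port unreachable with anti-probing enabled, so the scanner reads "closed" rather than "filtered".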

Content Filtering Screens

This chapter provides an overview of content filtering.

12.1 Content Filtering Overview

Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites. With content filtering, you can do the following:

12.1.1 Restrict Web Features

The ZyWALL can block web features such as ActiveX controls, Java applets, cookies and disable web proxies.

12.1.2 Create a Filter List

You can select categories, such as pornography or racial intolerance, to block from a predefined list.

12.1.3 Customize Web Site Access

You can specify URLs to which the ZyWALL blocks access. You can alternatively block access to all URLs except ones that you specify. You can also have the ZyWALL block access to URLs that contain key words that you specify.

12.2 Content Filter General Screen

Click SECURITY > CONTENT FILTER to open the CONTENT FILTER General screen.

Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites.

Use this screen to enable content filtering, configure a schedule, and create a denial message. You can also choose specific computers to be included in or excluded from the content filtering configuration.

Figure 126 SECURITY > CONTENT FILTER > General

The following table describes the labels in this screen.

Table 77 SECURITY > CONTENT FILTER > General

LABEL: DESCRIPTION
General Setup
Enable Content Filter: Select this check box to enable the content filter. Content filtering works on HTTP traffic that is using TCP ports 80, 119, 3128 or 8080.
Enable Content Filter for VPN traffic: Select this check box to have the content filter apply to traffic that the ZyWALL sends out through a VPN tunnel or receives through a VPN tunnel. The ZyWALL applies the content filter to the traffic before encrypting it or after decrypting it. Note: The ZyWALL can apply content filtering to traffic going to or from the ZyWALL's own VPN tunnels. It does not apply to VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic).
Restrict Web Features: Select the check box(es) to restrict a feature. When you try to access a page containing a restricted feature, the whole page will be blocked or the restricted part of the web page will appear blank or grayed out. You will also see the message and URL you configured in the Denied Access Message and Redirect URL fields.
Block ActiveX: ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
Java Applet: Java is a programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.
Cookies: Cookies are files stored on a computer's hard drive. Some web servers use them to track usage and provide service based on ID.
Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN, it is possible for LAN users to circumvent content filtering by pointing their browsers at this proxy server.
Schedule to Block: Content filtering scheduling applies to the Filter List, Customized sites and Keywords. Restricted web features (ActiveX, Java, Cookies and Web Proxy) are not affected by the schedule.
Always Block: Click this option button to have content filtering always active, with no Time of Day limitations enforced. This is enabled by default.
Block From/To: Click this option button to have content filtering active only during the time interval(s) specified. In the Block From and To fields, enter the time period(s), in 24-hour format, during which content filtering will be enforced.
Message to display when a site is blocked
Denied Access Message: Enter a message to be displayed when a user tries to access a restricted web site. The default message is Please contact your network administrator!!
Redirect URL: Enter the URL of the web page to which you want to send users when their web access is blocked by content filtering. The web page you specify here opens in a new frame below the denied access message. Use "http://" followed by up to 120 ASCII characters. For example, http://192.168.1.17/blocked access.
Exempt Computers
Enforce content filter policies for all computers: Select this check box to have all users on your LAN follow content filter policies (default).
Include specified address ranges in the content filter enforcement: Select this check box to have only a specific range of users on your LAN follow content filter policies.
Exclude specified address ranges from the content filter enforcement: Select this check box to exempt a specific range of users on your LAN from content filter policies.
Add Address Ranges
From: Type the beginning IP address (in dotted decimal notation) of the specific range of users on your LAN.
To: Type the ending IP address (in dotted decimal notation) of the specific range of users on your LAN, then click Add Range.
Address List: This text field shows the address ranges you have added. Whether those ranges are included in or exempted from content filter enforcement depends on the Exempt Computers option selected above.
Add Range: Click Add Range after you have filled in the From and To fields above.
Delete Range: Click Delete Range after you select the range of addresses you wish to delete.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
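To make the scoping rules in Table 77 concrete, the following added example (not code from the manual or from ZyXEL) models how the General screen settings decide whether a request from a given LAN address at a given time of day is subject to site blocking or to a web feature restriction. Two points are assumptions rather than statements of this page: that the Exempt Computers ranges apply to restricted web features as well as to site blocking, and that a Block From/To window whose end is earlier than its start wraps past midnight.

```python
"""Added example: which requests the CONTENT FILTER General settings apply to (not ZyXEL's code)."""
import ipaddress
from dataclasses import dataclass, field


def _minutes(hhmm):
    """'HH:MM' in 24-hour format -> minutes since midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi) for lo, hi in ranges)


@dataclass
class ContentFilterGeneral:
    enabled: bool = True
    # Exempt Computers: "all" (enforce for all), "include" (only the ranges) or "exclude" (all but the ranges)
    enforce: str = "all"
    ranges: list = field(default_factory=list)            # [(From, To)] entered with Add Range
    always_block: bool = True                              # Always Block, as opposed to Block From/To
    block_windows: list = field(default_factory=list)      # [("HH:MM", "HH:MM")] Block From/To periods
    restrict_features: set = field(default_factory=set)    # subset of {"activex", "java", "cookies", "web_proxy"}

    def enforced_for(self, src_ip):
        """Does the policy apply to this LAN address at all?"""
        if self.enforce == "all":
            return True
        hit = _in_ranges(src_ip, self.ranges)
        if self.enforce == "include":
            return hit
        if self.enforce == "exclude":
            return not hit
        raise ValueError(f"unknown enforcement mode {self.enforce!r}")

    def schedule_active(self, hhmm):
        """Is the site-blocking schedule in force at this time of day?"""
        if self.always_block:
            return True
        t = _minutes(hhmm)
        for start, end in self.block_windows:
            s, e = _minutes(start), _minutes(end)
            if s <= e:
                if s <= t < e:
                    return True
            elif t >= s or t < e:     # assumption: an end before the start wraps past midnight (22:00 to 06:00)
                return True
        return False

    def blocks_site(self, src_ip, hhmm):
        """Filter List, Customized sites and Keywords follow the schedule."""
        return self.enabled and self.enforced_for(src_ip) and self.schedule_active(hhmm)

    def blocks_feature(self, src_ip, feature):
        """Restricted web features are enforced regardless of the schedule (Schedule to Block, Table 77).
        Assumption: the Exempt Computers ranges apply to feature restrictions as well."""
        return self.enabled and self.enforced_for(src_ip) and feature in self.restrict_features
```

The useful check here is the asymmetry the table describes: outside a Block From/To window a blocked site is reachable, but a Java applet stays blocked, while an excluded address range gets neither restriction.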

12.3 Content Filtering with an External Database

When you register for and enable external database content filtering, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and log, or just log access to web sites based on these categories. The content filtering lookup process is described below.

Figure 127 Content Filtering Lookup Procedure

1 A computer behind the ZyWALL tries to access a web site.
2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site's category will be in the ZyWALL's cache. The ZyWALL blocks, blocks and logs or just logs the request based on your configuration.
3 Use the CONTENT FILTER Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses (see Section 12.7 on page 246). All of the web site address records are also cleared from the local cache when the ZyWALL restarts.
4 If the ZyWALL has no record of the web site, it will query the external content filtering database and simultaneously send the request to the web server.

The external content filtering database may change a web site's category or categorize a previously uncategorized web site.

5 The external content filtering server sends the category information back to the ZyWALL, which then blocks and/or logs access to the web site. The web site's address and category are then stored in the ZyWALL's content filtering cache.
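The lookup procedure above, together with the Matched Web Pages, Unrated Web Pages and When Content Filter Server Is Unavailable settings of the Categories screen (Section 12.4), is modelled below as an added example; it is not the ZyWALL's code. The external database is replaced by a constructed stand-in that returns a list of categories for a host, raises an error for an invalid license key, and can be made slower than the Content Filter Server Unavailable Timeout; the clock is faked so that cache expiry can be exercised deterministically. Caching an unrated site as an empty category list is a modelling choice, not something the page states.

```python
"""Added example of the category lookup with cache and server-unavailable handling (not ZyXEL's code)."""
from dataclasses import dataclass


class ServerUnavailable(Exception):
    """No answer in time, an unresolvable name, or an error response such as an invalid license key."""


@dataclass
class CategoryPolicy:
    blocked: set                           # categories selected on the Categories screen
    log_matched: bool = True               # Matched Web Pages: Log
    block_unrated: bool = False            # Unrated Web Pages: Block
    log_unrated: bool = True               # Unrated Web Pages: Log
    block_when_unavailable: bool = True    # When Content Filter Server Is Unavailable: Block (fail closed)
    log_when_unavailable: bool = True      # When Content Filter Server Is Unavailable: Log
    timeout_s: float = 10.0                # Content Filter Server Unavailable Timeout (1 to 30 seconds)


class CategoryCache:
    """host -> (categories, expiry). In memory only, so a restart empties it (step 3 above)."""
    def __init__(self, ttl_s, clock):
        self.ttl_s, self.clock, self.entries = ttl_s, clock, {}

    def get(self, host):
        hit = self.entries.get(host)
        if hit is not None and hit[1] > self.clock():
            return hit[0]
        self.entries.pop(host, None)       # expired or absent
        return None

    def put(self, host, categories):
        self.entries[host] = (tuple(categories), self.clock() + self.ttl_s)


class ContentFilterLookup:
    def __init__(self, policy, cache, query):
        self.policy, self.cache, self.query = policy, cache, query   # query(host, timeout_s) -> [category, ...]
        self.log = []                      # (host, reason, detail)

    def decide(self, host):
        """Return 'block' or 'allow' for a request to host, following the lookup procedure."""
        cats = self.cache.get(host)                                    # step 2: cache first
        if cats is None:
            try:                                                       # step 4: ask the external database
                cats = tuple(self.query(host, self.policy.timeout_s))
            except ServerUnavailable as exc:
                if self.policy.log_when_unavailable:
                    self.log.append((host, "server unavailable", str(exc)))
                return "block" if self.policy.block_when_unavailable else "allow"
            self.cache.put(host, cats)                                 # step 5: remember the verdict
        if not cats:                                                   # unrated: the database has no category
            if self.policy.log_unrated:
                self.log.append((host, "unrated", None))
            return "block" if self.policy.block_unrated else "allow"
        matched = [c for c in cats if c in self.policy.blocked]
        if matched:
            if self.policy.log_matched:
                self.log.append((host, "matched", matched[0]))         # only the first matched category is logged
            return "block"
        return "allow"


# Constructed stand-ins so the example runs offline; host names and ratings are made up.
class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class FakeDatabase:
    def __init__(self, ratings, latency_s=0.0, error=None):
        self.ratings, self.latency_s, self.error, self.queries = ratings, latency_s, error, 0

    def __call__(self, host, timeout_s):
        self.queries += 1
        if self.error:
            raise ServerUnavailable(self.error)              # e.g. "license key is invalid"
        if self.latency_s > timeout_s:
            raise ServerUnavailable("no response within timeout")
        return self.ratings.get(host, [])
```

The last two cases in the test are the ones to think about before deploying: once the cache entry expires, an expired registration or a slow server turns into a global block if When Content Filter Server Is Unavailable is set to Block, and into unfiltered access if it is not.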

12.4 Content Filter Categories

Click SECURITY >CONTENT FILTER > Categories to display the CONTENT FILTER Categories screen.

Use this screen to configure category-based content filtering. You can set the ZyWALL to use external database content filtering and select which web site categories to block and/or log. You must register for external content filtering before you can use it. Use the REGISTRATION screens (see Chapter 5 on page 107) to create a myZyXEL.com account, register your device and activate the external content filtering service.

Do the following to view content filtering reports (see Chapter 13 on page 249 for details).

1 Log into myZyXEL.com and click your device's link to open its Service Management screen.
2 Click Content Filter in the Service Name field to open the Blue Coat login screen.
3 Enter your ZyWALL's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 133 on page 251). Type your myZyXEL.com account password in the Password field. Click Submit.

You may find that a web site has not been accurately categorized or that a web site's contents have changed and the content filtering category needs to be updated. See Section 13.3 on page 254 for how to submit the web site for review.

Figure 128 SECURITY > CONTENT FILTER > Categories

The following table describes the labels in this screen.

Table 78 SECURITY > CONTENT FILTER > Categories

LABEL: DESCRIPTION
Auto Category Setup
Enable External Database Content Filtering: Enable external database content filtering to have the ZyWALL check an external database to find out which category a requested web page belongs to. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page.
Matched Web Pages: Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page. Select Log to record attempts to access prohibited web pages.
Unrated Web Pages: Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page. Select Log to record attempts to access web pages that are not categorized.
When Content Filter Server Is Unavailable: Select Block to block access to any requested web page if the external content filtering database is unavailable. Possible causes are: no response from the external content filtering server within the time period specified in the Content Filter Server Unavailable Timeout field; the ZyWALL is not able to resolve the domain name of the external content filtering database; or an error response from the external content filtering database, for example because the content filtering registration has expired (external content filtering's license key is invalid). If Block is not selected, requests made while the database is unavailable are allowed through, so the filter fails open. Select Log to record attempts to access web pages that occur while the external content filtering database is unavailable.
Content Filter Server Unavailable Timeout: Specify a number of seconds (1 to 30) for the ZyWALL to wait for a response from the external content filtering server. If there is still no response by the time this period expires, the ZyWALL blocks or allows access to the requested web page based on the setting in the When Content Filter Server Is Unavailable field.
Select Categories: These are the categories available at the time of writing. Note: If you chose to record attempts to access the restricted pages and a web page matches more than one category you selected, the log shows this page matching one category (the first matched one) only.
Select All Categories: Select this check box to restrict access to all site categories listed below.
Clear All Categories: Select this check box to clear the selected categories below.
Adult/Mature Content: Selecting this category excludes pages that contain material of an adult nature that does not necessarily contain excessive violence, sexual content, or nudity. These pages include very profane or vulgar content and pages that are not appropriate for children.
Pornography: Selecting this category excludes pages that contain sexually explicit material for the purpose of arousing a sexual or prurient interest.
Sex Education: Selecting this category excludes pages that provide information (sometimes graphic) on reproduction, sexual development, safe sex practices, sexuality and birth control. It also includes pages that offer tips for better sex as well as products used for sexual enhancement.
Intimate Apparel/Swimsuit: Selecting this category excludes pages that contain images of or offer the sale of swimsuits, intimate apparel or other types of suggestive clothing. It does not include pages selling undergarments as a subsection of other products offered.
Nudity: Selecting this category excludes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of an artistic nature. This category also includes nudist or naturist pages that contain pictures of nude individuals.
Alcohol/Tobacco: Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not include pages that sell alcohol or tobacco as a subset of other products.
Illegal/Questionable: Selecting this category excludes pages that advocate or give advice on performing illegal acts such as service theft, evading law enforcement, fraud, burglary techniques and plagiarism. It also includes pages that provide or sell questionable educational materials, such as term papers. Note: This category includes sites identified as being malicious in any way (such as hosting viruses, spyware and so on).
Gambling: Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information, assistance, recommendations, or training on placing bets or participating in games of chance. It does not include pages that sell gambling related products or machines. It also does not include pages for offline casinos and hotels (as long as those pages do not meet one of the above requirements).
Violence/Hate/Racism: Selecting this category excludes pages that depict extreme physical harm to people or property, or that advocate or provide instructions on how to cause such harm. It also includes pages that advocate, depict hostility or aggression toward, or denigrate an individual or group on the basis of race, religion, gender, nationality, ethnic origin, or other characteristics.
Weapons: Selecting this category excludes pages that sell, review, or describe weapons such as guns, knives or martial arts devices, or provide information on their use, accessories, or other modifications. It does not include pages that promote collecting weapons, or groups that either support or oppose weapons use.
Abortion: Selecting this category excludes pages that provide information or arguments in favor of or against abortion, describe abortion procedures, offer help in obtaining or avoiding abortion, or provide information on the effects, or lack thereof, of abortion.
Hacking: Selecting this category excludes pages that distribute, promote, or provide hacking tools and/or information which may help gain unauthorized access to computer systems and/or computerized communication systems. Hacking encompasses instructions on illegal or questionable tactics, such as creating viruses, distributing cracked or pirated software, or distributing other protected intellectual property.
Phishing: Selecting this category excludes pages that are designed to appear as a legitimate bank or retailer with the intent to fraudulently capture sensitive data (for example credit card numbers or PINs).
Arts/Entertainment: Selecting this category excludes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment.
Business/Economy: Selecting this category excludes pages devoted to business firms, business information, economics, marketing, business management and entrepreneurship. This does not include pages that perform services that are defined in another category (such as Information Technology companies, or companies that sell travel services).
Alternative Spirituality/Occult: Selecting this category excludes pages that promote and provide information on religions such as Wicca, Witchcraft or Satanism. Occult practices, atheistic views, voodoo rituals or any other form of mysticism are represented here. It includes sites that endorse or offer methods, means of instruction, or other resources to affect or influence real events through the use of spells, incantations, curses and magic powers. This category includes sites which discuss or deal with paranormal or unexplained events.
Illegal Drugs: Selecting this category excludes pages that promote, offer, sell, supply, encourage or otherwise advocate the illegal use, cultivation, manufacture, or distribution of drugs, pharmaceuticals, intoxicating plants or chemicals and their related paraphernalia.
Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
Cultural/Charitable Organization: Selecting this category excludes pages that nurture cultural understanding and foster volunteerism, such as 4H, the Lions and Rotary Clubs. It also encompasses non-profit associations that cultivate philanthropic or relief efforts. Sites that provide a learning environment or cultural refinement/awareness outside of the strictures of formalized education, such as museums and planetariums, are included under this heading.
Financial Services: Selecting this category excludes pages that provide or advertise banking services (online or offline) or other types of financial information, such as loans. It does not include pages that offer market information, brokerage or trading services.
Brokerage/Trading: Selecting this category excludes pages that provide or advertise trading of securities and management of investment assets (online or offline). It also includes insurance pages, as well as pages that offer financial investment strategies, quotes, and news.
Online Games: Selecting this category excludes pages that provide information on and support game playing or downloading, video games, computer games, electronic games, tips, and advice on games or how to obtain cheat codes. It also includes pages dedicated to selling board games as well as journals and magazines dedicated to game playing. It includes pages that support or host online sweepstakes and giveaways.
Government/Legal: Selecting this category excludes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental entities.
Military: Selecting this category excludes pages that promote or provide information on military branches or armed services.
Political/Activist Groups: Selecting this category excludes pages sponsored by or which provide information on political parties, special interest groups, or any organization that promotes change or reform in public policy, public opinion, social practice, or economic activities.
Health: Selecting this category excludes pages that provide advice and information on general health such as fitness and well-being, personal health or medical services, drugs, alternative and complementary therapies, medical information about ailments, dentistry, optometry, general psychiatry, self-help, and support organizations dedicated to a disease or condition.
Computers/Internet: Selecting this category excludes pages that sponsor or provide information on computers, technology, the Internet and technology-related organizations and companies.
Search Engines/Portals: Selecting this category excludes pages that support searching the Internet, indices, and directories.
Spyware/Malware Sources: Selecting this category excludes pages which distribute spyware and other malware. Spyware is defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents itself by tricking users into installing or downloading it or entering personal information. This includes drive-by downloads; browser hijackers; dialers; intrusive advertising; any program which modifies your homepage, bookmarks, or security settings; and keyloggers. It also includes any software which bundles spyware (as defined above) as part of its offering. Information collected or reported is "personal" if it contains uniquely identifying data, such as email addresses, name, social security number, IP address, etc. A site is not classified as spyware if the user is reasonably notified that the software will perform these actions (i.e., it alerts that it will send personal information, be installed, or log keystrokes). Note: Sites rated as spyware should have a second category assigned with them.
Spyware Effects/Privacy Concerns: Selecting this category excludes pages to which spyware (as defined in the Spyware/Malware Sources category) reports its findings or from which it alone downloads advertisements. It also includes sites that contain serious privacy issues, such as "phone home" sites to which software can connect and send user info; sites that make extensive use of tracking cookies without a posted privacy statement; and sites to which browser hijackers redirect users. It usually does not include sites that can be marked as Spyware/Malware. Note: Sites rated as spyware effects typically have a second category assigned with them.
Job Search/Careers: Selecting this category excludes pages that provide assistance in finding employment, and tools for locating prospective employers.
News/Media: Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.
Personals/Dating: Selecting this category excludes pages that promote interpersonal relationships.
Reference: Selecting this category excludes pages containing personal, professional, or educational reference material, including online dictionaries, maps, census data, almanacs, library catalogues, genealogy-related pages and scientific information.
Open Image/Media Search: Selecting this category excludes pages with image or video search capabilities which return graphical results (such as thumbnail pictures) that include potentially pornographic content (as defined in the Pornography category) along with non-pornographic content. Sites that explicitly exclude offensive content are not included in this category.
Chat/Instant Messaging: Selecting this category excludes pages that provide chat or instant messaging capabilities or client downloads.
Email: Selecting this category excludes pages offering web-based email services, such as online email reading, e-cards, and mailing list services.
Blogs/NewsgroupsSelecting this category excludes pages that offer access to Usenet news groups or other messaging or bulletin board systems. Also, blog specific sites or an individual with his own blog. This does not include social networking communities with blogs.
ReligionSelecting this category excludes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative religions such as Wicca or witchcraft (Cult/Occult) or atheist beliefs (Political/Activist Groups).
Social NetworkingSelecting this category excludes pages that enable people to connect with others to form an online community. Typically members describe themselves in personal web page profiles and form interactive networks, linking them with other members based on common interests or acquaintances. Instant messaging, file sharing and web logs (blogs) are common features of Social Networking sites. Note: These sites may contain offensive material in the community-created content. Sites in this category are also referred to as "virtual communities" or "online communities". This category does not include more narrowly focused sites, like those that specifically match descriptions for Persons/Dating sites or Business sites.
Online StorageSelecting this category excludes pages that provide a secure, encrypted, off-site backup and restoration of personal data. These online repositories are typically used to store, organize and share videos, music, movies, photos, documents and other electronically formatted information. Sites that fit this criteria essentially act as your personal hard drive on the Internet.
Remote Access ToolsSelecting this category excludes pages that primarily focus on providing information about and/or methods that enables authorized access to and use of a desktop computer or private network remotely.
ShoppingSelecting this category excludes pages that provide or advertise the means to obtain goods or services. It does not include pages that can be classified in other categories (such as vehicles or weapons).
AuctionsSelecting this category excludes pages that support the offering and purchasing of goods between individuals. This does not include classified advertisements.
Real EstateSelecting this category excludes pages that provide information on renting, buying, or selling real estate or properties.
Society/LifestyleSelecting this category excludes pages providing information on matters of daily life. This does not include pages relating to entertainment, sports, jobs, sex or pages promoting alternative lifestyles such as homosexuality. Personal homepages fall within this category if they cannot be classified in another category.
Sexuality/Alternative LifestylesSelecting this category excludes pages that provide information, promote, or cater to gays, lesbians, swingers, other sexual orientations or practices, or a particular fetish. This category does not include sites that are sexually gratuitous in nature which would typically fall under the Pornography category.
Restaurants/Dining/FoodSelecting this category excludes pages that list, review, discuss, advertise and promote food, catering, dining services, cooking and recipes.
Sports/Recreation/HobbiesSelecting this category excludes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.
TravelSelecting this category excludes pages that promote or provide opportunity for travel planning, including finding and making travel reservations, vehicle rentals, descriptions of travel destinations, or promotions for hotels or casinos.
VehiclesSelecting this category excludes pages that provide information on or promote vehicles, boats, or aircraft, including pages that support online purchase of vehicles or parts.
Humor/JokesSelecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
Software DownloadsSelecting this category excludes pages that are dedicated to the electronic download of software packages, whether for payment or at no charge.
Pay to SurfSelecting this category excludes pages that pay users in the form of cash or prizes, for clicking on or reading specific links, email, or web pages.
Peer-to-PeerSelecting this category excludes pages that distribute software to facilitate the direct exchange of files between users, including software that enables file search and sharing across a network without dependence on a central server.
Streaming Media/MP3sSelecting this category excludes pages that sell, deliver, or stream music or video content in any format, including sites that provide downloads for such viewers.
Proxy AvoidanceSelecting this category excludes pages that provide information on how to bypass proxy server/appliance features or gain access to URLs in any way that bypasses the proxy server/appliance. It also includes any service that will allow a person to bypass the content filtering feature, such as anonymous surfing services.
For KidsSelecting this category excludes pages designed specifically for children.
Web AdvertisementsSelecting this category excludes pages that provide online advertisements or banners. This does not include advertising servers that serve adult-oriented advertisements.
Web HostingSelecting this category excludes pages of organizations that provide top-level domain pages, as well as web communities or hosting services.
Advanced/BasicClick Advanced to see an expanded list of categories, or click Basic to see a smaller list.
Test Web Site Attribute
Test if Web site is blockedYou can check whether or not the content filter currently blocks any given web page. Enter a web site URL in the text box.
Test Against Local CacheClick this button to test whether or not the web site above is saved in the ZyWALL's database of restricted web pages.
Test Against Internet ServerClick this button to test whether or not the web site above is saved in the external content filter server's database of restricted web pages.
Content Filter Service StatusThis read-only field displays the status of your category-based content filtering (using an external database) service subscription.License Inactive displays if you have not registered and activated the category-based content filtering service.License Active and the subscription expiration date display if you have registered the ZyWALL and activated the category-based content filtering service.Trial Active and the trial subscription expiration date display if you have registered the ZyWALL and activated the category-based content filtering service.License Inactive and the date your subscription expired display if your subscription to the category-based content filtering service has expired.Note: After you register for content filtering, you need to wait up to five minutes for content filtering to be activated.See Section 13.1 on page 249 for how to check the content filtering activation.
ApplyClick Apply to save your changes back to the ZyWALL.
ResetClick Reset to begin configuring this screen afresh.

12.5 Content Filter Customization

Click SECURITY > CONTENT FILTER > Customization to display the CONTENT FILTER Customization screen.

You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.

Figure 129 SECURITY > CONTENT FILTER > Customization

The following table describes the labels in this screen.

Table 79 SECURITY > CONTENT FILTER > Customization

LABEL: DESCRIPTION
Web Site List Customization
Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites. Content filter list customization may be enabled and disabled without re-entering these site names.
Disable all Web traffic except for trusted Web sites: When this box is selected, the ZyWALL only allows Web access to sites on the Trusted Web Site list. If they are chosen carefully, this is the most effective way to block objectionable material.
Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites: When this box is selected, the ZyWALL will permit Java, ActiveX and Cookies from sites on the Trusted Web Site list to the LAN. In certain cases, it may be desirable to allow Java, ActiveX or Cookies from sites that are known and trusted.
Trusted Web Sites: Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list. You can enter up to 32 entries.
Add Trusted Web Site: Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc.
Trusted Web Sites: This list displays the trusted web sites already added.
Add: Click this button when you have finished entering the host name in the text field above.
Delete: Select a web site name from the Trusted Web Site List, and then click this button to delete it from that list.
Forbidden Web Site List: Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list. You can enter up to 32 entries.
Add Forbidden Web Site: Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are blocked. For example, entering “bad-site.com” also blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”, etc.
Forbidden Web Sites: This list displays the forbidden web sites already added.
Add: Click this button when you have finished entering the host name in the text field above.
Delete: Select a web site name from the Forbidden Web Site List, and then click this button to delete it from that list.
Keyword Blocking: Keyword Blocking allows you to block websites with URLs that contain certain keywords in the domain name or IP address. See Section 12.6 on page 245 for how to set how much of the URL the ZyWALL checks.
Block Web sites which contain these keywords: Select this check box to enable keyword blocking.
Add Keyword: Enter a keyword (up to 31 printable ASCII characters) to block. You can also enter a numerical IP address.
Keyword List: This list displays the keywords already added.
Add: Click this button when you have finished entering the keyword in the text field above.
Delete: Select a keyword from the Keyword List, and then click this button to delete it from that list.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

12.6 Customizing Keyword Blocking URL Checking

You can use commands to set how much of a website's URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.

12.6.1 Domain Name or IP Address URL Checking

By default, the ZyWALL checks the URL's domain name or IP address when performing keyword blocking.

This means that the ZyWALL checks the characters that come before the first slash in the URL.

For example, with the URL www.zyxel.com.tw/news/pressroom.php, content filtering only searches for keywords within www.zyxel.com.tw.

12.6.2 Full Path URL Checking

Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL.

For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/.

Use the ip urlfilter customize actionFlags 6 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's full path.

12.6.3 File Name URL Checking

Filename URL checking has the ZyWALL check all of the characters in the URL.

For example, filename URL checking searches for keywords within the entire URL www.zyxel.com.tw/news/pressroom.php.

Use the ip urlfilter customize actionFlags 8 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's complete filename.
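The following Python is an added model of the Customization screen (Section 12.5) together with the three URL-checking scopes above; it is a constructed example, not ZyXEL code. It applies trusted and forbidden host lists with subdomain matching and then runs keyword blocking over only the part of the URL the selected scope covers. Assumed, because the manual does not say: the trusted list is consulted before the forbidden list, keyword matching is case-insensitive, and URLs are given without a scheme.

```python
"""Model of the ZyWALL content filter customization checks from Sections 12.5
and 12.6 (constructed example, not ZyXEL code). Trusted and forbidden host
names cover all of their subdomains; keyword blocking inspects only the part
of the URL selected by the URL-checking scope."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    """How much of the URL keyword blocking searches (Section 12.6)."""
    DOMAIN = "domain"        # default: characters before the first slash
    FULL_PATH = "full_path"  # actionFlags 6 enable: characters before the last slash
    FILE_NAME = "file_name"  # actionFlags 8 enable: the complete URL


def host_matches(host: str, entry: str) -> bool:
    """'zyxel.com' covers zyxel.com itself and every subdomain such as
    www.zyxel.com, but not look-alikes such as notzyxel.com."""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def searched_portion(url: str, scope: Scope) -> str:
    """Return the slice of `url` that keyword blocking inspects under `scope`.
    The manual writes URLs without a scheme; one is stripped if present."""
    if "://" in url:
        url = url.split("://", 1)[1]
    if scope is Scope.DOMAIN:
        return url.split("/", 1)[0]
    if scope is Scope.FULL_PATH:
        return url.rsplit("/", 1)[0] + "/" if "/" in url else url
    return url


@dataclass
class CustomizationPolicy:
    """Fields of the CONTENT FILTER Customization screen (Table 79)."""
    enabled: bool = True
    trusted_only: bool = False  # "Disable all Web traffic except for trusted Web sites"
    trusted: list[str] = field(default_factory=list)    # up to 32 host names
    forbidden: list[str] = field(default_factory=list)  # up to 32 host names
    keyword_blocking: bool = False
    keywords: list[str] = field(default_factory=list)   # up to 31 printable ASCII chars each
    scope: Scope = Scope.DOMAIN

    def __post_init__(self) -> None:
        if len(self.trusted) > 32 or len(self.forbidden) > 32:
            raise ValueError("the ZyWALL accepts at most 32 entries per list")
        for kw in self.keywords:
            if not 0 < len(kw) <= 31 or not kw.isascii() or not kw.isprintable():
                raise ValueError(f"keyword must be 1-31 printable ASCII characters: {kw!r}")

    def evaluate(self, url: str) -> tuple[str, str]:
        """Return (verdict, reason). 'allow' and 'block' are decided here;
        'categorize' means no customization rule applied and the ZyWALL would
        fall through to category-based filtering. Assumptions: the trusted
        list is consulted before the forbidden list, and keyword matching is
        case-insensitive (the manual states neither)."""
        if not self.enabled:
            return "categorize", "web site customization is disabled"
        host = searched_portion(url, Scope.DOMAIN).split(":", 1)[0]  # drop any port
        if any(host_matches(host, t) for t in self.trusted):
            return "allow", f"{host} is on the Trusted Web Site list"
        if self.trusted_only:
            return "block", f"{host} is not on the Trusted Web Site list"
        if any(host_matches(host, f) for f in self.forbidden):
            return "block", f"{host} is on the Forbidden Web Site list"
        if self.keyword_blocking:
            haystack = searched_portion(url, self.scope).lower()
            for kw in self.keywords:
                if kw.lower() in haystack:
                    return "block", f"keyword {kw!r} found in {haystack!r}"
        return "categorize", "no customization rule matched"


if __name__ == "__main__":
    # Constructed configuration built from the manual's own example host names.
    policy = CustomizationPolicy(trusted=["zyxel.com"], forbidden=["bad-site.com"],
                                 keyword_blocking=True, keywords=["news"])
    url = "www.zyxel.com.tw/news/pressroom.php"
    for scope in Scope:
        policy.scope = scope
        print(f"{scope.name:10} searches {searched_portion(url, scope)!r:40} -> {policy.evaluate(url)}")
```

Note that www.zyxel.com.tw is not covered by a trusted entry of zyxel.com, since subdomain matching only extends leftwards; the keyword "news" is found only once the scope includes the path.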

12.7 Content Filtering Cache

Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen.

Use this screen to view and configure your ZyWALL's URL caching. You can also configure how long a categorized web site address remains in the cache as well as view those web site addresses to which access has been allowed or blocked based on the responses from the external content filtering server. The ZyWALL only queries the external content filtering database for sites not found in the cache.

You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site's category has been changed.

Please see Section 13.3 on page 254 for how to submit a web site that has been incorrectly categorized.

Figure 130 SECURITY > CONTENT FILTER > Cache

The following table describes the labels in this screen.

Table 80 SECURITY > CONTENT FILTER > Cache

LABEL: DESCRIPTION
URL Cache Setup
Maximum TTL: Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL allows an entry to remain in the URL cache before discarding it.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
URL Cache Entry
Flush: Click this button to clear all web site addresses from the cache manually.
Refresh: Click this button to reload the cache.
#: This is the index number of a categorized web site address record.
Action: This field shows whether access to the web site's URL was blocked or allowed. Click the column heading to sort the entries. Point the triangle up to display the blocked URLs before the URLs to which access was allowed. Point the triangle down to display the URLs to which access was allowed before the blocked URLs.
URL: This is a web site's address that the ZyWALL previously checked with the external content filtering database.
Port: This is the service port number for which access was requested.
Remaining Time (hour): This is the number of hours left before the URL entry is discarded from the cache.
Modify: Click the delete icon to remove the URL entry from the cache.
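The cache behaviour described in Section 12.7 and Table 80, as an added Python model that is not ZyXEL's code: entries are keyed by web site address and port, the external server (here a constructed stand-in, demo_lookup) is queried only on a cache miss, deleting an entry forces a fresh query, and an injected clock drives TTL expiry. Rounding the Remaining Time down to whole hours is an assumption.

```python
"""Model of the ZyWALL URL cache from Section 12.7 (constructed example, not
ZyXEL code). Entries are keyed by web site address and service port, carry
the allowed/blocked action the external content filtering server returned,
and are discarded once they have lived for the configured maximum TTL."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

HOUR = 3600.0


@dataclass
class CacheEntry:
    """One row of the URL Cache Entry table (Table 80)."""
    url: str
    port: int
    action: str        # "blocked" or "allowed", the Action column
    cached_at: float   # seconds on the clock passed to URLCache


class URLCache:
    def __init__(self, max_ttl_hours: int,
                 lookup: Callable[[str, int], str],
                 clock: Callable[[], float]) -> None:
        if not 1 <= max_ttl_hours <= 720:
            raise ValueError("Maximum TTL must be 1 to 720 hours")
        self.max_ttl = max_ttl_hours * HOUR
        self.lookup = lookup  # stand-in for the external content filtering server
        self.clock = clock    # injected so expiry can be exercised without waiting
        self.entries: dict[tuple[str, int], CacheEntry] = {}
        self.external_queries = 0

    def _expire(self) -> None:
        """Discard every entry that has reached the maximum TTL."""
        now = self.clock()
        for key, entry in list(self.entries.items()):
            if now - entry.cached_at >= self.max_ttl:
                del self.entries[key]

    def in_local_cache(self, url: str, port: int = 80) -> bool:
        """What the 'Test Against Local Cache' button reports."""
        self._expire()
        return (url, port) in self.entries

    def check(self, url: str, port: int = 80) -> str:
        """Return the action for a request; only a cache miss reaches the server."""
        self._expire()
        key = (url, port)
        entry = self.entries.get(key)
        if entry is None:
            self.external_queries += 1
            entry = CacheEntry(url, port, self.lookup(url, port), self.clock())
            self.entries[key] = entry
        return entry.action

    def remaining_hours(self, url: str, port: int = 80) -> int:
        """The 'Remaining Time (hour)' column: whole hours until the entry is
        discarded (assumption: rounded down; the manual does not say)."""
        self._expire()
        entry = self.entries[(url, port)]
        return int((self.max_ttl - (self.clock() - entry.cached_at)) // HOUR)

    def delete(self, url: str, port: int = 80) -> None:
        """The per-row delete icon: the next request for this site goes back to
        the server, which is how a changed category is picked up early."""
        self.entries.pop((url, port), None)

    def flush(self) -> None:
        """The Flush button: clear every cached address."""
        self.entries.clear()


def demo_lookup(url: str, port: int) -> str:
    """Constructed stand-in for the external server: it blocks the manual's
    example forbidden host and allows everything else."""
    return "blocked" if url.endswith("bad-site.com") else "allowed"
```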

Content Filtering Reports

This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service.

See Chapter 5 on page 107 on how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.

13.1 Checking Content Filtering Activation

After you activate content filtering, you need to wait up to five minutes for content filtering to be turned on.

Since there will be no content filtering activation notice, you can do the following to see if content filtering is active.

1 Go to your device's web configurator's CONTENT FILTER Categories screen.
2 Select at least one category and click Apply.
3 Enter a valid URL or IP address of a web site in the Test if Web site is blocked field and click the Test Against Internet Server button.

When content filtering is active, you should see an access blocked or access forwarded message. An error message displays if content filtering is not active.

13.2 Viewing Content Filtering Reports

Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen.

You need to register your iCard before you can view content filtering reports.

Alternatively, you can also view content filtering reports during the free trial (up to 30 days).

1 Go to http://www.myZyXEL.com.
2 Fill in your myZyXEL.com account information and click Submit.

Figure 131 myZyXEL.com: Login

3 A welcome screen displays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 133 on page 251).

Figure 132 myZyXEL.com: Welcome

4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen.

Figure 133 myZyXEL.com: Service Management

5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 133 on page 251). Type your myZyXEL.com account password in the Password field.
6 Click Submit.

Figure 134 Blue Coat: Login

7 In the Web Filter Home screen, click the Reports tab.

Figure 135 Content Filtering Reports Main Screen

8 Select items under Global Reports or Single User Reports to view the corresponding reports.

Figure 136 Blue Coat: Report Home

9 Select a time period in the Date Range field, either Allowed or Restricted in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.

10 A chart and/or list of requested web site categories display in the lower half of the screen.

Figure 137 Global Report Screen Example

11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.

Figure 138 Requested URLs Example

13.3 Web Site Submission

You may find that a web site has not been accurately categorized or that a web site's contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.

1 Log into the content filtering reports web site (see Section 13.2 on page 249).
2 In the Web Filter Home screen (see Figure 135 on page 252), click Site Submissions to open the Web Page Review Process screen shown next.

Figure 139 Web Page Review Process Screen

3 Type the web site's URL in the field and click Submit to have the web site reviewed.

IPSec VPN

This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL.

14.1 IPSec VPN Overview

A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

The following figure provides one perspective of a VPN tunnel.

Figure 140 VPN: Example
The VPN tunnel connects the ZyWALL (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B).

A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network. The following figure illustrates this.

Figure 141 VPN: IKE SA and IPSec SA

In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X and Y established first.

The rest of this section discusses IKE SA and IPSec SA in more detail.

14.1.1 IKE SA Overview

The IKE SA provides a secure connection between the ZyWALL and remote IPSec router.

It takes several steps to establish an IKE SA. The negotiation mode determines the number of steps to use. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.

Both routers must use the same negotiation mode.

These modes are discussed in more detail in Section 14.3.1.4 on page 264. Main mode is used in various examples in the rest of this section.

14.1.1.1 IP Addresses of the ZyWALL and Remote IPSec Router

In the ZyWALL, you have to specify the IP addresses of the ZyWALL and the remote IPSec router to establish an IKE SA.

You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface.

You can usually provide a static IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can initiate an IKE SA.

14.2 VPN Rules (IKE)

A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network.

  • A gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel.
  • A network policy contains the IPSec SA settings. It specifies which devices (behind the IPSec routers) can use the VPN tunnel.

Figure 142 Gateway and Network Policies

This figure helps explain the main fields in the VPN setup.

Figure 143 IPSec Fields Summary

Click SECURITY > VPN to display the VPN Rules (IKE) screen. Use this screen to manage the ZyWALL's list of VPN rules (tunnels) that use IKE SAs.

Figure 144 SECURITY > VPN > VPN Rules (IKE)

The following table describes the labels in this screen.

Table 81 SECURITY > VPN > VPN Rules (IKE)

LABEL: DESCRIPTION
VPN Rules: These VPN rules define the settings for creating VPN tunnels for secure connections to other computers or networks.
[ ]: Click this icon to add a VPN gateway policy (or IPSec rule).
Gateway Policies: The first row of each VPN rule represents the gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA (click the edit icon to display the other settings).
My ZyWALL: This represents your ZyWALL. The WAN IP address, domain name or dynamic domain name of your ZyWALL displays in router mode. The ZyWALL's IP address displays in bridge mode.
Remote Gateway: This represents the remote secure gateway. The IP address, domain name or dynamic domain name of the remote IPSec router displays if you specify it; otherwise Dynamic displays.
[ ]: Click this icon to add a VPN network policy.
Network Policies: The subsequent rows in a VPN rule are network policies. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.
Local Network: This is the network behind the ZyWALL. A network policy specifies which devices (behind the IPSec routers) can use the VPN tunnel.
Remote Network: This is the remote network behind the remote IPSec router.
@: Click this icon to display a screen in which you can associate a network policy with a gateway policy.
[ ]: Click this icon to display a screen in which you can change the settings of a gateway or network policy.
[ ]: Click this icon to delete a gateway or network policy. The ZyWALL automatically moves the associated network policy(ies) to the recycle bin.
[ ]: Click this icon to establish a VPN connection to a remote network.
[ ]: Click this icon to drop a VPN connection to a remote network.
×: This indicates that a network policy is not active.
Recycle Bin: The recycle bin holds any network policies without an associated gateway policy.

14.3 IKE SA Setup

This section provides more details about IKE SAs.

14.3.1 IKE SA Proposal

The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated below.

Figure 145 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal

The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can set up only one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the ZyWALL. If the remote IPSec router rejects all of the proposals (for example, if the VPN tunnel is not configured correctly), the ZyWALL and remote IPSec router cannot establish an IKE SA.

Both routers must use the same encryption algorithm, authentication algorithm, and DH key group.

See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 14.3.1.1 on page 262 for more information about DH key groups.

14.3.1.1 Diffie-Hellman (DH) Key Exchange

The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for IKE SA and IPSec SA. In main mode, the DH key exchange is done in steps 3 and 4, as illustrated below.

Figure 146 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange

The DH key exchange is based on DH key groups. Each key group is a fixed number of bits long. The longer the key, the more secure the encryption keys, but also the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 encryption keys take longer to encrypt and decrypt.

14.3.1.2 Authentication

Before the ZyWALL and remote IPSec router establish an IKE SA, they have to verify each other's identity. This process is based on pre-shared keys and router identities.

In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. Their identities are encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps.

Figure 147 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication

The ZyWALL and remote IPSec router use a pre-shared key in the authentication process, though it is not actually transmitted or exchanged.

The ZyWALL and the remote IPSec router must use the same pre-shared key.

Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address. The ID content is only used for identification; the IP address, domain name, or e-mail address that you enter does not have to actually exist.

The ZyWALL and the remote IPSec router each have their own identity, so each one must store two sets of information, one for itself and one for the other router. Local ID type and ID content refer to the ID type and ID content that apply to the router itself, and peer ID type and ID content refer to the ID type and ID content that apply to the other router in the IKE SA.

The ZyWALL's local and peer ID type and ID content must match the remote IPSec router's peer and local ID type and ID content, respectively.

In the following example, the ID type and content match so the ZyWALL and the remote IPSec router authenticate each other successfully.

Table 82 VPN Example: Matching ID Type and Content

ZYWALL                                   REMOTE IPSEC ROUTER
Local ID type: E-mail                    Local ID type: IP
Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
Peer ID type: IP                         Peer ID type: E-mail
Peer ID content: 1.1.1.2                 Peer ID content: tom@yourcompany.com

In the following example, the ID type and content do not match so the authentication fails and the ZyWALL and the remote IPSec router cannot establish an IKE SA.

Table 83 VPN Example: Mismatching ID Type and Content

ZYWALL | REMOTE IPSEC ROUTER
Local ID type: E-mail | Local ID type: IP
Local ID content: tom@yourcompany.com | Local ID content: 1.1.1.2
Peer ID type: IP | Peer ID type: E-mail
Peer ID content: 1.1.1.15 | Peer ID content: tom@yourcompany.com

It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type to Any. This is not as secure as other peer ID types, however.
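The matching rule from Tables 82 and 83, as an added example (not ZyXEL code) that also models the peer ID type Any and the 0.0.0.0 fallbacks described for the Content fields in Table 84; the 1.1.1.1 address and the field names are assumptions made for this example.

```python
"""Cross-check of IKE identities between two IPSec routers.

Added example, not ZyXEL code.  Each router's local ID type and content
must equal the other router's peer ID type and content; a peer ID type of
Any makes that side skip the check.  As the Content field descriptions in
Table 84 state, an IP-type ID left blank or set to 0.0.0.0 falls back to
the router's own address (local side) or to its configured remote gateway
address (peer side).  Addresses other than 1.1.1.2 are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayIdentity:
    """ID settings of one router plus the addresses the IDs may fall back to."""
    name: str
    local_id_type: str        # IP, DNS or E-mail
    local_id_content: str
    peer_id_type: str         # IP, DNS, E-mail or Any
    peer_id_content: str
    my_address: str           # My ZyWALL / My Address (own WAN IP)
    remote_gateway: str       # Remote Gateway Address of the other router

    def effective_local_id(self) -> str:
        """Local ID content actually presented to the peer."""
        content = self.local_id_content.rstrip()   # trailing spaces are dropped
        if self.local_id_type == "IP" and content in ("", "0.0.0.0"):
            return self.my_address
        return content

    def expected_peer_id(self) -> str:
        """Peer ID content this router expects the other side to present."""
        content = self.peer_id_content.rstrip()
        if self.peer_id_type == "IP" and content in ("", "0.0.0.0"):
            return self.remote_gateway
        return content


def peer_accepts(verifier: GatewayIdentity, claimant: GatewayIdentity) -> tuple[bool, str]:
    """Does `verifier` accept the identity that `claimant` presents?"""
    if verifier.peer_id_type == "Any":
        return True, f"{verifier.name}: peer ID type Any, identity not checked"
    if verifier.peer_id_type != claimant.local_id_type:
        return False, (f"{verifier.name}: expected peer ID type {verifier.peer_id_type}, "
                       f"{claimant.name} presented {claimant.local_id_type}")
    expected, presented = verifier.expected_peer_id(), claimant.effective_local_id()
    if expected != presented:
        return False, (f"{verifier.name}: expected peer ID content {expected!r}, "
                       f"{claimant.name} presented {presented!r}")
    return True, f"{verifier.name}: peer ID type and content match"


def ike_identities_match(a: GatewayIdentity, b: GatewayIdentity) -> tuple[bool, list[str]]:
    """Both directions must pass for the IKE SA to be established."""
    ok_ab, why_ab = peer_accepts(a, b)
    ok_ba, why_ba = peer_accepts(b, a)
    return ok_ab and ok_ba, [why_ab, why_ba]


# The two routers of Table 82 (matching IDs) ...
ZYWALL = GatewayIdentity("ZyWALL", "E-mail", "tom@yourcompany.com", "IP", "1.1.1.2",
                         my_address="1.1.1.1", remote_gateway="1.1.1.2")
REMOTE_OK = GatewayIdentity("remote", "IP", "1.1.1.2", "E-mail", "tom@yourcompany.com",
                            my_address="1.1.1.2", remote_gateway="1.1.1.1")
# ... and the ZyWALL side of Table 83, where the peer ID content is wrong.
ZYWALL_BAD_PEER = GatewayIdentity("ZyWALL", "E-mail", "tom@yourcompany.com", "IP", "1.1.1.15",
                                  my_address="1.1.1.1", remote_gateway="1.1.1.2")

if __name__ == "__main__":
    for pair in ((ZYWALL, REMOTE_OK), (ZYWALL_BAD_PEER, REMOTE_OK)):
        ok, reasons = ike_identities_match(*pair)
        print("authenticated" if ok else "FAILED", *reasons, sep="\n  ")
```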

14.3.1.2.1 Certificates

It is also possible for the ZyWALL and remote IPSec router to authenticate each other with certificates. In this case, the authentication process is different.

  • Instead of using the pre-shared key, the ZyWALL and remote IPSec router check each other's certificates.
  • The local ID type and ID content come from the certificate. On the ZyWALL, you simply select which certificate to use.

  • If you set the peer ID type to Any, the ZyWALL authenticates the remote IPSec router using the trusted certificates and trusted CAs you have set up. Alternatively, if you want to use a specific certificate to authenticate the remote IPSec router, you can use the information in the certificate to specify the peer ID type and ID content.


You must set up the certificates for the ZyWALL and remote IPSec router before you can use certificates in IKE SA. See Chapter 15 on page 297 for more information about certificates.

14.3.1.3 Extended Authentication

Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.

Extended authentication occurs right after the authentication described in Section 14.3.1.2 on page 262.

In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) provides a user name and password to the other router, which uses a local user database and/or an external server to verify the user name and password. If the user name or password is wrong, the routers do not establish an IKE SA.

You can set up the ZyWALL to provide a user name and password to the remote IPSec router, or you can set up the ZyWALL to check a user name and password that is provided by the remote IPSec router.

14.3.1.4 Negotiation Mode

There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.

Main mode takes six steps to establish an IKE SA.

Steps 1-2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.

Steps 3-4: The ZyWALL and the remote IPSec router participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret.

Steps 5-6: Finally, the ZyWALL and the remote IPSec router generate an encryption key from the shared secret, encrypt their identities, and exchange their encrypted identity information for authentication.

In contrast, aggressive mode only takes three steps to establish an IKE SA.

Step 1: The ZyWALL sends its proposals to the remote IPSec router. It also starts the Diffie-Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router for authentication.

Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL. It also finishes the Diffie-Hellman key exchange, authenticates the ZyWALL, and sends its (unencrypted) identity to the ZyWALL for authentication.

Step 3: The ZyWALL authenticates the remote IPSec router and confirms that the IKE SA is established.

Aggressive mode does not provide as much security as main mode because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters).
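The two exchanges just described, simulated end to end as an added example (not ZyXEL code) so that a passive observer's view can be compared: identities are readable on the wire only in aggressive mode. The DH prime, key derivation, cipher, proposal names, identities and pre-shared key are all toy or constructed values chosen for the demonstration, not IKEv1's real formats.

```python
"""Main mode versus aggressive mode, as seen by a passive observer on the wire.

Added example, not ZyXEL code.  The message sequence follows the six-step and
three-step descriptions above; the cryptography is simplified on purpose
(toy 127-bit DH prime, HMAC key derivation, HMAC keystream cipher) so the
shape of the exchange, not real IKEv1 payload formats, is what is shown.
Identities, proposals and the pre-shared key are constructed values.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # Mersenne prime M127: toy size, not an IKE DH group
G = 2
PROPOSALS = ["AES-SHA1-DH2", "3DES-MD5-DH1"]   # initiator's list, preferred first
RESPONDER_SUPPORTS = {"AES-SHA1-DH2"}


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-derived keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class Router:
    def __init__(self, name: str, identity: bytes, peer_identity: bytes, psk: bytes):
        self.name, self.identity, self.peer_identity, self.psk = name, identity, peer_identity, psk
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.key = b""

    def derive_key(self, peer_pub: int) -> None:
        # Simplified: real IKEv1 mixes the PSK with both nonces into SKEYID first.
        shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        self.key = hmac.new(self.psk, shared, hashlib.sha256).digest()

    def auth_tag(self, identity: bytes) -> bytes:
        return hmac.new(self.key, identity, hashlib.sha256).digest()

    def verify(self, identity: bytes, tag: bytes) -> bool:
        """Authentic if the ID is the configured peer ID and the tag used the same key."""
        return identity == self.peer_identity and hmac.compare_digest(tag, self.auth_tag(identity))


def choose_proposal() -> str:
    return next(p for p in PROPOSALS if p in RESPONDER_SUPPORTS)


def main_mode(i: Router, r: Router, wire: list) -> bool:
    """Six steps; identities travel only inside the encrypted payloads of steps 5 and 6."""
    wire.append((1, i.name, {"proposals": PROPOSALS}))
    wire.append((2, r.name, {"proposal": choose_proposal()}))
    wire.append((3, i.name, {"dh_public": i.pub}))
    wire.append((4, r.name, {"dh_public": r.pub}))
    i.derive_key(r.pub)
    r.derive_key(i.pub)
    blob_i = toy_cipher(i.key, i.identity + i.auth_tag(i.identity))
    wire.append((5, i.name, {"encrypted": blob_i}))
    blob_r = toy_cipher(r.key, r.identity + r.auth_tag(r.identity))
    wire.append((6, r.name, {"encrypted": blob_r}))
    plain_i = toy_cipher(r.key, blob_i)   # responder decrypts step 5 with its own key
    plain_r = toy_cipher(i.key, blob_r)   # initiator decrypts step 6
    return r.verify(plain_i[:-32], plain_i[-32:]) and i.verify(plain_r[:-32], plain_r[-32:])


def aggressive_mode(i: Router, r: Router, wire: list) -> bool:
    """Three steps; both identities are sent in the clear."""
    msg1 = {"proposals": PROPOSALS, "dh_public": i.pub, "identity": i.identity}
    wire.append((1, i.name, msg1))
    r.derive_key(i.pub)
    msg2 = {"proposal": choose_proposal(), "dh_public": r.pub,
            "identity": r.identity, "auth": r.auth_tag(r.identity)}
    wire.append((2, r.name, msg2))
    i.derive_key(r.pub)
    msg3 = {"auth": i.auth_tag(i.identity)}
    wire.append((3, i.name, msg3))
    return i.verify(msg2["identity"], msg2["auth"]) and r.verify(msg1["identity"], msg3["auth"])


def identities_on_wire(wire: list, identities: list) -> set:
    """Identities a passive observer can read straight out of the captured messages."""
    seen = set()
    for _step, _sender, fields in wire:
        for value in fields.values():
            if isinstance(value, bytes):
                seen.update(ident for ident in identities if ident in value)
    return seen


def run(mode, psk_i: bytes = b"constructed-psk", psk_r: bytes = b"constructed-psk"):
    """Run one exchange; returns (authenticated?, identities visible on the wire)."""
    zywall = Router("ZyWALL", b"tom@yourcompany.com", b"1.1.1.2", psk_i)
    remote = Router("remote", b"1.1.1.2", b"tom@yourcompany.com", psk_r)
    wire = []
    return mode(zywall, remote, wire), identities_on_wire(wire, [zywall.identity, remote.identity])


if __name__ == "__main__":
    print("main mode:      ", run(main_mode))
    print("aggressive mode:", run(aggressive_mode))
```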

14.3.1.5 VPN, NAT, and NAT Traversal

In the following example, there is another router (A) between router X and router Y.

Figure 148 VPN/NAT Example

If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel.

Most routers like router A now have an IPSec pass-through feature. This feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Section 14.6.2 on page 273 for more information about active protocols.)

If router A does not have an IPSec pass-through or if the active protocol is AH, you can solve this problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to the IKE SA and IPSec SA packets. If you configure router A to forward these packets unchanged, router X and router Y can establish a VPN tunnel.

You have to do the following things to set up NAT traversal.

  • Enable NAT traversal on the ZyWALL and remote IPSec router.
  • Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.)

The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ZyWALL and remote IPSec router support.
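A classifier for the UDP port 500 and 4500 traffic a NAT router in the path has to forward, as an added example (not ZyXEL code). It assumes the standard NAT traversal encoding (RFC 3948): on port 4500, IKE packets start with a 4-byte zero non-ESP marker, UDP-encapsulated ESP packets start with their SPI, and a single 0xFF byte is a NAT keepalive; the sample packets are constructed.

```python
"""Classify the UDP datagrams an IKE/IPSec peer behind NAT sends and receives.

Added example, not ZyXEL code.  IKE runs on UDP port 500; with NAT traversal
the peers move to UDP port 4500, where IKE packets carry a 4-byte zero
"non-ESP marker" and ESP packets are UDP-encapsulated with their SPI first
(RFC 3948); a lone 0xFF byte is a NAT keepalive.  Handy both for checking what
a NAT router must forward and for spotting aggressive-mode exchanges in a
capture.  The packets built below are constructed for the demo.
"""
import struct

IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKEV1_EXCHANGE = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
ISAKMP_HEADER = "!8s8sBBBBII"   # cookies, next payload, version, exchange, flags, msg id, length


def parse_ike_header(data: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header."""
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    icookie, rcookie, _next, version, exch, _flags, msg_id, length = struct.unpack(
        ISAKMP_HEADER, data[:28])
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": IKEV1_EXCHANGE.get(exch, f"type {exch}"),
        "message_id": msg_id,
        "length": length,
    }


def classify_datagram(dst_port: int, payload: bytes) -> dict:
    """Say what a UDP datagram addressed to port 500 or 4500 carries."""
    if dst_port == IKE_PORT:
        return {"kind": "ike", **parse_ike_header(payload)}
    if dst_port == NATT_PORT:
        if payload == b"\xff":
            return {"kind": "nat-keepalive"}
        if payload.startswith(NON_ESP_MARKER):
            return {"kind": "ike-over-natt", **parse_ike_header(payload[4:])}
        if len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])
            return {"kind": "esp-in-udp", "spi": f"{spi:08x}", "sequence": seq}
        raise ValueError("short UDP 4500 payload")
    return {"kind": "not-ike-or-ipsec", "port": dst_port}


def build_ike(exchange_type: int, natt: bool = False) -> bytes:
    """Constructed IKEv1 header with an empty body (demo input only)."""
    hdr = struct.pack(ISAKMP_HEADER, b"\x01" * 8, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, 28)
    return (NON_ESP_MARKER + hdr) if natt else hdr


def build_esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed UDP-encapsulated ESP packet: SPI, sequence number, opaque body."""
    return struct.pack("!II", spi, seq) + body


if __name__ == "__main__":
    samples = [
        (IKE_PORT, build_ike(2)),
        (NATT_PORT, build_ike(4, natt=True)),
        (NATT_PORT, build_esp(0xC0FFEE01, 7)),
        (NATT_PORT, b"\xff"),
    ]
    for port, pkt in samples:
        print(port, classify_datagram(port, pkt))
```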

14.4 Additional IPSec VPN Topics

This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted.

14.4.1 SA Life Time

SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations:

  • There is traffic when the SA life time expires
  • The IPSec SA is configured on the ZyWALL as nailed up (see below)


Otherwise, the ZyWALL must re-negotiate the SA the next time someone wants to send traffic.

If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected.

An IPSec SA can be set to nailed up. Normally, the ZyWALL drops the IPSec SA when the life time expires or after two minutes of outbound traffic with no inbound traffic. If you set the IPSec SA to nailed up, the ZyWALL automatically renegotiates the IPSec SA when the SA life time expires, and it does not drop the IPSec SA if there is no inbound traffic.


The SA life time and nailed up settings only apply if the rule identifies the remote IPSec router by a static IP address or a domain name. If the Remote Gateway Address field is set to 0.0.0.0, the ZyWALL cannot initiate the tunnel (and cannot renegotiate the SA).

14.4.2 IPSec High Availability

IPSec high availability (also known as VPN high availability) allows you to use a redundant (backup) VPN connection to another WAN interface on the remote IPSec router if the primary (regular) VPN connection goes down.

In the following figure, if the primary VPN tunnel (A) goes down, the ZyWALL uses the redundant VPN tunnel (B).

Figure 149 IPSec High Availability

When setting up an IPSec high availability VPN tunnel, the remote IPSec router:

  • Must have multiple WAN connections
  • Only needs to configure one corresponding IPSec rule
  • Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections
  • Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.0)
  • Should use a WAN connectivity check to this ZyWALL's WAN IP address

If the remote IPSec router is not a ZyWALL, you may also want to avoid setting the IPSec rule to nailed up.

14.4.3 Encryption and Authentication Algorithms

In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The encryption algorithms are listed here in order from weakest to strongest.

  • Data Encryption Standard (DES) is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
  • Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively tripling the strength of DES.
  • Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES.

Use the commands to have the AES encryption apply 192-bit or 256-bit keys to 128-bit blocks of data.

You can select one of the following authentication algorithms for each proposal. The algorithms are listed here in order from weakest to strongest.

  • MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
  • SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.

14.5 VPN Rules (IKE) Gateway Policy Edit

In the VPN Rule (IKE) screen, click the add gateway policy icon or the edit icon to display the VPN - Gateway Policy - Edit screen.

Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.

Figure 150 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy

The following table describes the labels in this screen.

Table 84 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy

LABEL | DESCRIPTION
Property
Name | Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
NAT Traversal | Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. Note: The remote IPSec router must also have NAT traversal enabled. See Section 14.3.1.5 on page 265 for more information. You can use NAT traversal with the ESP protocol using Transport or Tunnel mode, but not with the AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind the NAT router.
Gateway Policy Information
My ZyWALL | When the ZyWALL is in router mode, this field identifies the WAN IP address or domain name of the ZyWALL. You can select My Address and enter the ZyWALL's static WAN IP address (if it has one) or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. Otherwise, you can select My Domain Name and choose one of the dynamic domain names that you have configured (in the DDNS screen) to have the ZyWALL use that dynamic domain name's IP address. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL's IP address. The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after setup.
Primary Remote Gateway | Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. In order to have more than one active rule with the Remote Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Remote Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Remote Gateway Address field set to 0.0.0.0.
Enable IPSec High Availability | Turn on the high availability feature to use a redundant (backup) VPN connection to another WAN interface on the remote IPSec router if the primary (regular) VPN connection goes down. The remote IPSec router must have a second WAN connection in order for you to use this. To use this, you must identify both the primary and the redundant remote IPSec routers by WAN IP address or domain name (you cannot set either to 0.0.0.0).
Redundant Remote Gateway | Type the WAN IP address or the domain name (up to 31 characters) of the backup IPSec router to use when the ZyWALL cannot connect to the primary remote gateway.
Fall back to Primary Remote Gateway when possible | Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again.
Fall Back Check Interval* | Set how often the ZyWALL should check the connection to the primary remote gateway while connected to the redundant remote gateway. Each gateway policy uses one or more network policies. If the fall back check interval is shorter than a network policy's SA life time, the fall back check interval is used as the check interval and network policy SA life time. If the fall back check interval is longer than a network policy's SA life time, the SA lifetime is used as the check interval and network policy SA life time.
Authentication Key
Pre-Shared Key | Select the Pre-Shared Key radio button and type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Certificate | Select the Certificate radio button to identify the ZyWALL by a certificate. Use the drop-down list box to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen where you can view the ZyWALL's list of certificates.
Local ID Type | Select IP to identify this ZyWALL by its IP address. Select DNS to identify this ZyWALL by a domain name. Select E-mail to identify this ZyWALL by an e-mail address. You do not configure the local ID type and content when you set Authentication Key to Certificate. The ZyWALL takes them from the certificate you select.
Content | When you select IP in the Local ID Type field, type the IP address of your computer in the local Content field. The ZyWALL automatically uses the IP address in the My ZyWALL field (refer to the My ZyWALL field description) if you configure the local Content field to 0.0.0.0 or leave it blank. It is recommended that you type an IP address other than 0.0.0.0 in the local Content field or use the DNS or E-mail ID type in the following situations: 1. When there is a NAT router between the two IPSec routers. 2. When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses. When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this ZyWALL in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
Peer ID Type | Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address. Select from the following when you set Authentication Key to Certificate. Select IP to identify the remote IPSec router by the IP address in the subject alternative name field of the certificate it uses for this VPN connection. Select DNS to identify the remote IPSec router by the domain name in the subject alternative name field of the certificate it uses for this VPN connection. Select E-mail to identify the remote IPSec router by the e-mail address in the subject alternative name field of the certificate it uses for this VPN connection. Select Subject Name to identify the remote IPSec router by the subject name of the certificate it uses for this VPN connection. Select Any to have the ZyWALL not check the remote IPSec router's ID.
Content | The configuration of the peer content depends on the peer ID type. Do the following when you set Authentication Key to Pre-shared Key. For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyWALL will use the address in the Remote Gateway Address field (refer to the Remote Gateway Address field description). For DNS or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations: 1. When there is a NAT router between the two IPSec routers. 2. When you want the ZyWALL to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses. Do the following when you set Authentication Key to Certificate. 1. For IP, type the IP address from the subject alternative name field of the certificate the remote IPSec router will use for this VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyWALL will use the address in the Remote Gateway Address field (refer to the Remote Gateway Address field description). 2. For DNS or E-mail, type the domain name or e-mail address from the subject alternative name field of the certificate the remote IPSec router will use for this VPN connection. 3. For Subject Name, type the subject name of the certificate the remote IPSec router will use for this VPN connection. Use up to 255 ASCII characters including spaces. 4. For Any, the peer Content field is not available. 5. Regardless of how you configure the ID Type and Content fields, two active IPSec SAs cannot have both the local and remote IP address ranges overlap between rules.
Extended Authentication
Enable Extended Authentication | Select this check box to activate extended authentication.
Server Mode | Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients' usernames and passwords in the authentication server's local user database or a RADIUS server (see Chapter 16 on page 323). Click Local User to go to the Local User Database screen where you can view and/or edit the list of user names and passwords. Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server. During authentication, if the ZyWALL (in server mode) does not find the extended authentication clients' user name in its internal user database and an external RADIUS server has been enabled, it attempts to authenticate the client through the RADIUS server.
Client Mode | Select Client Mode to have your ZyWALL use a username and password when initiating this VPN connection to the extended authentication server ZyWALL. Only a VPN extended authentication client can initiate this VPN connection.
User Name | Enter a user name for your ZyWALL to be authenticated by the VPN peer (in server mode). The user name can be up to 31 case-sensitive ASCII characters, but spaces are not allowed. You must enter a user name and password when you select client mode.
Password | Enter the corresponding password for the above user name. The password can be up to 31 case-sensitive ASCII characters, but spaces are not allowed.
IKE Proposal
Negotiation Mode | Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm | Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm; 3DES - a 168-bit key with the DES encryption algorithm; AES - a 128-bit key with the AES encryption algorithm. The ZyWALL and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.
Authentication Algorithm | Select which hash algorithm to use to authenticate packet data in the IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
SA Life Time (Seconds) | Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 180 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Key Group | Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: DH1 - use a 768-bit random number; DH2 - use a 1024-bit random number.
Enable Multiple Proposals | Select this to allow the ZyWALL to use any of its phase 1 key groups and encryption and authentication algorithms when negotiating an IKE SA. When you enable multiple proposals, the ZyWALL allows the remote IPSec router to select which phase 1 key groups and encryption and authentication algorithms to use for the IKE SA, even if they are less secure than the ones you configure for the VPN rule. Clear this to have the ZyWALL use only the configured phase 1 key groups and encryption and authentication algorithms when negotiating an IKE SA.
Associated Network Policies | The following table shows the policy(ies) you configure for this rule. To add a VPN policy, click the add network policy icon in the VPN Rules (IKE) screen (see Figure 144 on page 260). Refer to Section 14.7 on page 275 for more information.
# | This field displays the policy index number.
Name | This field displays the policy name.
Local Network | This field displays one or a range of IP address(es) of the computer(s) behind the ZyWALL.
Remote Network | This field displays one or a range of IP address(es) of the remote network behind the remote IPsec router.
Apply | Click Apply to save your changes back to the ZyWALL.
Cancel | Click Cancel to exit this screen without saving.
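An offline checker for the gateway policy limits and caveats Table 84 states, as an added example (not ZyXEL code). The dictionary keys, the 28800-second life time and the sample policies are constructed for this example and are not ZyWALL CLI or API names.

```python
"""Offline checks for the VPN gateway policy fields described in Table 84.

Added example, not ZyXEL code.  It encodes the limits the table states
(name length, pre-shared key format, gateway address rules for IPSec high
availability, NAT traversal versus AH or manual keys, IKE SA life time,
extended authentication credentials) and flags the two settings the table
calls out as weaker: peer ID type Any and Enable Multiple Proposals.  The
policy dictionary keys and the sample policies are constructed.
"""
from __future__ import annotations

import re

HEX_PSK = re.compile(r"^0x[0-9A-Fa-f]{16,62}$")
GATEWAY_FIELDS = ("primary_remote_gateway", "redundant_remote_gateway")


def psk_is_valid(psk: str) -> bool:
    """8-31 case-sensitive ASCII characters, or 0x followed by 16-62 hex digits."""
    if psk.startswith("0x"):
        return HEX_PSK.match(psk) is not None
    return 8 <= len(psk) <= 31 and psk.isascii() and psk.isprintable()


def _credential_ok(value: str) -> bool:
    """User name / password: 1-31 ASCII characters, no spaces."""
    return 1 <= len(value) <= 31 and value.isascii() and " " not in value


def validate_gateway_policy(p: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    name = p.get("name", "").rstrip()            # the ZyWALL drops trailing spaces
    if not 1 <= len(name) <= 32:
        findings.append("Name must be 1-32 characters")
    if p.get("auth") == "psk" and not psk_is_valid(p.get("psk", "")):
        findings.append("Pre-Shared Key must be 8-31 ASCII chars or 0x plus 16-62 hex chars")
    if p.get("nat_traversal"):
        if "AH" in p.get("network_active_protocols", ()):
            findings.append("NAT traversal cannot be used with the AH protocol")
        if p.get("manual_key"):
            findings.append("NAT traversal cannot be used with manual key management")
    if p.get("ha_enabled"):
        for field in GATEWAY_FIELDS:
            if p.get(field, "0.0.0.0") == "0.0.0.0":
                findings.append(f"IPSec high availability needs a WAN address or name in {field}")
    for field in GATEWAY_FIELDS:
        if len(p.get(field, "")) > 31:
            findings.append(f"{field} is limited to 31 characters")
    if not 180 <= p.get("sa_life_time", 0) <= 3_000_000:
        findings.append("IKE SA Life Time must be set to 180-3,000,000 seconds")
    if p.get("xauth") == "client":
        if not (_credential_ok(p.get("user_name", "")) and _credential_ok(p.get("password", ""))):
            findings.append("client mode needs a user name and password, 1-31 ASCII chars, no spaces")
    if p.get("peer_id_type") == "Any":
        findings.append("warning: peer ID type Any does not check the remote router's ID")
    if p.get("multiple_proposals"):
        findings.append("warning: multiple proposals let the peer pick weaker phase 1 algorithms")
    return findings


# Constructed sample policies; the key value 0x0123456789ABCDEF is the table's own example.
GOOD_POLICY = {
    "name": "hq-to-branch", "auth": "psk", "psk": "0x0123456789ABCDEF",
    "nat_traversal": True, "network_active_protocols": ["ESP"],
    "primary_remote_gateway": "1.1.1.2", "sa_life_time": 28800, "peer_id_type": "IP",
}
BAD_POLICY = {
    "name": "x" * 40, "auth": "psk", "psk": "short",
    "nat_traversal": True, "network_active_protocols": ["AH"],
    "ha_enabled": True, "primary_remote_gateway": "1.1.1.2", "redundant_remote_gateway": "0.0.0.0",
    "sa_life_time": 60, "xauth": "client", "user_name": "tom smith", "password": "secret",
    "peer_id_type": "Any", "multiple_proposals": True,
}

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, validate_gateway_policy(policy) or "no findings")
```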

14.6 IPSec SA Overview

Once the ZyWALL and remote IPSec router have established the IKE SA, they can securely negotiate an IPSec SA through which to send data between computers on the networks.


The IPSec SA stays connected even if the underlying IKE SA is not available anymore.

This section introduces the key components of an IPSec SA.

14.6.1 Local Network and Remote Network

In IPSec SA, the local network, the one(s) connected to the ZyWALL, may be called the local policy. Similarly, the remote network, the one(s) connected to the remote IPSec router, may be called the remote policy.

14.6.2 Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406).


The ZyWALL and remote IPSec router must use the same active protocol.

Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.

14.6.3 Encapsulation

There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.


The ZyWALL and remote IPSec router must use the same encapsulation.

These modes are illustrated below.

Figure 151 VPN: Transport and Tunnel Mode Encapsulation

In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers:

  • Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever is the destination.
  • Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL or remote IPSec router. The header for the active protocol (AH or ESP) appears between the IP headers.

In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL includes part of the original IP header when it encapsulates the packet. With ESP, however, the ZyWALL does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address.

14.6.4 IPSec SA Proposal and Perfect Forward Secrecy

An IPSec SA proposal is similar to an IKE SA proposal (see Section 14.3.1 on page 261), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).

If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.

If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys.

The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.

14.7 VPN Rules (IKE): Network Policy Edit

Click SECURITY > VPN and the add network policy icon in the VPN Rules (IKE) screen to display the VPN - Network Policy - Edit screen. Use this screen to configure a network policy. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.

Figure 152 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy

The following table describes the labels in this screen.

Table 85 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy

LABEL | DESCRIPTION
Active | If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel. If you clear the Active check box while the tunnel is up (and click Apply), you turn off the network policy and the tunnel goes down.
Name | Type a name to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Protocol | Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
Nailed-Up | Select this check box to turn on the nailed up feature for this SA. Turn on nailed up to have the ZyWALL automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The ZyWALL also reinitiates the SA when it restarts. The ZyWALL also rebuilds the tunnel if it was disconnected due to the output or input idle timer.
Allow NetBIOS Traffic Through IPSec Tunnel | This field is not available when the ZyWALL is in bridge mode. NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa. Select this check box to send NetBIOS packets through the VPN connection.
Check IPSec Tunnel Connectivity | Select the check box and configure an IP address in the Ping this Address field to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router. The ZyWALL pings the IP address every minute. The ZyWALL starts the IPSec connection idle timeout timer when it sends the ping packet. If there is no traffic from the remote IPSec router by the time the timeout period expires, the ZyWALL disconnects the VPN tunnel.
Log | Select this check box to set the ZyWALL to create logs when it cannot ping the remote device.
Ping this Address | If you select Check IPSec Tunnel Connectivity, enter the IP address of a computer at the remote IPSec network. The computer's IP address must be in this IP policy's remote range (see the Remote Network fields).
Gateway Policy Information
Gateway Policy | Select the gateway policy with which you want to use the VPN policy.
Local Network | Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Address Type | Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
Starting IP Address | When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address / Subnet Mask | When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL.
Local Port | 0 is the default and signifies any port. Type a port number from 0 to 65535 in the Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
Remote Network | Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Address Type | Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
Starting IP Address | When the Address Type field is configured to Single Address, enter a (static) IP address on the network behind the remote IPSec router. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a (static) IP address on the network behind the remote IPSec router.
Ending IP Address / Subnet Mask | When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a subnet mask on the network behind the remote IPSec router.
Remote Port | 0 is the default and signifies any port. Type a port number from 0 to 65535 in the Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
IPSec Proposal
Encapsulation Mode | Select Tunnel mode or Transport mode.
Active Protocol | Select the security protocols used for an SA. Both AH and ESP increase processing requirements and communications latency (delay).
Encryption Algorithm | Select which key size and encryption algorithm to use in the IKE SA. Choices are: NULL - no encryption key or algorithm; DES - a 56-bit key with the DES encryption algorithm; 3DES - a 168-bit key with the DES encryption algorithm; AES - a 128-bit key with the AES encryption algorithm. The ZyWALL and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting in increased latency and decreased throughput.
Authentication Algorithm | Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
SA Life Time (Seconds) | Define the length of time before an IPSec SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secret (PFS)Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:NONE - disable PFSDH1 - enable PFS and use a 768-bit random numberDH2 - enable PFS and use a 1024-bit random numberPFS changes the root key that is used to generate encryption keys for each IPSec SA. It is more secure but takes more time.
Enable Replay DetectionAs a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DOS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by selecting this check box.
Enable Multiple ProposalsSelect this to allow the ZyWALL to use any of its phase 2 encryption and authentication algorithms when negotiating an IPSec SA.When you enable multiple proposals, the ZyWALL allows the remote IPSec router to select which phase 2 encryption and authentication algorithms to use for the IPSec SA, even if they are less secure than the ones you configure for the VPN rule.Clear this to have the ZyWALL use only the configured phase 2 encryption and authentication algorithms when negotiating an IPSec SA.
ApplyClick Apply to save the changes.
CancelClick Cancel to discard all changes and return to the main VPN screen.

14.8 VPN Rules (IKE): Network Policy Move

Click the move ( ) icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen.

A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gateway policy and one or more network policies.

  • The gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel.
  • The network policy contains the IPSec SA settings. It specifies which devices (behind the IPSec routers) can use the VPN tunnel.

Use this screen to associate a network policy to a gateway policy.

Figure 153 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy

The following table describes the labels in this screen.

Table 86 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy

LABEL | DESCRIPTION
Network Policy Information | The following fields display the general network settings of this VPN policy.
Name | This field displays the policy name.
Local Network | This field displays one or a range of IP address(es) of the computer(s) behind the ZyWALL.
Remote Network | This field displays one or a range of IP address(es) of the remote network behind the remote IPSec router.
Gateway Policy Information
Gateway Policy | Select the name of a VPN rule (or gateway policy) to which you want to associate this VPN network policy. If you do not want to associate a network policy to any gateway policy, select Recycle Bin from the drop-down list box. The Recycle Bin gateway policy is a virtual placeholder for any network policy(ies) without an associated gateway policy. When there is a network policy in Recycle Bin, the Recycle Bin gateway policy automatically displays in the VPN Rules (IKE) screen.
Apply | Click Apply to save the changes.
Cancel | Click Cancel to discard all changes and return to the main VPN screen.

14.9 Dialing the VPN Tunnel via Web Configurator

To test whether the IPSec routers can build the VPN tunnel, click the dial ( ) icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel. If you find a disconnect ( ) icon next to the rule you just created in the VPN Rules (IKE) screen, the ZyWALL automatically built the VPN tunnel. Go to the SA Monitor screen to view a list of connected VPN tunnels. See Section 14.15 on page 289 for more information.

Figure 154 VPN Rule Configured

The following screen displays.

Figure 155 VPN Dial

This screen displays later if the IPSec routers can build the VPN tunnel.

Figure 156 VPN Tunnel Established

14.10 VPN Troubleshooting

If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers.

Check the settings in each field methodically and slowly.

14.10.1 VPN Log

The system log can often help to identify a configuration problem.

Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel.

View the log via the web configurator LOGS View Log screen or type sys log disp from SMT Menu 24.8. See Section 25.5 on page 434 for information on the log messages.

Figure 157 VPN Log Example
ras>sys log disp ike ipsec

.time source destination notes message

0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE
Rule [ex-1] Tunnel built successfully
1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE
The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE
Send:[HASH]
3|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE
The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
4|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE
Adjust TCP MSS to 1398
5|01/11/2001 18:47:22 |5.1.2.3 |5.6.7.8 |IKE
Recv:[HASH][SA][NONCE][ID][ID]
6|01/11/2001 18:47:22 |5.1.2.3 |5.6.7.8 |IKE
The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
7|01/11/2001 18:47:21 |5.6.7.8 |5.1.2.3 |IKE
IKE Packet Retransmit
8|01/11/2001 18:47:21 |5.6.7.8 |5.1.2.3 |IKE
The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
9|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE
Send:[HASH][SA][NONCE][ID][ID]
10|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE
The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
11|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE
Start Phase 2:Quick Mode
12|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE
The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
13|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE
Phase 1 IKE SA process done
14|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE
The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
15|01/11/2001 18:47:17 |5.1.2.3 |5.6.7.8 |IKE
Recv:[ID][HASH][NOTFY:INIT CONTACT]9C3F7DCA
16|01/11/2001 18:47:17 |5.1.2.3 |5.6.7.8 |IKE
The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
17|01/11/2001 18:47:15 |5.6.7.8 |5.1.2.3 |IKE
Send:[ID][HASH][NOTFY:INIT CONTACT]9C3F7DCA
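The log above has a fixed two-line-per-entry layout (an index, timestamp, source, destination and notes line, then the message line), so when troubleshooting it can be parsed and reduced to the negotiation milestones the ZyWALL names. The following is an added Python example, not ZyXEL code: the sample log is constructed in the Figure 157 layout, the function names are hypothetical, and the mapping of a phase 1 failure to the gateway policy and a phase 2 failure to the network policy follows from Section 14.8's description of which policy holds the IKE SA and the IPSec SA settings.

```python
"""Added example (not ZyXEL code): parse 'sys log disp ike ipsec' output in the
Figure 157 layout and report how far the IKE negotiation got.
Function names are hypothetical; SAMPLE_LOG is constructed in that layout."""
import re
from dataclasses import dataclass, field
from typing import List, Set

# One entry spans two lines: "index|date time |source |destination |notes",
# followed by the message text on the next line.
HEADER = re.compile(
    r"^(\d+)\|(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|(\S+) \|(\S+) \|(\S+)$")

SAMPLE_LOG = """\
ras>sys log disp ike ipsec
.time source destination notes message
0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE
Rule [ex-1] Tunnel built successfully
1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 |IKE
The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2|01/11/2001 18:47:22 |5.1.2.3 |5.6.7.8 |IKE
Recv:[HASH][SA][NONCE][ID][ID]
3|01/11/2001 18:47:21 |5.6.7.8 |5.1.2.3 |IKE
IKE Packet Retransmit
4|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE
Send:[HASH][SA][NONCE][ID][ID]
5|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE
Start Phase 2:Quick Mode
6|01/11/2001 18:47:17 |5.6.7.8 |5.1.2.3 |IKE
Phase 1 IKE SA process done
7|01/11/2001 18:47:15 |5.6.7.8 |5.1.2.3 |IKE
Send:[ID][HASH][NOTFY:INIT CONTACT]
"""


@dataclass
class LogEntry:
    index: int
    time: str
    source: str
    destination: str
    notes: str
    message: str


@dataclass
class Summary:
    phase1_done: bool = False
    phase2_started: bool = False
    tunnel_built: bool = False
    retransmits: int = 0
    rule: str = ""
    cookie_pairs: Set[str] = field(default_factory=set)


def parse_ike_log(text: str) -> List[LogEntry]:
    """Return entries oldest first (the ZyWALL prints the newest entry as index 0)."""
    lines = text.splitlines()
    entries: List[LogEntry] = []
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i].strip())
        if m and i + 1 < len(lines):
            entries.append(LogEntry(int(m[1]), m[2], m[3], m[4], m[5],
                                    lines[i + 1].strip()))
            i += 2
        else:
            i += 1  # prompt, column header or blank line
    return sorted(entries, key=lambda e: e.index, reverse=True)


def summarize(entries: List[LogEntry]) -> Summary:
    """Pick out the milestones the ZyWALL names in its IKE messages."""
    s = Summary()
    for e in entries:
        msg = e.message
        if "Phase 1 IKE SA process done" in msg:
            s.phase1_done = True
        elif msg.startswith("Start Phase 2"):
            s.phase2_started = True
        elif "Tunnel built successfully" in msg:
            s.tunnel_built = True
            m = re.search(r"Rule \[(.+?)\]", msg)
            s.rule = m[1] if m else ""
        elif "IKE Packet Retransmit" in msg:
            s.retransmits += 1
        elif msg.startswith("The cookie pair is"):
            s.cookie_pairs.add(msg.split(":", 1)[1].strip())
    return s


def diagnose(s: Summary) -> str:
    """Name the policy to compare at both ends, based on where negotiation stopped:
    the gateway policy holds the IKE SA (phase 1) settings, the network policy
    holds the IPSec SA (phase 2) settings."""
    if s.tunnel_built:
        return f"tunnel built for rule {s.rule} after {s.retransmits} retransmit(s)"
    if not s.phase1_done:
        return "phase 1 (IKE SA) never completed: compare the gateway policy settings at both ends"
    if not s.phase2_started:
        return "phase 1 done but phase 2 never started: check the network policy is associated and active"
    return "phase 2 (IPSec SA) did not complete: compare the network policy proposal and local/remote networks"
```

Running `diagnose(summarize(parse_ike_log(SAMPLE_LOG)))` on the sample yields the "tunnel built" verdict with one retransmit counted; feed it a captured log that stops earlier and it names the policy to check.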

14.11 IPSec Debug

If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the output of the IPSec debug feature, which is available through the command interpreter.


If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information. Type ipsec debug level 0 and press [ENTER] to stop it.

Figure 158 IKE/IPSec Debug Example
ras>ipsec debug type level display
ras>ipsec debug type <0:Disable | 1:Original on|off | 2:IKE on|off | 3: IPSec [SPI]on|off 4:XAUTH on|off | 5:CERT on|off | 6:All>
ras>ipsec debug level <0:None | 1:User | 2:Low | 3:High>
ras>ipsec debug type 1 on
ras>ipsec debug type 2 on
ras>ipsec debug level 3
ras>ipsec dial 1
get_ipsec_SA_by_policyIndex(): Start dialing for tunnel rule# 1...
ikeStartNegotiate(): saIndex<0> peerIp<5.1.2.3> protocol:(3)
peer Ip < 5 .1.2.3
initiator(): type, exch
initiator : protocol: IPSEC_ESP, exchange mode: Main mode
find_ipsec_SA(): find ipsec sa
Not found
Not found
isadb_is_outstanding_req(): isakmp is outstanding req : SA not found
isadb_create_entry(): >> INITIATOR
isadb_get_entry_by_addr(): Get IKE entry by address: SA not found
SA not found
ISAKMP SA created for peer size<900>
ISAKMP SA created for peer size<900>
ISAKMP SA built, ikePeer.s0
ISAKMP SA built, index = 0
isadb_create_entry(): done create IKE entry
done
initiator(): find myIpAddr = 0.0.0.0 , use <5.6.7.8>
r

14.12 IPSec SA Using Manual Keys

You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA.

In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not establish an IKE SA. They only establish an IPSec SA. As a result, an IPSec SA using manual keys has some characteristics of an IKE SA and some characteristics of an IPSec SA. There are also some differences between an IPSec SA using manual keys and other types of SA.

14.12.1 IPSec SA Proposal Using Manual Keys

In IPSec SA using manual keys, you can only specify one encryption algorithm and one authentication algorithm. You cannot specify several proposals. There is no DH key exchange, so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use.


The ZyWALL and remote IPSec router must use the same encryption key and authentication key.

14.12.2 Authentication and the Security Parameter Index (SPI)

For authentication, the ZyWALL and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number.


The ZyWALL and remote IPSec router must use the same SPI.

14.13 VPN Rules (Manual)

Refer to Figure 143 on page 259 for a graphical representation of the fields in the web configurator.

Click SECURITY > VPN > VPN Rules (Manual) to open the VPN Rules (Manual) screen.

Use this screen to manage the ZyWALL's list of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management.

Figure 159 SECURITY > VPN > VPN Rules (Manual)

The following table describes the labels in this screen.

Table 87 SECURITY > VPN > VPN Rules (Manual)

LABEL | DESCRIPTION
# | This is the VPN policy index number.
Name | This field displays the identification name for this VPN policy.
Active | This field displays whether the VPN policy is active or not. A Yes signifies that this VPN policy is active. No signifies that this VPN policy is not active.
Local Network | This is the IP address(es) of computer(s) on your local network behind your ZyWALL. The same (static) IP address is displayed twice when the Local Network Address Type field in the VPN - Manual Key - Edit screen is configured to Single Address. The beginning and ending (static) IP addresses in a range of computers are displayed when the Local Network Address Type field in the VPN - Manual Key - Edit screen is configured to Range Address. A (static) IP address and a subnet mask are displayed when the Local Network Address Type field in the VPN - Manual Key - Edit screen is configured to Subnet Address.
Remote Network | This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Remote Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. The same (static) IP address is displayed twice when the Remote Network Address Type field in the VPN - Manual Key - Edit screen is configured to Single Address. The beginning and ending (static) IP addresses in a range of computers are displayed when the Remote Network Address Type field in the VPN - Manual Key - Edit screen is configured to Range Address. A (static) IP address and a subnet mask are displayed when the Remote Network Address Type field in the VPN - Manual Key - Edit screen is configured to Subnet Address.
Encap. | This field displays Tunnel or Transport mode (Tunnel is the default selection).
IPSec Algorithm | This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Remote Gateway Address | This is the static WAN IP address or domain name of the remote IPSec router.
Modify | Click the edit icon to edit the VPN policy. Click the delete icon to remove the VPN policy. A window displays asking you to confirm that you want to delete the VPN rule. When a VPN policy is deleted, subsequent policies move up in the page list.
Add | Click Add to add a new VPN policy.

14.14 VPN Rules (Manual): Edit

Click the Add button or the edit icon on the VPN Rules (Manual) screen to open the following screen. Use this screen to configure VPN rules that use manual keys. Manual key management is useful if you have problems with IKE key management.

See Section 14.12 on page 284 for more information about IPSec SAs using manual keys.

Figure 160 SECURITY > VPN > VPN Rules (Manual) > Edit

The following table describes the labels in this screen.

Table 88 SECURITY >VPN>VPN Rules (Manual) > Edit

LABEL | DESCRIPTION
Property
Active | Select this check box to activate this VPN policy.
Name | Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Allow NetBIOS Traffic Through IPSec Tunnel | This field is not available when the ZyWALL is in bridge mode. NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to find other computers. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa. Select this check box to send NetBIOS packets through the VPN connection.
Local Network | Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Address Type | Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
Starting IP Address | When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address / Subnet Mask | When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network | Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Address Type | Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
Starting IP Address | When the Address Type field is configured to Single Address, enter a (static) IP address on the network behind the remote IPSec router. When the Address Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a (static) IP address on the network behind the remote IPSec router.
Ending IP Address / Subnet Mask | When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a subnet mask on the network behind the remote IPSec router.
Gateway Policy Information
My ZyWALL | When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. If the WAN connection goes down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. The VPN tunnel has to be rebuilt if this IP address changes. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL's IP address.
Primary Remote Gateway | Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection.
Manual Proposal
SPI | Type a unique SPI (Security Parameter Index) from one to four characters long. Valid characters are the digits 0 to 9.
Encapsulation Mode | Select Tunnel mode or Transport mode from the drop-down list box.
Active Protocol | Select ESP if you want to use ESP (Encapsulating Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next). Select AH if you want to use AH (Authentication Header Protocol). The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field (described next).
Encryption Algorithm | Select DES, 3DES or NULL from the drop-down list box. When DES is used for data communications, both sender and receiver must know the Encryption Key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm | Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Encryption Key | This field is applicable when you select ESP in the Active Protocol field above. With DES, type a unique key 8 characters long. With 3DES, type a unique key 24 characters long. Any characters may be used, including spaces, but trailing spaces are truncated.
Authentication Key | Type a unique authentication key to be used by IPSec if applicable. Enter 16 characters for MD5 authentication or 20 characters for SHA-1 authentication. Any characters may be used, including spaces, but trailing spaces are truncated.
Apply | Click Apply to save your changes back to the ZyWALL.
Cancel | Click Cancel to exit this screen without saving.

14.15 VPN SA Monitor

In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections.

A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections.

Figure 161 SECURITY >VPN >SA Monitor

The following table describes the labels in this screen.

Table 89 SECURITY > VPN > SA Monitor

LABEL | DESCRIPTION
# | This is the security association index number.
Name | This field displays the identification name for this VPN policy.
Local Network | This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
Remote Network | This field displays the IP address (in a range) of computers on the remote network behind the remote IPSec router.
Encapsulation | This field displays Tunnel or Transport mode.
IPSec Algorithm | This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Refresh | Click Refresh to display the current active VPN connection(s).
Disconnect | Select a security association index number that you want to disconnect and then click Disconnect.

14.16 VPN Global Setting

Click SECURITY > VPN > Global Setting to open the VPN Global Setting screen. Use this screen to change settings that apply to all of your VPN tunnels.

Figure 162 SECURITY >VPN >Global Setting

The following table describes the labels in this screen.

Table 90 SECURITY > VPN > Global Setting

LABEL | DESCRIPTION
Output Idle Timer | When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity. If the remote IPSec router does not reply, the ZyWALL automatically disconnects the VPN tunnel. Enter the time period (between 120 and 3600 seconds) to wait before the ZyWALL checks all of the VPN connections to remote IPSec routers. Enter 0 to disable this feature.
Input Idle Timer | When no traffic is received from a remote IPSec router after the specified time period, the ZyWALL checks the VPN connectivity. If the remote IPSec router does not reply, the ZyWALL automatically disconnects the VPN tunnel. Enter the time period (between 30 and 3600 seconds) to wait before the ZyWALL checks all of the VPN connections to remote IPSec routers. Enter 0 to disable this feature.
Gateway Domain Name Update Timer | If you use dynamic domain names in VPN rules to identify the ZyWALL and/or the remote IPSec router, the IP address mapped to the domain name can change. The VPN tunnel stops working after the IP address changes. Any users of the VPN tunnel are disconnected until the ZyWALL gets the new IP address from a DNS server and rebuilds the VPN tunnel. Enter the time period (between 2 and 60 minutes) to set how often the ZyWALL queries a DNS server to update the IP address and domain name mapping. If the query returns a new IP address for a dynamic domain name, the ZyWALL disconnects the VPN tunnel. The ZyWALL rebuilds the VPN tunnel (using the new IP address) immediately if the IPSec SA is set to nailed up. Otherwise the ZyWALL rebuilds the VPN tunnel when there are packets for it or you manually dial it. If the ZyWALL and all of the remote IPSec routers use static IP addresses or regular domain names, you can enter 0 to disable this feature.
Adjust TCP Maximum Segment Size | The TCP packets are larger after the ZyWALL encrypts them for VPN. The ZyWALL fragments packets that are larger than a connection's MTU (Maximum Transmission Unit). In most cases you should leave this set to Auto. The ZyWALL automatically sets the Maximum Segment Size (MSS) of the TCP packets that are to be encrypted by VPN based on the encapsulation type. Select Off to not adjust the MSS for the encrypted TCP packets. If your network environment causes fragmentation issues that are affecting your throughput performance, you can manually set a smaller MSS for the TCP packets that are to be encrypted by VPN. Select User-Defined and specify a size from 0~1460 bytes. 0 has the ZyWALL use the auto setting.
VPN rules skip applying to the overlap range of local and remote IP addresses | When you configure a VPN rule, the ZyWALL checks to make sure that the IP addresses in the local and remote networks do not overlap. Select this check box to disable the check if you need to configure a VPN policy with overlapping local and remote IP addresses. Note: If a VPN policy's local and remote IP addresses overlap, you may not be able to access the device on your LAN because the ZyWALL automatically triggers a VPN tunnel to the remote device with the same IP address.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
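The Local Network and Remote Network fields of the VPN rule edit screens (Single, Range and Subnet address types), the rule that two active SAs may not have both the same local and the same remote addresses, and the local/remote overlap check that the Global Setting above can disable, worked through as an added Python example; this is not ZyXEL code, the class and function names are hypothetical, and the "address / address" display string is an assumed rendering of the list screen's two columns.

```python
"""Added example (not ZyXEL code): model the Local/Remote Network address
types of a ZyWALL VPN rule and apply the two checks the manual describes.
All class and function names are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NetworkSpec:
    """One Local Network or Remote Network block of a VPN rule."""
    address_type: str         # "Single Address", "Range Address" or "Subnet Address"
    starting_ip: str          # Starting IP Address field
    ending_or_mask: str = ""  # Ending IP Address / Subnet Mask field (N/A for Single)

    def span(self) -> Tuple[int, int]:
        """Numeric first and last address covered by this block."""
        start = int(ipaddress.IPv4Address(self.starting_ip))
        if self.address_type == "Single Address":
            return start, start
        if self.address_type == "Range Address":
            end = int(ipaddress.IPv4Address(self.ending_or_mask))
            if end < start:
                raise ValueError("Ending IP Address is below Starting IP Address")
            return start, end
        if self.address_type == "Subnet Address":
            # The second field holds a dotted mask (e.g. 255.255.255.0); strict=False
            # lets the Starting IP be any host address inside the subnet.
            net = ipaddress.IPv4Network((self.starting_ip, self.ending_or_mask), strict=False)
            return int(net.network_address), int(net.broadcast_address)
        raise ValueError(f"unknown Address Type {self.address_type!r}")

    def display(self) -> str:
        """Render the block as the VPN Rules (Manual) list does: a single address
        shown twice, a range as start/end, a subnet as address/mask (assumed separator)."""
        if self.address_type == "Single Address":
            return f"{self.starting_ip} / {self.starting_ip}"
        return f"{self.starting_ip} / {self.ending_or_mask}"


def overlaps(a: NetworkSpec, b: NetworkSpec) -> bool:
    """True when the two blocks share at least one address."""
    a0, a1 = a.span()
    b0, b1 = b.span()
    return a0 <= b1 and b0 <= a1


@dataclass(frozen=True)
class VpnRule:
    name: str
    active: bool
    local: NetworkSpec
    remote: NetworkSpec


def local_remote_overlap(rule: VpnRule) -> bool:
    """The check the ZyWALL performs when a rule is saved; the Global Setting
    'VPN rules skip applying to the overlap range ...' turns it off."""
    return overlaps(rule.local, rule.remote)


def conflicting_active_pairs(rules: List[VpnRule]) -> List[Tuple[str, str]]:
    """Pairs of active rules whose local AND remote networks are both identical.
    Sharing only the local or only the remote network is allowed, and so is an
    identical pair as long as at most one of the two rules is active."""
    active = [r for r in rules if r.active]
    found = []
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if a.local.span() == b.local.span() and a.remote.span() == b.remote.span():
                found.append((a.name, b.name))
    return found


if __name__ == "__main__":
    # Constructed rules modelled on Table 91 (telecommuter A) plus two bad ones.
    hq = NetworkSpec("Single Address", "192.168.1.10")
    rules = [
        VpnRule("telecommuter-a", True, NetworkSpec("Single Address", "192.168.2.12"), hq),
        VpnRule("telecommuter-a-dup", True, NetworkSpec("Single Address", "192.168.2.12"), hq),
        VpnRule("bad-overlap", True,
                NetworkSpec("Subnet Address", "192.168.1.0", "255.255.255.0"),
                NetworkSpec("Range Address", "192.168.1.50", "192.168.1.60")),
    ]
    for r in rules:
        print(r.name, r.local.display(), "->", r.remote.display(),
              "OVERLAP" if local_remote_overlap(r) else "ok")
    print("active SAs with identical local and remote:", conflicting_active_pairs(rules))
```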

14.17 Telecommuter VPN/IPSec Examples

The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address.

14.17.1 Telecommuters Sharing One VPN Rule Example

See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyWALL at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers. The telecommuters must all use the same IPSec parameters but the local IP addresses (or ranges of addresses) should not overlap.

Figure 163 Telecommuters Sharing One VPN Rule Example

Table 91 Telecommuters Sharing One VPN Rule Example

FIELDS | TELECOMMUTERS | HEADQUARTERS
My ZyWALL | 0.0.0.0 (dynamic IP address assigned by the ISP) | Public static IP address
Remote Gateway Address | Public static IP address | 0.0.0.0 (with this IP address only the telecommuter can initiate the IPSec tunnel)
Local Network - Single IP Address | Telecommuter A: 192.168.2.12; Telecommuter B: 192.168.3.2; Telecommuter C: 192.168.4.15 | 192.168.1.10
Remote Network - Single IP Address | 192.168.1.10 | Not Applicable

14.17.2 Telecommuters Using Unique VPN Rules Example

In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).

With aggressive negotiation mode (see Section 14.3.1.4 on page 264), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyWALL at headquarters can overlap. The local IP addresses of the rules configured on the telecommuters' IPSec routers should not overlap.

See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection.

The ZyWALL at headquarters can also initiate VPN connections to the telecommuters since it can find the telecommuters by resolving their domain names.

Figure 164 Telecommuters Using Unique VPN Rules Example

Table 92 Telecommuters Using Unique VPN Rules Example

TELECOMMUTERS | HEADQUARTERS
All Telecommuter Rules: | All Headquarters Rules:
My ZyWALL: 0.0.0.0 | My ZyWALL: bigcompanyhq.com
Remote Gateway Address: bigcompanyhq.com | Local Network - Single IP Address: 192.168.1.10
Remote Network - Single IP Address: 192.168.1.10 | Local ID Type: E-mail
Peer ID Type: E-mail | Local ID Content: bob@bigcompanyhq.com
Peer ID Content: bob@bigcompanyhq.com |
Telecommuter A (telecommutera.dydns.org) | Headquarters ZyWALL Rule 1:
Local ID Type: IP | Peer ID Type: IP
Local ID Content: 192.168.2.12 | Peer ID Content: 192.168.2.12
Local IP Address: 192.168.2.12 | Remote Gateway Address: telecommutera.dydns.org
| Remote Address: 192.168.2.12
Telecommuter B (telecommuterb.dydns.org) | Headquarters ZyWALL Rule 2:
Local ID Type: DNS | Peer ID Type: DNS
Local ID Content: telecommuterb.com | Peer ID Content: telecommuterb.com
Local IP Address: 192.168.3.2 | Remote Gateway Address: telecommuterb.dydns.org
| Remote Address: 192.168.3.2
Telecommuter C (telecommuterc.dydns.org) | Headquarters ZyWALL Rule 3:
Local ID Type: E-mail | Peer ID Type: E-mail
Local ID Content: myVPN@myplace.com | Peer ID Content: myVPN@myplace.com
Local IP Address: 192.168.4.15 | Remote Gateway Address: telecommuterc.dydns.org
| Remote Address: 192.168.4.15

14.18 VPN and Remote Management

You can allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. One of the ZyWALL's ports must be part of the VPN rule's local network. This can be the ZyWALL's LAN port if you do not want to allow remote management on the WAN port. You also have to configure remote management (REMOTE MGMT) to allow management access for the service through the specific port.

In the following example, the VPN rule's local network (A) includes the ZyWALL's LAN IP address of 192.168.1.7. Someone in the remote network (B) can use a service (like HTTP for example) through the VPN tunnel to access the ZyWALL's LAN interface. Remote management must also be configured to allow HTTP access on the ZyWALL's LAN interface.

Figure 165 VPN for Remote Management Example

14.19 Hub-and-spoke VPN

Hub-and-spoke VPN connects VPN tunnels to form one secure network.

Figure 166 on page 294 shows some example network topologies. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-spoke) approach, there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A). The hub router routes VPN traffic between the spoke routers and itself.

Figure 166 VPN Topologies


Hub-and-spoke VPN reduces the number of VPN connections that you have to set up and maintain in the network. Small office or telecommuter IPSec routers that support a limited number of VPN tunnels are also able to use VPN to connect to more networks. Hub-and-spoke VPN makes it easier for the hub router to manage the traffic between the spoke routers. If you have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, the hub router can also provide content filtering, IDP, anti-spam and anti-virus protection for the spoke routers.

You should not use a hub-and-spoke VPN in every situation, however. The hub router is a single point of failure, so a hub-and-spoke VPN may not be appropriate if the connection between the spoke routers cannot be down occasionally (for maintenance, for example). In addition, there is a significant burden on the hub router. It receives VPN traffic from one spoke, decrypts it, inspects it to find out where to send it, encrypts it, and sends it to the appropriate spoke. Therefore, a hub-and-spoke VPN is more suitable when there is a minimum amount of traffic between spoke routers.

14.19.1 Hub-and-spoke VPN Example

The following figure shows a basic hub-and-spoke VPN. Branch office A uses one VPN rule to access both the headquarters (HQ) network and branch office B's network. Branch office B uses one VPN rule to access both the headquarters and branch office A's networks.

Figure 167 Hub-and-spoke VPN Example

14.19.2 Hub-and-spoke Example VPN Rule Addresses

The VPN rules for this hub-and-spoke example would use the following address settings.

Branch Office A:

- Remote Gateway: 10.0.0.1
- Local IP address: 192.168.167.0/255.255.255.0
- Remote IP address: 192.168.168.0~192.168.169.255

Headquarters:

Rule 1:

- Remote Gateway: 10.0.0.2
- Local IP address: 192.168.168.0~192.168.169.255
- Remote IP address: 192.168.167.0/255.255.255.0

Rule 2:

- Remote Gateway: 10.0.0.3
- Local IP address: 192.168.167.0~192.168.168.255
- Remote IP address: 192.168.169.0/255.255.255.0

Branch Office B:

- Remote Gateway: 10.0.0.1
- Local IP address: 192.168.169.0/255.255.255.0
- Remote IP address: 192.168.167.0~192.168.168.255

14.19.3 Hub-and-spoke VPN Requirements and Suggestions

Consider the following when implementing a hub-and-spoke VPN.

The local IP addresses configured in the VPN rules cannot overlap.

The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule.

If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.

Make sure that your From VPN and To VPN firewall rules do not block the VPN packets.
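To see how the address settings in Section 14.19.2 carry a packet from one branch office to the other through the hub, here is an added example (my own Python model, not ZyXEL code and not a ZyWALL feature) that treats each VPN rule as a local/remote selector pair and traces which rule matches at each hop. The gateway addresses are the example's own; the hub's LAN (192.168.168.0/24) is an assumption inferred from the ranges in the rules, and the 0.0.0.0 "any" remote address from Section 14.19.3 is handled as a catch-all selector.

```python
"""Selector model of the hub-and-spoke example in Sections 14.19.2 and 14.19.3.

Added example, not ZyXEL code. Each VPN rule is a (local, remote) pair of
address selectors; the functions below work out which rule a packet matches
on the spoke and on the hub, and so whether spoke-to-spoke traffic is
carried through the hub. Gateway addresses are those of the example
(10.0.0.1 hub, 10.0.0.2 branch A, 10.0.0.3 branch B); the hub's own LAN,
192.168.168.0/24, is an assumption inferred from the ranges in the rules.
"""
import ipaddress
from typing import NamedTuple, Optional

Selector = tuple[int, int]  # inclusive (first, last) addresses as integers


def parse_selector(text: str) -> Selector:
    """Parse the manual's selector notation into an inclusive integer range.

    Forms: "192.168.167.0/255.255.255.0" (subnet with dotted mask),
    "192.168.168.0~192.168.169.255" (range), "192.168.1.10" (single host),
    and "0.0.0.0" meaning any address (Section 14.19.3).
    """
    if text == "0.0.0.0":
        return 0, 2**32 - 1
    if "~" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("~"))
        return lo, hi
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def contains(sel: Selector, ip: str) -> bool:
    return sel[0] <= int(ipaddress.IPv4Address(ip)) <= sel[1]


def overlaps(a: Selector, b: Selector) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


class Rule(NamedTuple):
    name: str
    remote_gateway: str
    local: Selector
    remote: Selector


def rule(name: str, remote_gateway: str, local: str, remote: str) -> Rule:
    return Rule(name, remote_gateway, parse_selector(local), parse_selector(remote))


# The example's rules (Section 14.19.2).
BRANCH_A = [rule("A", "10.0.0.1", "192.168.167.0/255.255.255.0", "192.168.168.0~192.168.169.255")]
BRANCH_B = [rule("B", "10.0.0.1", "192.168.169.0/255.255.255.0", "192.168.167.0~192.168.168.255")]
HQ = [
    rule("HQ rule 1", "10.0.0.2", "192.168.168.0~192.168.169.255", "192.168.167.0/255.255.255.0"),
    rule("HQ rule 2", "10.0.0.3", "192.168.167.0~192.168.168.255", "192.168.169.0/255.255.255.0"),
]
HQ_LAN = parse_selector("192.168.168.0/255.255.255.0")  # assumed hub LAN


def outbound_match(rules, src: str, dst: str) -> Optional[Rule]:
    """Rule a router uses to encrypt a packet it sends: src in local, dst in remote."""
    return next((r for r in rules if contains(r.local, src) and contains(r.remote, dst)), None)


def inbound_match(rules, src: str, dst: str) -> Optional[Rule]:
    """Rule under which a router accepts a decrypted packet: src in remote, dst in local."""
    return next((r for r in rules if contains(r.remote, src) and contains(r.local, dst)), None)


def trace(spoke_rules, src: str, dst: str):
    """List the (stage, rule name, next gateway) hops for a packet sent from a spoke.

    The spoke encrypts with its rule to the hub; the hub must accept the packet
    under a rule for that spoke, then either deliver it on its own LAN or
    re-encrypt it under the rule whose remote selector holds dst.
    """
    hops = []
    out = outbound_match(spoke_rules, src, dst)
    if out is None:
        return hops  # no VPN rule on the spoke matches this packet
    hops.append(("spoke-out", out.name, out.remote_gateway))
    accepted = inbound_match(HQ, src, dst)
    if accepted is None:
        return hops  # hub has no matching rule; the packet goes no further
    hops.append(("hub-in", accepted.name, accepted.remote_gateway))
    if contains(HQ_LAN, dst):
        hops.append(("hub-lan", "local delivery", "-"))
        return hops
    fwd = outbound_match(HQ, src, dst)
    if fwd is not None:
        hops.append(("hub-out", fwd.name, fwd.remote_gateway))
    return hops


if __name__ == "__main__":
    for s, d in [("192.168.167.5", "192.168.169.8"),
                 ("192.168.167.5", "192.168.168.20"),
                 ("192.168.167.5", "8.8.8.8")]:
        print(f"{s} -> {d}: {trace(BRANCH_A, s, d)}")
```

Running it shows branch A to branch B traffic entering the hub under HQ rule 1 and leaving under HQ rule 2 towards 10.0.0.3, while a packet for an Internet address matches nothing on the spoke until its remote address is set to 0.0.0.0, as Section 14.19.3 describes.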

Certificates

This chapter gives background information about public-key certificates and explains how to use them.

15.1 Certificates Overview

The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the ZyWALL to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

In public-key encryption and decryption, each host has two keys. One key is public and can be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows.

1 Tim wants to send a private message to Jenny. Tim generates a public-private key pair. What is encrypted with one key can only be decrypted using the other.
2 Tim keeps the private key and makes the public key openly available.
3 Tim uses his private key to encrypt the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to decrypt it.
5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny's public key to decrypt the message.

The ZyWALL uses certificates based on public-key cryptography to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).

15.1.1 Advantages of Certificates

Certificates offer the following benefits.

  • The ZyWALL only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
  • Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
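The following added example (my own Python model, not ZyXEL code) walks through the certification-path logic described above: build the chain from a certificate up to a CA held in the trusted store, then refuse the certificate if any certificate on the path is outside its validity window or appears in its issuer's CRL. Signature verification with the issuer's public key is deliberately left out so that the decision logic stands alone; all certificate names, serial numbers and dates are constructed.

```python
"""Model of how a certification path is built and checked (Sections 15.1 and 15.6).

Added example, not ZyXEL code. Certificates are plain records; signature
verification with the issuer's public key is omitted, so this shows only the
path-building, validity-window and revocation logic that decide "trusted"
versus "Not trusted". Names, serial numbers and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    valid_from: date
    valid_to: date
    is_ca: bool = False


@dataclass
class Store:
    trusted_cas: dict                          # subject -> Cert (the Trusted CAs list)
    crls: dict = field(default_factory=dict)   # issuer subject -> set of revoked serials


def check_one(cert: Cert, store: Store, today: date) -> Optional[str]:
    """Return a reason if this single certificate must not be trusted, else None."""
    if today < cert.valid_from:
        return f"{cert.subject}: Not Yet Valid!"
    if today > cert.valid_to:
        return f"{cert.subject}: Expired!"
    if cert.serial in store.crls.get(cert.issuer, set()):
        return f"{cert.subject}: revoked (listed in the CRL of {cert.issuer})"
    return None


def certification_path(cert: Cert, store: Store, intermediates, today: date, max_depth: int = 8):
    """Build the path from cert up to a trusted CA and check every hop.

    Returns (path, problem): path is the list of subjects from the end
    certificate towards the trust anchor; problem is None only if every
    certificate on the path is in its validity window and unrevoked, which is
    the condition under which the ZyWALL does not display "Not trusted".
    """
    by_subject = {c.subject: c for c in intermediates}
    path, current = [], cert
    for _ in range(max_depth):
        path.append(current.subject)
        problem = check_one(current, store, today)
        if problem:
            return path, problem
        if store.trusted_cas.get(current.subject) == current:
            return path, None                    # reached a trust anchor
        if current.issuer == current.subject:
            return path, f"{current.subject}: self-signed but not in Trusted CAs"
        nxt = store.trusted_cas.get(current.issuer) or by_subject.get(current.issuer)
        if nxt is None or not nxt.is_ca:
            return path, f"{current.subject}: issuer {current.issuer} unknown or not a CA"
        current = nxt
    return path, f"path longer than {max_depth} certificates"


# Constructed sample PKI: root -> issuing CA -> VPN host certificate.
ROOT = Cert("Example Root CA", "Example Root CA", 1, date(2005, 1, 1), date(2025, 1, 1), is_ca=True)
INTER = Cert("Example Issuing CA", "Example Root CA", 20, date(2006, 1, 1), date(2016, 1, 1), is_ca=True)
HOST = Cert("vpn.example.test", "Example Issuing CA", 301, date(2007, 3, 1), date(2017, 3, 1))
ORPHAN = Cert("orphan.example.test", "Unknown CA", 9, date(2007, 1, 1), date(2017, 1, 1))
STORE = Store(trusted_cas={ROOT.subject: ROOT}, crls={"Example Issuing CA": {302}})
REVOKED_STORE = Store(trusted_cas={ROOT.subject: ROOT}, crls={"Example Issuing CA": {301}})
TODAY = date(2008, 6, 1)
LATER = date(2016, 6, 1)   # the issuing CA has expired by then, the host has not

if __name__ == "__main__":
    for label, args in [("valid", (HOST, STORE, [INTER], TODAY)),
                        ("revoked", (HOST, REVOKED_STORE, [INTER], TODAY)),
                        ("CA expired", (HOST, STORE, [INTER], LATER))]:
        print(label, certification_path(*args))
```

The "CA expired" case is the one the manual singles out: the host certificate itself is still within its dates, yet the path stops at the issuing CA and the result is not trusted.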

15.2 Self-signed Certificates

You can have the ZyWALL act as a certification authority and sign its own certificates.

15.3 Verifying a Certificate

Before you import a trusted CA or trusted remote host certificate into the ZyWALL, you should verify that you have the actual certificate. This is especially true of trusted CA certificates since the ZyWALL also trusts any valid certificate signed by any of the imported trusted CA certificates.

15.3.1 Checking the Fingerprint of a Certificate on Your Computer

A certificate's fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.

1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a ".cert" or ".crt" file name extension.

Figure 168 Certificates on Your Computer

3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Figure 169 Certificate Details
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
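The Thumbprint shown in the Certificate window is a digest of the certificate's binary (DER) encoding, so a PEM file has to be decoded before hashing. The added example below (my own code, not ZyXEL's) computes the MD5 and SHA1 fingerprints of a certificate file in either DER or PEM form and compares them with a value obtained from the owner, ignoring the colons, spaces and letter case in which such values are usually read out or pasted. The sample bytes are constructed and are not a real certificate; the digest logic is identical for a real one.

```python
"""Compute and compare a certificate's MD5 and SHA1 fingerprints (Section 15.3.1).

Added example, not ZyXEL code. The fingerprint (Windows calls it the
Thumbprint) is a message digest of the certificate's DER encoding, so a
PEM file is base64-decoded first. The sample bytes below are constructed,
not a real certificate; the digest logic is the same for a real one.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate stored either as DER or as PEM.

    DER certificates begin with 0x30 (an ASN.1 SEQUENCE); anything else is
    treated as PEM and the base64 body between the BEGIN/END lines is decoded.
    """
    if data[:1] == b"\x30":
        return data
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("neither DER nor a PEM-armoured certificate")
    return base64.b64decode(b"".join(m.group(1).split()))


def fingerprint(data: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER form, e.g. 'A9:99:3E:...'."""
    digest = hashlib.new(algorithm, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators, spaces and case so a value read over the telephone or
    copied from the Thumbprint field compares correctly."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def matches(data: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """True if the file's fingerprint equals the one the certificate owner gave you."""
    return normalize(fingerprint(data, algorithm)) == normalize(expected)


# Constructed sample: a SEQUENCE header over 256 bytes, wrapped in PEM armour.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for algorithm in ("md5", "sha1"):
        print(algorithm.upper(), fingerprint(SAMPLE_PEM, algorithm))
    print("same bytes, both encodings:", fingerprint(SAMPLE_PEM) == fingerprint(SAMPLE_DER))
```

Only the SHA1 and MD5 values are compared here because those are the two algorithms the ZyWALL and the Certificate window both display; a fingerprint that differs in even one byte means the file is not the certificate the owner has.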

15.4 Configuration Summary

This section summarizes how to manage certificates on the ZyWALL.

Figure 170 Certificate Configuration Overview

Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyWALL's CA-signed certificates.

Use the Trusted CA screens to save the certificates of trusted CAs to the ZyWALL. You can also export the certificates to a computer.

Use the Trusted Remote Hosts screens to import self-signed certificates from trusted remote hosts.

Use the Directory Servers screen to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates).

15.5 My Certificates

Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL's summary list of certificates and certification requests. Certificates display in black and certification requests display in gray.

Figure 171 SECURITY > CERTIFICATES > My Certificates

The following table describes the labels in this screen.

Table 93 SECURITY > CERTIFICATES > My Certificates

LABEL: DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
Replace: This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address.
#: This field displays the certificate index number. The certificates are listed in alphabetical order.
Name: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. *SELF represents the default self-signed certificate, which the ZyWALL uses to sign imported trusted remote host certificates. CERT represents a certificate issued by a certification authority.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Modify: Click the details icon to open a screen with an in-depth list of information about the certificate (or certification request). Click the export icon to save the certificate to a computer. For a certification request, click the export icon and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save. Click the delete icon to remove the certificate (or certification request). A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features are configured to use. Do the following to delete a certificate that shows *SELF in the Type field.
  1. Make sure that no other features, such as HTTPS, VPN or SSH, are configured to use the *SELF certificate.
  2. Click the details icon next to another self-signed certificate (see the description of the Create button if you need to create a self-signed certificate).
  3. Select the Default self-signed certificate which signs the imported remote host certificates check box.
  4. Click Apply to save the changes and return to the My Certificates screen.
  5. The certificate that originally showed *SELF now displays SELF and you can delete it.
  Note that subsequent certificates move up by one when you take this action.
Import: Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the ZyWALL.
Create: Click Create to go to the screen where you can have the ZyWALL generate a certificate or a certification request.
Refresh: Click Refresh to display the current validity status of the certificates.

15.6 My Certificate Details

Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 171 on page 300). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate's name.

If it is a self-signed certificate, you can also set the ZyWALL to use the certificate to sign the imported trusted remote host certificates.

Figure 172 SECURITY > CERTIFICATES > My Certificates > Details

The following table describes the labels in this screen.

Table 94 SECURITY > CERTIFICATES > My Certificates > Details

LABEL: DESCRIPTION
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Property (Default self-signed certificate which signs the imported remote host certificates check box): Select this check box to have the ZyWALL use this certificate to sign the trusted remote host certificates that you import to the ZyWALL. This check box is only available with self-signed certificates. If this check box is already selected, you cannot clear it in this screen; you must select this check box in another self-signed certificate's details screen. This automatically clears the check box in the details screen of the certificate that was previously set to sign the imported trusted remote host certificates.
Certification Path: Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The ZyWALL does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh: Click Refresh to display the certification path.
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate's identification number given by the certification authority or generated by the ZyWALL.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. The ZyWALL uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate's key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate's path.
MD5 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the MD5 algorithm.
SHA1 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the SHA1 algorithm.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority's web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
Apply: Click Apply to save your changes back to the ZyWALL. You can only change the name, except in the case of a self-signed certificate, which you can also set to be the default self-signed certificate that signs the imported trusted remote host certificates.
Cancel: Click Cancel to quit and return to the My Certificates screen.

15.7 My Certificate Export

Click SECURITY > CERTIFICATES > My Certificates and then a certificate's export icon to open the My Certificate Export screen. Follow the instructions in this screen to choose the file format to use for saving the certificate from the ZyWALL to a computer.

15.7.1 Certificate File Export Formats

You can export a certificate in one of these file formats:

  • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
  • Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. The password is created when you export the PKCS #12 file, and you must provide it to decrypt the contents when you import the file into the ZyWALL.

Figure 173 SECURITY > CERTIFICATES > My Certificates > Export

The following table describes the labels in this screen.

Table 95 SECURITY > CERTIFICATES > My Certificates > Export

LABEL: DESCRIPTION
Export the certificate in binary X.509 format: Binary X.509 is an ITU-T recommendation that defines the formats for X.509 certificates.
Export the certificate along with the corresponding private key in PKCS#12 format: PKCS#12 is a format for transferring public key and private key certificates. You can also password-encrypt the private key in the PKCS #12 file. The file's password is not connected to your certificate's public or private passwords.
Password: Type the file's password to use for encrypting the private key. The password is optional, although you must specify one if you want to be able to import the PKCS#12 format certificate into Netscape version 7.2.
Retype to confirm: Type the password to make sure that you have entered it correctly.
Apply: Click Apply and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save.
Cancel: Click Cancel to quit and return to the My Certificates screen.

15.8 My Certificate Import

Click SECURITY > CERTIFICATES > My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate from a computer to the ZyWALL.


You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL (the certification request contains the private key). The certificate you import replaces the corresponding request in the My Certificates screen.

One exception is that you can import a PKCS#12 format certificate without a corresponding certification request since the certificate includes the private key.


You must remove any spaces from the certificate's filename before you can import it.

15.8.1 Certificate File Formats

The certification authority certificate that you want to import has to be in one of these file formats:

  • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
  • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.
  • Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The ZyWALL currently allows the importation of a PKCS#7 file that contains a single certificate.
  • PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.
  • Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. The password is created when you export the PKCS #12 file, and you must provide it to decrypt the contents when you import the file into the ZyWALL.


Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
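A binary X.509 or PKCS file that went through a text-mode transfer typically has its line-feed bytes rewritten as carriage-return/line-feed pairs, which silently breaks the DER structure. Here is an added check (my own code, not ZyXEL's) that compares the outer length declared in the DER header with the actual file size, together with a constructed sample showing how such damage is caught before you try to import the file.

```python
"""Detect a DER certificate mangled by a text-mode transfer (Section 15.8.1).

Added example, not ZyXEL code. A DER file starts with an ASN.1 SEQUENCE
(tag 0x30) whose length field states how many bytes follow; if a transfer
program rewrote line endings, the file size no longer matches that length.
The sample bytes are constructed and are not a real certificate.
"""
from typing import Optional


def der_declared_length(data: bytes) -> int:
    """Total length (tag + length field + contents) declared by the outer element."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: n bytes of big-endian length follow
    if n == 0 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def text_transfer_damage(data: bytes) -> Optional[str]:
    """Describe why the file cannot be an intact DER certificate, or None if it looks intact."""
    if data[:1] == b"-":
        return None                  # PEM (text) armour; line-ending changes are harmless there
    try:
        declared = der_declared_length(data)
    except ValueError as exc:
        return str(exc)
    if declared != len(data):
        return f"declared {declared} bytes but file holds {len(data)}; suspect a text-mode transfer"
    return None


def simulate_ascii_mode(data: bytes) -> bytes:
    """What a text-mode transfer does to a binary file: every LF becomes CR LF."""
    return data.replace(b"\n", b"\r\n")


# Constructed sample: a SEQUENCE whose contents are 256 bytes (header 30 82 01 00).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    print("intact:", text_transfer_damage(SAMPLE_DER))
    print("after text-mode transfer:", text_transfer_damage(simulate_ascii_mode(SAMPLE_DER)))
```

The length test is cheap and catches the common case; it cannot prove a file is undamaged, so the fingerprint comparison from Section 15.3.1 remains the authoritative check.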

Figure 174 SECURITY > CERTIFICATES > My Certificates > Import

The following table describes the labels in this screen.

Table 96 SECURITY > CERTIFICATES > My Certificates > Import

LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyWALL.
Cancel: Click Cancel to quit and return to the My Certificates screen.

When you import a binary PKCS#12 format certificate, another screen displays for you to enter the password.

Figure 175 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12

The following table describes the labels in this screen.

Table 97 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12

LABEL: DESCRIPTION
Password: Type the file's password that was created when the PKCS #12 file was exported.
Apply: Click Apply to save the certificate on the ZyWALL.
Cancel: Click Cancel to quit and return to the My Certificates screen.

15.9 My Certificate Create

Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.

Figure 176 SECURITY > CERTIFICATES > My Certificates > Create

The following table describes the labels in this screen.

Table 98 SECURITY > CERTIFICATES > My Certificates > Create

LABEL: DESCRIPTION
Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.
Common Name: Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters. The domain name or e-mail address is for identification purposes only and can be any string.
Organizational Unit: Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Organization: Type up to 127 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Country: Type up to 127 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Key Length: Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.
Enrollment Options: These radio buttons deal with how and when the certificate is to be generated.
Create a self-signed certificate: Select Create a self-signed certificate to have the ZyWALL generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
Create a certification request and save it locally for later manual enrollment: Select Create a certification request and save it locally for later manual enrollment to have the ZyWALL generate and store a request for a certificate. Copy the certification request from the My Certificate Details screen (see Section 15.6 on page 301) and then send it to the certification authority.
Create a certification request and enroll for a certificate immediately online: Select Create a certification request and enroll for a certificate immediately online to have the ZyWALL generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted CAs screen. When you select this option, you must select the certification authority's enrollment protocol and the certification authority's certificate from the drop-down list boxes and enter the certification authority's server address. You also need to fill in the Reference Number and Key if the certification authority requires them.
Enrollment Protocol: Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
CA Server Address: Enter the IP address (or URL) of the certification authority server.
CA Certificate: Select the certification authority's certificate from the CA Certificate drop-down list box. You must have the certification authority's certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities.
Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol. Just fill in the Key field if your certification authority uses the SCEP enrollment protocol.
Key: Type the key that the certification authority gave you.
Apply: Click Apply to begin certificate or certification request generation.
Cancel: Click Cancel to quit and return to the My Certificates screen.

After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request.

After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen.

If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyWALL to enroll a certificate online.

15.10 Trusted CAs

Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyWALL to accept as trusted. The ZyWALL accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.

Figure 177 SECURITY > CERTIFICATES > Trusted CAs

The following table describes the labels in this screen.

Table 99 SECURITY > CERTIFICATES > Trusted CAs

  • PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
  • #: This field displays the certificate index number. The certificates are listed in alphabetical order.
  • Name: This field displays the name used to identify this certificate.
  • Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
  • Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
  • Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
  • Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
  • CRL Issuer: This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate's details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays "No".
  • Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Use the export icon to save the certificate to a computer: click the icon and then Save in the File Download screen; when the Save As screen opens, browse to the location that you want to use and click Save. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
  • Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the ZyWALL.
  • Refresh: Click this button to display the current validity status of the certificates.

15.11 Trusted CA Details

Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority's certificate, change the certificate's name and set whether or not you want the ZyWALL to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.

Figure 178 SECURITY > CERTIFICATES > Trusted CAs > Details

The following table describes the labels in this screen.

Table 100 SECURITY > CERTIFICATES > Trusted CAs > Details

  • Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Property
  • Check incoming certificates issued by this CA against a CRL: Select this check box to have the ZyWALL check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the ZyWALL not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL).
  • Certification Path: Click the Refresh button to have this read-only text box display the end entity's certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity's certificate. If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the end entity's own certificate). The ZyWALL does not trust the end entity's certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked.
  • Refresh: Click Refresh to display the certification path.
  • Certificate Information: These read-only fields display detailed information about the certificate.
  • Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
  • Version: This field displays the X.509 version number.
  • Serial Number: This field displays the certificate's identification number given by the certification authority.
  • Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
  • Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
  • Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
  • Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
  • Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
  • Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example).
  • Subject Alternative Name: This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
  • Key Usage: This field displays for what functions the certificate's key can be used. For example, "DigitalSignature" means that the key can be used to sign certificates and "KeyEncipherment" means that the key can be used to encrypt text.
  • Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path.
  • CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
  • MD5 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
  • SHA1 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
  • Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
  • Apply: Click Apply to save your changes back to the ZyWALL. You can only change the name and/or set whether or not you want the ZyWALL to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.
  • Cancel: Click Cancel to quit and return to the Trusted CAs screen.
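The MD5 and SHA1 Fingerprint fields above are the values you confirm with the certification authority out of band before relying on an imported CA certificate. The following Python is an added example (not ZyXEL code) showing where those values come from: the digest is computed over the DER bytes that the PEM (Base-64) text box wraps, and a comparison helper tolerates the differences in case and separators that appear when a fingerprint is read out by phone or pasted from a web page. The certificate bytes are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder: arbitrary bytes standing in for a DER-encoded CA
# certificate. A real certificate exported from the Trusted CAs screen works
# the same way, because the fingerprint is a digest of the raw DER bytes.
SAMPLE_DER = bytes(range(256))[:192]

# PEM armour as shown in the "Certificate in PEM (Base-64) Encoded Format" box:
# the DER bytes Base-64 encoded and wrapped at 64 characters per line.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(r".{1,64}", base64.b64encode(SAMPLE_DER).decode("ascii")))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END lines and Base-64 decode the body back to DER."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algorithm: str) -> str:
    """Digest of the DER certificate ("md5" or "sha1") in the colon-separated
    upper-case hex form that the details screen displays."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Reduce a fingerprint to bare upper-case hex so that 'ab:cd', 'AB CD'
    and 'abcd' all compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(displayed: str, reference: str) -> bool:
    """True when the value on the ZyWALL screen equals the value obtained from
    the certification authority out of band (by phone, for example)."""
    normalized = normalize(reference)
    return bool(normalized) and normalize(displayed) == normalized


def verify_pem(pem: str, reference_sha1: str) -> bool:
    """Full check: decode the PEM text, hash it, compare with the reference."""
    return fingerprints_match(fingerprint(pem_to_der(pem), "sha1"), reference_sha1)
```

For a certificate file exported from the Trusted CAs screen, `openssl x509 -noout -fingerprint -sha1 -in ca.pem` prints the same SHA1 value, so the two can be checked against each other. For Trusted Remote Hosts the fingerprint shown after import belongs to the re-signed certificate, so compare a peer's fingerprint before importing it, as Section 15.3 describes.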

15.12 Trusted CA Import

Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority's certificate from a computer to the ZyWALL. The ZyWALL trusts any valid certificate signed by any of the imported trusted CA certificates.

You must remove any spaces from the certificate's filename before you can import the certificate.

Figure 179 SECURITY > CERTIFICATES > Trusted CAs > Import

The following table describes the labels in this screen.

Table 101 SECURITY > CERTIFICATES > Trusted CAs Import

  • File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
  • Browse: Click Browse to find the certificate file you want to upload.
  • Apply: Click Apply to save the certificate on the ZyWALL.
  • Cancel: Click Cancel to quit and return to the Trusted CAs screen.

15.13 Trusted Remote Hosts

Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. This screen displays a list of the certificates of peers that you trust but which are not signed by one of the certification authorities on the Trusted CAs screen.

You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen since the ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy.

Figure 180 SECURITY > CERTIFICATES > Trusted Remote Hosts

The following table describes the labels in this screen.

Table 102 SECURITY > CERTIFICATES > Trusted Remote Hosts

  • PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
  • Issuer (My Default Self-signed Certificate): This field displays identifying information about the default self-signed certificate on the ZyWALL that the ZyWALL uses to sign the trusted remote host certificates.
  • #: This field displays the certificate index number. The certificates are listed in alphabetical order.
  • Name: This field displays the name used to identify this certificate.
  • Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
  • Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
  • Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
  • Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Use the export icon to save the certificate to a computer: click the icon and then Save in the File Download screen; when the Save As screen opens, browse to the location that you want to use and click Save. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
  • Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL.
  • Refresh: Click this button to display the current validity status of the certificates.

15.14 Trusted Remote Hosts Import

Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen.

You may have peers with certificates that you want to trust, but the certificates were not signed by one of the certification authorities on the Trusted CAs screen. Follow the instructions in this screen to save a peer's certificates from a computer to the ZyWALL.

You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen since the ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy.

The trusted remote host certificate must be a self-signed certificate, and you must remove any spaces from its filename before you can import it.

Figure 181 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import

The following table describes the labels in this screen.

Table 103 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import

  • File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
  • Browse: Click Browse to find the certificate file you want to upload.
  • Apply: Click Apply to save the certificate on the ZyWALL.
  • Cancel: Click Cancel to quit and return to the Trusted Remote Hosts screen.

15.15 Trusted Remote Host Certificate Details

Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host's certificate and/or change the certificate's name.

Figure 182 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details

The following table describes the labels in this screen.

Table 104 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details

  • Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
  • Certification Path: Click the Refresh button to have this read-only text box display the end entity's own certificate and a list of certification authority certificates in the hierarchy of certification authorities that validate a certificate's issuing certification authority. For a trusted host, the list consists of the end entity's own certificate and the default self-signed certificate that the ZyWALL uses to sign remote host certificates.
  • Refresh: Click Refresh to display the certification path.
  • Certificate Information: These read-only fields display detailed information about the certificate.
  • Type: This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyWALL is the Certification Authority that signed the certificate. X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
  • Version: This field displays the X.509 version number.
  • Serial Number: This field displays the certificate's identification number given by the device that created the certificate.
  • Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
  • Issuer: This field displays identifying information about the default self-signed certificate on the ZyWALL that the ZyWALL uses to sign the trusted remote host certificates.
  • Signature Algorithm: This field displays the type of algorithm that the ZyWALL used to sign the certificate, which is rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm).
  • Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
  • Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
  • Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example).
  • Subject Alternative Name: This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
  • Key Usage: This field displays for what functions the certificate's key can be used. For example, "DigitalSignature" means that the key can be used to sign certificates and "KeyEncipherment" means that the key can be used to encrypt text.
  • Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path.
  • MD5 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the MD5 algorithm. The ZyWALL uses one of its own self-signed certificates to sign the imported trusted remote host certificates. This changes the fingerprint value displayed here (so it does not match the original). See Section 15.3 on page 298 for how to verify a remote host's certificate before you import it into the ZyWALL.
  • SHA1 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the SHA1 algorithm. The ZyWALL uses one of its own self-signed certificates to sign the imported trusted remote host certificates. This changes the fingerprint value displayed here (so it does not match the original). See Section 15.3 on page 298 for how to verify a remote host's certificate before you import it into the ZyWALL.
  • Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
  • Apply: Click Apply to save your changes back to the ZyWALL. You can only change the name of the certificate.
  • Cancel: Click Cancel to quit configuring this screen and return to the Trusted Remote Hosts screen.

15.16 Directory Servers

Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL. If you decide to have the ZyWALL check incoming certificates against the issuing certification authority's list of revoked certificates, the ZyWALL first checks the server(s) listed in the CRL Distribution Points field of the incoming certificate. If the certificate does not list a server or the listed server is not available, the ZyWALL checks the servers listed here.

Figure 183 SECURITY > CERTIFICATES > Directory Servers

The following table describes the labels in this screen.

Table 105 SECURITY > CERTIFICATES > Directory Servers

  • PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
  • #: The index number of the directory server. The servers are listed in alphabetical order.
  • Name: This field displays the name used to identify this directory server.
  • Address: This field displays the IP address or domain name of the directory server.
  • Port: This field displays the port number that the directory server uses.
  • Protocol: This field displays the protocol that the directory server uses.
  • Modify: Click the details icon to open a screen where you can change the information about the directory server. Click the delete icon to remove the directory server entry. A window displays asking you to confirm that you want to delete the directory server. Note that subsequent directory server entries move up by one when you take this action.
  • Add: Click Add to open a screen where you can configure information about a directory server so that the ZyWALL can access it.
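Putting Section 15.11 (the Certification Path field and the CRL check box) together with the lookup order described above, the following Python is an added model of the ZyWALL's trust decision; it is not ZyXEL code and performs no signature verification (that is assumed to have passed already). It implements the order of checks the screens describe: validity dates, a trusted remote host or a trusted CA as the issuer, and, when the CA's CRL check is enabled, the CRL fetched first from the certificate's CRL Distribution Points and then from the configured directory servers. The 30-day Expiring! threshold and the fail-closed behaviour when no CRL can be retrieved are assumptions of the model, and all certificates and servers are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Cert:
    name: str
    subject: str
    issuer: str
    valid_from: date
    valid_to: date
    serial: int
    crl_distribution_points: list = field(default_factory=list)  # servers named in the cert


@dataclass
class TrustedCA:
    cert: Cert
    check_crl: bool  # the "Check incoming certificates issued by this CA against a CRL" box


EXPIRING_WARNING = timedelta(days=30)  # assumption: the manual states no "Expiring!" threshold


def validity_status(cert: Cert, today: date) -> str:
    """The annotation shown next to Valid From / Valid To on the certificate screens."""
    if today < cert.valid_from:
        return "Not Yet Valid!"
    if today > cert.valid_to:
        return "Expired!"
    if cert.valid_to - today <= EXPIRING_WARNING:
        return "Expiring!"
    return "Valid"


def lookup_crl(issuer_subject, cert_servers, directory_servers, crl_servers):
    """CRL lookup order: the certificate's own CRL Distribution Points first, then the
    configured directory servers. crl_servers maps a server name to
    {issuer subject: {revoked serials}}; None models a server that is not available."""
    for server in list(cert_servers) + list(directory_servers):
        crl = crl_servers.get(server)
        if crl is not None and issuer_subject in crl:
            return server, crl[issuer_subject]
    return None, None


def evaluate(cert, trusted_cas, trusted_hosts, directory_servers, crl_servers, today):
    """Trust decision for a peer certificate: (trusted, certification path, reason).
    Signature verification is assumed to have passed already; only the trust-source,
    validity and revocation logic of the screens is modelled."""
    status = validity_status(cert, today)
    if status in ("Expired!", "Not Yet Valid!"):
        return False, [cert.name], f"end entity {status}"
    # A trusted remote host is accepted on its own; its path is its certificate plus
    # the ZyWALL's default self-signed certificate that re-signed it on import.
    if any(h.subject == cert.subject and h.serial == cert.serial for h in trusted_hosts):
        return True, [cert.name, "ZyWALL default self-signed certificate"], "trusted remote host"
    ca = next((c for c in trusted_cas if c.cert.subject == cert.issuer), None)
    if ca is None:
        return False, [cert.name], "issuer is not a trusted CA"
    path = [cert.name, ca.cert.name]
    if validity_status(ca.cert, today) in ("Expired!", "Not Yet Valid!"):
        return False, path, "Not trusted: CA certificate outside its validity period"
    if ca.check_crl:
        server, revoked = lookup_crl(ca.cert.subject, cert.crl_distribution_points,
                                     directory_servers, crl_servers)
        if revoked is None:
            return False, path, "Not trusted: no CRL available"  # assumption: fail closed
        if cert.serial in revoked:
            return False, path, f"Not trusted: revoked according to CRL from {server}"
    return True, path, "valid"


def demo():
    """Constructed scenario: a trusted CA with CRL checking on, the CRL server named in
    the certificates unreachable, and a directory server holding the CRL instead."""
    today = date(2025, 6, 1)
    ca = TrustedCA(Cert("Example-CA", "CN=Example CA", "CN=Example CA",
                        date(2024, 1, 1), date(2034, 1, 1), 1), check_crl=True)
    peers = [
        Cert("peer-1", "CN=peer1.example.test", "CN=Example CA",
             date(2024, 1, 1), date(2026, 1, 1), 1001, ["crl.example.test"]),
        Cert("peer-2", "CN=peer2.example.test", "CN=Example CA",
             date(2024, 1, 1), date(2026, 1, 1), 2002, ["crl.example.test"]),
        Cert("peer-3", "CN=peer3.example.test", "CN=Other CA",
             date(2024, 1, 1), date(2026, 1, 1), 3003),
        Cert("peer-4", "CN=peer4.example.test", "CN=Example CA",
             date(2023, 1, 1), date(2025, 1, 1), 4004),
        Cert("branch-office", "CN=branch.example.test", "CN=branch.example.test",
             date(2024, 1, 1), date(2026, 1, 1), 7),
    ]
    crl_servers = {"crl.example.test": None,                         # not available
                   "ldap.example.test": {"CN=Example CA": {2002}}}
    return {c.name: evaluate(c, [ca], [peers[-1]], ["ldap.example.test"], crl_servers, today)
            for c in peers}
```

In the constructed scenario peer-1 is accepted only because the directory server supplies the CRL after the certificate's own distribution point fails, which is exactly the fallback the Directory Servers screen exists for; peer-2 is rejected from that same CRL, and the expired peer-4 never reaches the CRL stage.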

15.17 Directory Server Add or Edit

Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen. Use this screen to configure information about a directory server that the ZyWALL can access.

Figure 184 SECURITY > CERTIFICATES > Directory Server > Add

The following table describes the labels in this screen.

Table 106 SECURITY > CERTIFICATES > Directory Server > Add

Directory Service Setting
  • Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
  • Access Protocol: Use the drop-down list box to select the access protocol used by the directory server. LDAP (Lightweight Directory Access Protocol) is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates. (See note A below.)
  • Server Address: Type the IP address (in dotted decimal notation) or the domain name of the directory server.
  • Server Port: This field displays the default server port number of the protocol that you select in the Access Protocol field. You may change the server port number if needed; however, you must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
Login Setting
  • Login: The ZyWALL may need to authenticate itself in order to access the directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).
  • Password: Type the password (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).
  • Apply: Click Apply to save your changes back to the ZyWALL.
  • Cancel: Click Cancel to quit configuring this screen and return to the Directory Servers screen.

A. At the time of writing, LDAP is the only choice of directory server access protocol.

Authentication Server

This chapter discusses how to configure the ZyWALL's authentication server feature.

16.1 Authentication Server Overview

A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users. The ZyWALL uses the same local user database for VPN extended authentication and wireless LAN security. See Appendix G on page 675 for more information about RADIUS.

16.1.1 Local User Database

By storing user profiles locally on the ZyWALL, your ZyWALL is able to authenticate users without interacting with a network RADIUS server. However, there is a limit on the number of users you may authenticate in this way.

16.1.2 RADIUS

The ZyWALL can use an external RADIUS server to authenticate an unlimited number of users.

16.2 Local User Database

Click SECURITY > AUTHSERVER to open the Local User Database screen. The local user database is a list of user profiles stored on the ZyWALL. The ZyWALL can use this list of user profiles to authenticate users. Use this screen to change your ZyWALL's list of user profiles.

Figure 185 SECURITY > AUTHSERVER > Local User Database

The following table describes the labels in this screen.

Table 107 SECURITY > AUTH SERVER > Local User Database

  • Active: Select this check box to enable the user profile.
  • User Name: Enter the user name of the user profile.
  • Password: Enter a password up to 31 characters long for this user profile.
  • Apply: Click Apply to save your changes back to the ZyWALL.
  • Reset: Click Reset to begin configuring this screen afresh.

16.3 RADIUS

Click SECURITY > AUTH_SERVER > RADIUS to open the RADIUS screen. Configure this screen to use an external RADIUS server to authenticate users.

Figure 186 SECURITY > AUTH SERVER > RADIUS

The following table describes the labels in this screen.

Table 108 SECURITY > AUTH SERVER > RADIUS

Authentication Server
  • Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyWALL.
  • Server IP Address: Enter the IP address of the external authentication server in dotted decimal notation.
  • Port Number: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
  • Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL.
Accounting Server
  • Active: Select the check box to enable user accounting through an external authentication server.
  • Server IP Address: Enter the IP address of the external accounting server in dotted decimal notation.
  • Port Number: The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
  • Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyWALL. The key is not sent over the network. This key must be the same on the external accounting server and ZyWALL.
  • Apply: Click Apply to save your changes back to the ZyWALL.
  • Reset: Click Reset to begin configuring this screen afresh.
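The RADIUS screen only asks for the server address, port and Key, and notes that the key is never sent over the network. The following Python is an added example that goes beyond the screen description and is not ZyXEL code: it shows how a RADIUS client (the ZyWALL's role) and server use that shared key as RFC 2865 defines it. The client hides the User-Password attribute with an MD5 keystream derived from the key and a random Request Authenticator, and the server authenticates its reply with a Response Authenticator that the client recomputes. The user name, password and key values are constructed for the example, and only the two attributes needed for the exchange are built.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2       # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2  # attribute types
HEADER = struct.Struct("!BBH")             # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse: only a party holding the same secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(username: bytes, password: bytes, secret: bytes,
                   ident: int = 1, request_auth: bytes = None):
    """Client side: build an Access-Request; returns (packet, request authenticator).
    The secret itself never appears in the packet."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(request: bytes, secret: bytes) -> bytes:
    """Server side: answer a request, authenticating the reply with the shared secret."""
    code, ident, length = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    attrs = b""  # no reply attributes in this constructed exchange
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept the reply only if its authenticator was made with our secret."""
    code, ident, length = HEADER.unpack(response[:4])
    attrs = response[20:length]
    return response[4:20] == response_authenticator(code, ident, attrs, request_auth, secret)
```

A mismatched Key shows up on both ends without the key ever crossing the wire: the server recovers garbage instead of the password, and its reply fails verify_response on the client, which per RFC 2865 silently discards it. That is why a wrong key on the RADIUS screen usually looks like a timeout rather than an explicit rejection.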

PART IV

Advanced

Network Address Translation (NAT) (329)

Static Route (345)

Policy Route (349)

Bandwidth Management (355)

DNS (371)

Remote Management (383)

UPnP (405)

ALG Screen (415)

Network Address Translation (NAT)

This chapter discusses how to configure NAT on the ZyWALL.

17.1 NAT Overview

NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.

17.1.1 NAT Definitions

Inside/outside denotes where a host is located relative to the ZyWALL. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.

Global/local denotes the IP address of a host in a packet as the packet traverses a router. For example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side.

Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. The following table summarizes this information.

Table 109 NAT Definitions

  • Inside: This refers to the host on the LAN.
  • Outside: This refers to the host on the WAN.
  • Local: This refers to the packet address (source or destination) as the packet travels on the LAN.
  • Global: This refers to the packet address (source or destination) as the packet travels on the WAN.

NAT never changes the IP address (either local or global) of an outside host.

17.1.2 What NAT Does

In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed.

The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for example a web server and a telnet server) on your local network and make them accessible to the outside world. Although you can make designated servers on the LAN accessible to the outside world, it is strongly recommended that you attach those servers to the DMZ port instead. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping), NAT offers the additional benefit of firewall protection. With no servers defined, your ZyWALL filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).

17.1.3 How NAT Works

Each packet has two addresses - a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyWALL keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.

Figure 187 How NAT Works

17.1.4 NAT Application

The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.

Figure 188 NAT Application With IP Alias

17.1.5 Port Restricted Cone NAT

ZyWALL ZyNOS version 4.00 and later uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network. In the following example, the ZyWALL maps the source address of all packets sent from internal IP address 1 and port A to IP address 2 and port B on the external network. A host on the external network (IP address 3 and Port C for example) can only send packets to the internal host if the internal host has already sent a packet to the external host's IP address and port.

A server with IP address 1 and port A sends packets to IP address 3, port C and IP address 4, port D. The ZyWALL changes the server's IP address to 2 and port to B.

Since 1, A has already sent packets to 3, C and 4, D, they can send packets back to 2, B and the ZyWALL will perform NAT on them and send them to the server at IP address 1, port A.

Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A.

Figure 189 Port Restricted Cone NAT Example
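The port restricted cone behaviour described above, as an added simulation (example code, not ZyXEL's): one fixed external ip:port per internal ip:port, and inbound packets accepted only from an outside ip:port that the internal host has already contacted. The addresses and the starting port of the external pool are constructed sample values.

```python
"""Port restricted cone NAT, simulated.

Added example (not ZyXEL code). It models the behaviour described above:
every packet from one internal ip:port leaves with one fixed external
ip:port, and an outside host can reach that mapping only if the internal
host has already sent a packet to that exact outside ip:port. Addresses
and the starting port of the external pool are constructed sample values.
"""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (ip address, port)


class PortRestrictedConeNAT:
    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        self.outbound: Dict[Endpoint, Endpoint] = {}   # internal -> external
        self.inbound: Dict[Endpoint, Endpoint] = {}    # external -> internal
        # outside ip:port pairs each external mapping has already talked to
        self.allowed: Dict[Endpoint, Set[Endpoint]] = {}

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite the source of an outgoing packet and remember dst as permitted."""
        if src not in self.outbound:
            ext = (self.external_ip, self._next_port)
            self._next_port += 1
            self.outbound[src] = ext
            self.inbound[ext] = src
            self.allowed[ext] = set()
        ext = self.outbound[src]
        self.allowed[ext].add(dst)
        return ext

    def translate_inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Return the internal ip:port an inbound packet is forwarded to,
        or None when the cone rule (IP *and* port must match) rejects it."""
        if dst not in self.inbound:
            return None                      # no mapping on that external port
        if src not in self.allowed[dst]:
            return None                      # unknown host, or known host on a new port
        return self.inbound[dst]


def run_manual_example() -> dict:
    """Replay the section's scenario: 1,A talks to 3,C and 4,D; only they may answer."""
    nat = PortRestrictedConeNAT("203.0.113.2")
    server = ("192.168.1.10", 5000)        # "IP address 1, port A"
    host3 = ("198.51.100.3", 7000)         # "IP address 3, port C"
    host4 = ("198.51.100.4", 8000)         # "IP address 4, port D"
    ext = nat.translate_outbound(server, host3)   # server now appears as "2, B"
    nat.translate_outbound(server, host4)
    return {
        "mapped_to": ext,
        "reply_from_3C": nat.translate_inbound(host3, ext),
        "reply_from_4D": nat.translate_inbound(host4, ext),
        "from_4E": nat.translate_inbound(("198.51.100.4", 8001), ext),   # 4, E
        "from_5": nat.translate_inbound(("198.51.100.5", 8000), ext),    # host 5
    }


if __name__ == "__main__":
    for key, value in run_manual_example().items():
        print(f"{key}: {value}")
```

The two rejected cases are the ones the figure shows: host 4 on a port the server never sent to, and host 5, which the server never contacted at all.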

17.1.6 NAT Mapping Types

NAT supports five types of IP/port mapping. They are:

  • One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global IP address.
  • Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature (the SUA option).
  • Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
  • Many One to One: In Many-One-to-One mode, the ZyWALL maps each local IP address to a unique global IP address.
  • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead.

Note: Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.

The following table summarizes the NAT mapping types.

Table 110 NAT Mapping Types

| TYPE | IP MAPPING | SMT ABBREVIATION |
| --- | --- | --- |
| One-to-One | ILA1 ↔ IGA1 | 1-1 |
| Many-to-One (SUA/PAT) | ILA1 ↔ IGA1, ILA2 ↔ IGA1, ... | M-1 |
| Many-to-Many Overload | ILA1 ↔ IGA1, ILA2 ↔ IGA2, ILA3 ↔ IGA1, ILA4 ↔ IGA2, ... | M-M Ov |
| Many-One-to-One | ILA1 ↔ IGA1, ILA2 ↔ IGA2, ILA3 ↔ IGA3, ... | M-1-1 |
| Server | Server 1 IP ↔ IGA1, Server 2 IP ↔ IGA1, Server 3 IP ↔ IGA1 | Server |
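The mapping patterns in the list and table above, worked as an added example (not ZyXEL code): given a mapping type and the local and global ranges, which global address a local host is given and whether its ports get rewritten. The round-robin order for Many-to-Many Overload follows the ILA1 ↔ IGA1, ILA2 ↔ IGA2, ILA3 ↔ IGA1 pattern in Table 110; that order and all IP values are assumptions for illustration.

```python
"""Which global address (IGA) a local address (ILA) gets under each mapping type.

Added example, not ZyXEL code. It follows the allocation pattern in Table 110
(ILA1 -> IGA1, ILA2 -> IGA2, ILA3 -> IGA1, ... for Many-to-Many Overload) and
the note that ports are left untouched for One-to-One and Many-One-to-One;
the exact order in which the ZyWALL hands out Overload addresses and all IP
values used here are assumptions for illustration.
"""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def ip_range(start: str, end: str) -> List[str]:
    """Every address from start to end inclusive, as dotted strings."""
    first, last = int(IPv4Address(start)), int(IPv4Address(end))
    return [str(IPv4Address(n)) for n in range(first, last + 1)]


def map_address(map_type: str, ila: str, local_start: str, local_end: str,
                global_start: str, global_end: Optional[str] = None) -> Tuple[Optional[str], bool]:
    """Return (IGA, ports_rewritten); IGA is None when the ILA is not covered."""
    locals_ = ip_range(local_start, local_end)
    if ila not in locals_:
        return None, False
    index = locals_.index(ila)
    if map_type == "One-to-One":
        # a single host; Local End IP is N/A on the screen, so only the first counts
        return (global_start if index == 0 else None), False
    if map_type == "Many-to-One":
        return global_start, True                     # SUA/PAT: ports tell the hosts apart
    globals_ = ip_range(global_start, global_end or global_start)
    if map_type == "Many-to-Many Overload":
        return globals_[index % len(globals_)], True  # shared pool, reused in turn
    if map_type == "Many-One-to-One":
        # one global address per local address; runs out when the pool is exhausted
        return (globals_[index] if index < len(globals_) else None), False
    raise ValueError(f"unknown mapping type {map_type!r}")


if __name__ == "__main__":
    for t in ("Many-to-One", "Many-to-Many Overload", "Many-One-to-One"):
        for host in ip_range("192.168.1.10", "192.168.1.13"):
            print(t, host, map_address(t, host, "192.168.1.10", "192.168.1.13",
                                       "203.0.113.1", "203.0.113.2"))
```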

17.2 Using NAT

Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.

17.2.1 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA or Full Feature in NAT Overview.

Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you're using SUA NAT mapping. If this is not your intention, then select Full Feature NAT and don't configure NAT mapping rules to those computers with public IP addresses on the DMZ.

17.3 NAT Overview Screen

Click ADVANCED > NAT to open the NAT Overview screen.

Figure 190 ADVANCED > NAT > NAT Overview

The following table describes the labels in this screen.

Table 111 ADVANCED > NAT > NAT Overview

| LABEL | DESCRIPTION |
| --- | --- |
| Global Settings | |
| Max. Concurrent Sessions | This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time. |
| Max. Concurrent Sessions Per Host | Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time. |
| WAN Operation Mode | This read-only field displays the operation mode of the ZyWALL's WAN interfaces. |
| WAN 1, 2 | |
| Enable NAT | Select this check box to turn on the NAT feature for the WAN interface. Clear this check box to turn off the NAT feature for the WAN interface. |
| Address Mapping Rules | Select SUA if you have just one public WAN IP address for your ZyWALL. This lets the ZyWALL use its permanent, pre-defined NAT address mapping rules. Select Full Feature if you have multiple public WAN IP addresses for your ZyWALL. This lets the ZyWALL use the address mapping rules that you configure. This is the equivalent of what used to be called full feature NAT or multi-NAT. The bar displays how many of the ZyWALL's possible address mapping rules are configured. The first number shows how many address mapping rules are configured on the ZyWALL. The second number shows the maximum number of address mapping rules that can be configured on the ZyWALL. |
| Port Forwarding Rules | The bar displays how many of the ZyWALL's possible port forwarding rules are configured. The first number shows how many port forwarding rules are configured on the ZyWALL. The second number shows the maximum number of port forwarding rules that can be configured on the ZyWALL. |
| Port Triggering Rules | The bar displays how many of the ZyWALL's possible trigger port rules are configured. The first number shows how many trigger port rules are configured on the ZyWALL. The second number shows the maximum number of trigger port rules that can be configured on the ZyWALL. |
| Copy to WAN 2 (and Copy to WAN 1) | Click Copy to WAN 2 (or Copy to WAN 1) to duplicate this WAN interface's NAT port forwarding or trigger port rules on the other WAN interface. Note: Using the copy button overwrites the other WAN interface's existing rules. The copy button is best suited for initial NAT configuration where you have configured NAT port forwarding or trigger port rules for one interface and want to use similar rules for the other WAN interface. You can use the other NAT screens to edit the NAT rules after you copy them from one WAN interface to the other. |
| Apply | Click Apply to save your changes back to the ZyWALL. |
| Reset | Click Reset to begin configuring this screen afresh. |

17.4 NAT Address Mapping

Click ADVANCED > NAT > Address Mapping to open the following screen.

17.4.1 What NAT Does

In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed.

See Section 17.1 on page 329 for more on NAT.

Use this screen to change your ZyWALL's address mapping settings. Not all fields are available on all models.

Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your newly configured rule, your configured rule is pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now configure rule number 9, the new rule appears as rule 7, not 9, in the set summary screen. If you then delete rule 4, rules 5 to 7 are pushed up by one rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6.
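The first-match and slot-compaction behaviour just described, as an added example (not ZyXEL code). It replays the paragraph's scenario: six rules configured, a seventh placed in slot 9 that shows up as rule 7, and a deletion of rule 4 that closes the gap. Rule names and address ranges are constructed.

```python
"""Address mapping rule set with first-match lookup and slot compaction.

Added example, not ZyXEL code. It models the two behaviours the paragraph
above states: rules are tried in order and the first match decides, and empty
slots above a rule are closed up (configure slot 9 with only 1 to 6 filled and
it shows as rule 7; delete rule 4 and rules 5 to 7 become 4 to 6). Rule names
and addresses are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class MappingRule:
    name: str
    local_start: str
    local_end: str
    global_ip: str

    def matches(self, ila: str) -> bool:
        return IPv4Address(self.local_start) <= IPv4Address(ila) <= IPv4Address(self.local_end)


class RuleSet:
    def __init__(self, capacity: int = 10) -> None:
        self.slots: List[Optional[MappingRule]] = [None] * capacity

    def configure(self, slot: int, rule: MappingRule) -> int:
        """Store rule in 1-based slot, compact, and return the slot it ended up in."""
        self.slots[slot - 1] = rule
        self._compact()
        return self.slots.index(rule) + 1

    def delete(self, slot: int) -> None:
        self.slots[slot - 1] = None
        self._compact()

    def _compact(self) -> None:
        """Move every configured rule up over the empty slots above it."""
        filled = [r for r in self.slots if r is not None]
        self.slots = filled + [None] * (len(self.slots) - len(filled))

    def numbered(self) -> List[Tuple[int, str]]:
        return [(i + 1, r.name) for i, r in enumerate(self.slots) if r is not None]

    def lookup(self, ila: str) -> Optional[str]:
        """First matching rule wins; later rules are ignored."""
        for rule in self.slots:
            if rule is not None and rule.matches(ila):
                return rule.global_ip
        return None


def run_manual_example() -> dict:
    rs = RuleSet()
    for i in range(1, 7):   # rules 1..6, one per inside subnet (constructed)
        rs.configure(i, MappingRule(f"rule{i}", f"192.168.{i}.1", f"192.168.{i}.254", f"203.0.113.{i}"))
    catch_all = MappingRule("catch-all", "0.0.0.0", "255.255.255.255", "203.0.113.9")
    shown_as = rs.configure(9, catch_all)      # asked for slot 9, appears as 7
    rs.delete(4)                               # old 5, 6, 7 become 4, 5, 6
    return {
        "catch_all_slot": shown_as,
        "order_after_delete": rs.numbered(),
        "host_in_subnet_5": rs.lookup("192.168.5.7"),
        "host_in_deleted_subnet_4": rs.lookup("192.168.4.7"),
    }


if __name__ == "__main__":
    print(run_manual_example())
```

The last lookup is the practical point of rule ordering: once rule 4 is gone, hosts in its subnet silently fall through to the catch-all rule, so a deletion changes which global address those hosts appear as.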

Figure 191 ADVANCED > NAT > Address Mapping

The following table describes the labels in this screen.

Table 112 ADVANCED > NAT > Address Mapping

| LABEL | DESCRIPTION |
| --- | --- |
| SUA Address Mapping Rules | This read-only table displays the default address mapping rules. |
| Full Feature Address Mapping Rules | |
| WAN Interface | Select the WAN interface for which you want to view or configure address mapping rules. |
| Go To Page | Choose a page from the drop-down list box to display the corresponding summary page of address mapping rules. |
| # | This is the rule index number. |
| Local Start IP | This refers to the Inside Local Address (ILA), which is the starting local IP address. If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address. Local IP addresses are N/A for Server port mapping. |
| Local End IP | This is the end Inside Local Address (ILA). If the rule is for all local IP addresses, then this field displays 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types. |
| Global Start IP | This refers to the Inside Global IP Address (IGA), that is the starting global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types. |
| Global End IP | This is the ending Inside Global Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types. |
| Type | 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only. 3. Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. 4. Many One-to-One mode maps each local IP address to unique global IP addresses. 5. Server allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. |
| Modify | Click the edit icon to go to the screen where you can edit the address mapping rule. Click the delete icon to delete an existing address mapping rule. A window displays asking you to confirm that you want to delete the address mapping rule. Note that subsequent address mapping rules move up by one when you take this action. |
| Insert | Click Insert to insert a new mapping rule before an existing one. |

17.4.2 NAT Address Mapping Edit

Click the Edit button to display the NAT Address Mapping Edit screen. Use this screen to edit an address mapping rule. See Section 17.1 on page 329 for information on NAT and address mapping.

Figure 192 ADVANCED > NAT > Address Mapping > Edit

The following table describes the labels in this screen.

Table 113 ADVANCED > NAT > Address Mapping > Edit

| LABEL | DESCRIPTION |
| --- | --- |
| Type | Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type. 2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature. 3. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. 4. Many One-to-One: Many One-to-One mode maps each local IP address to unique global IP addresses. 5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. |
| Local Start IP | This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping. |
| Local End IP | This is the end Inside Local IP Address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types. |
| Global Start IP | This is the starting Inside Global IP Address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP. |
| Global End IP | This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types. |
| Apply | Click Apply to save your changes back to the ZyWALL. |
| Cancel | Click Cancel to exit this screen without saving. |

17.5 Port Forwarding

A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.

You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports.

Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.

17.5.1 Default Server IP Address

In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.

Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.

17.5.2 Port Forwarding: Services and Port Numbers

The ZyWALL provides the additional safety of the DMZ ports for connecting your publicly accessible servers. This makes the LAN more secure by physically separating it from your public servers.

Use the Port Forwarding screen to forward incoming service requests to the server(s) on your local network.

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers.

Table 114 Services and Port Numbers

| SERVICES | PORT NUMBER |
| --- | --- |
| ECHO | 7 |
| FTP (File Transfer Protocol) | 21 |
| SMTP (Simple Mail Transfer Protocol) | 25 |
| DNS (Domain Name System) | 53 |
| Finger | 79 |
| HTTP (Hyper Text Transfer protocol or WWW, Web) | 80 |
| POP3 (Post Office Protocol) | 110 |
| NNTP (Network News Transport Protocol) | 119 |
| SNMP (Simple Network Management Protocol) | 161 |
| SNMP trap | 162 |
| PPTP (Point-to-Point Tunneling Protocol) | 1723 |

17.5.3 Configuring Servers Behind Port Forwarding (Example)

Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.

Figure 193 Multiple Servers Behind NAT Example

17.5.4 NAT and Multiple WAN

The ZyWALL has two WAN interfaces. You can configure port forwarding and trigger port rule sets for the first WAN interface and separate sets of rules for the second WAN interface.

17.5.5 Port Translation

The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the local network. When you use port forwarding without port translation, a single server on the local network can use a specific port number and be accessible to the outside world through a single WAN IP address. When you use port translation with port forwarding, multiple servers on the local network can use the same port number and still be accessible to the outside world through a single WAN IP address.

The following example has two web servers on a LAN. Server A uses IP address 192.168.1.33 and server B uses 192.168.1.34. Both servers use port 80. The letters a.b.c.d represent the WAN port's IP address. The ZyWALL translates port 8080 of traffic received on the WAN port (IP address a.b.c.d) to port 80 and sends it to server A (IP address 192.168.1.33). The ZyWALL also translates port 8100 of traffic received on the WAN port (also IP address a.b.c.d) to port 80, but sends it to server B (IP address 192.168.1.34).


In this example, anyone wanting to access server A from the Internet must use port 8080. Anyone wanting to access server B from the Internet must use port 8100.

Figure 194 Port Translation Example
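The port forwarding, port translation and default server behaviour of Sections 17.5 through 17.5.5, brought together as an added example (not ZyXEL code). Server A and B with their 8080/8100 to 80 translations and the default server 192.168.1.35 come from the text; the other inside addresses and the disabled rule are constructed, and the WAN address stays the manual's a.b.c.d placeholder.

```python
"""Port forwarding with port translation and a default server.

Added example, not ZyXEL code. It implements the dispatch the port forwarding
sections describe: an incoming WAN port or range is forwarded to one inside
server, optionally translated (for a range only the first translated port is
given and the rest follow in step), anything unmatched goes to the default
server, and with no default server the packet is discarded. Server A/B, their
ports and the default server 192.168.1.35 come from the section; the other
addresses are constructed and the WAN address is left as a placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_IP = "a.b.c.d"     # placeholder, as in the manual


@dataclass
class ForwardRule:
    name: str
    active: bool
    first_port: int
    last_port: int
    server_ip: str
    translate_to: Optional[int] = None    # None keeps the incoming port

    def target(self, port: int) -> Optional[Tuple[str, int]]:
        if not self.active or not (self.first_port <= port <= self.last_port):
            return None
        if self.translate_to is None:
            return self.server_ip, port
        # the end of the translated range follows from its start, one port per incoming port
        return self.server_ip, self.translate_to + (port - self.first_port)


def dispatch(rules: List[ForwardRule], port: int,
             default_server: Optional[str] = None) -> Optional[Tuple[str, int]]:
    """Inside (ip, port) that a packet to WAN_IP:port is sent to, or None if discarded."""
    for rule in rules:
        hit = rule.target(port)
        if hit is not None:
            return hit
    return (default_server, port) if default_server else None


RULES = [
    ForwardRule("web-A", True, 8080, 8080, "192.168.1.33", translate_to=80),
    ForwardRule("web-B", True, 8100, 8100, "192.168.1.34", translate_to=80),
    ForwardRule("ftp-telnet-smtp", True, 21, 25, "192.168.1.36"),              # server A of 17.5.3, constructed IP
    ForwardRule("range-translated", True, 9000, 9010, "192.168.1.37", translate_to=3000),
    ForwardRule("old-https", False, 443, 443, "192.168.1.38"),                 # cleared Active box: kept, not used
]
DEFAULT_SERVER = "192.168.1.35"                                                # server C of 17.5.3


if __name__ == "__main__":
    for p in (8080, 8100, 23, 9005, 443):
        print(f"{WAN_IP}:{p} -> {dispatch(RULES, p, DEFAULT_SERVER)}")
```

The port 443 case is worth noticing: a rule that is disabled rather than deleted does not stop the traffic, it hands it to the default server, so a default server turns every unlisted port into a path to one inside host.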

17.6 Port Forwarding Screen

Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen.

Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.

Refer to Table 114 on page 339 for port numbers commonly used for particular services.

Note: The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to something other than Standard.

Figure 195 ADVANCED > NAT > Port Forwarding

The following table describes the labels in this screen.

Table 115 ADVANCED > NAT > Port Forwarding

| LABEL | DESCRIPTION |
| --- | --- |
| WAN Interface | Select the WAN interface for which you want to view or configure address mapping rules. |
| Default Server | In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. |
| Go To Page | Choose a page from the drop-down list box to display the corresponding summary page of the port forwarding servers. |
| # | This is the number of an individual port forwarding server entry. |
| Active | Select this check box to enable the port forwarding server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry. |
| Name | Enter a name to identify this port-forwarding rule. |
| Incoming Port(s) | Enter a port number here. To forward only one port, enter it again in the second field. To specify a range of ports, enter the last port to be forwarded in the second field. |
| Port Translation | Enter the port number here to which you want the ZyWALL to translate the incoming port. For a range of ports, you only need to enter the first number of the range to which you want the incoming ports translated; the ZyWALL automatically calculates the last port of the translated port range. |
| Server IP Address | Enter the inside IP address of the server here. |
| Apply | Click Apply to save your changes back to the ZyWALL. |
| Reset | Click Reset to begin configuring this screen afresh. |

17.7 Port Triggering

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address.

Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The ZyWALL records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger" port). When the ZyWALL's WAN port receives a response with a specific port number and protocol ("incoming" port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer's connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.

For example:

Figure 196 Trigger Port Forwarding Process: Example

1 Jane (A) requests a file from the Real Audio server (port 7070).
2 Port 7070 is a "trigger" port and causes the ZyWALL to record Jane's computer IP address. The ZyWALL associates Jane's computer IP address with the "incoming" port range of 6970-7170.
3 The Real Audio server responds using a port number ranging between 6970-7170.
4 The ZyWALL forwards the traffic to Jane's computer IP address.
5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).
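The trigger port process just listed, as an added simulation (example code, not ZyXEL's). It replays the Real Audio case: the outbound packet to port 7070 binds the 6970-7170 incoming range to Jane's address, a second LAN host cannot take the service while that binding is live, and after the three-minute UDP idle timeout the binding lapses and the next requester gets it. Host addresses and timestamps are constructed.

```python
"""Trigger port forwarding with the per-protocol idle timeouts.

Added example, not ZyXEL code. It replays the Real Audio example above:
outbound traffic to the trigger port records the LAN sender, replies on the
incoming port range are forwarded to that sender, and the association lapses
after three minutes of silence for UDP or two hours for TCP, after which
another LAN host can take the service over. Addresses and times are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UDP_TIMEOUT = 3 * 60          # seconds, per the section
TCP_TIMEOUT = 2 * 60 * 60


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger_start: int
    trigger_end: int
    incoming_start: int
    incoming_end: int


class PortTriggering:
    def __init__(self, rules: List[TriggerRule]) -> None:
        self.rules = rules
        # rule -> (lan ip that owns it, protocol, time of last packet)
        self.bindings: Dict[TriggerRule, Tuple[str, str, float]] = {}

    @staticmethod
    def _expired(binding: Tuple[str, str, float], now: float) -> bool:
        limit = UDP_TIMEOUT if binding[1] == "udp" else TCP_TIMEOUT
        return now - binding[2] > limit

    def outbound(self, lan_ip: str, dst_port: int, proto: str, now: float) -> bool:
        """LAN host sends to dst_port; True if it now owns a trigger rule."""
        for rule in self.rules:
            if rule.trigger_start <= dst_port <= rule.trigger_end:
                owner = self.bindings.get(rule)
                if owner and owner[0] != lan_ip and not self._expired(owner, now):
                    return False            # another LAN host still holds the service
                self.bindings[rule] = (lan_ip, proto, now)
                return True
        return False

    def inbound(self, wan_port: int, now: float) -> Optional[str]:
        """LAN ip a WAN packet on wan_port is forwarded to, or None to drop it."""
        for rule in self.rules:
            if rule.incoming_start <= wan_port <= rule.incoming_end:
                owner = self.bindings.get(rule)
                if owner is None or self._expired(owner, now):
                    return None
                self.bindings[rule] = (owner[0], owner[1], now)   # traffic resets the idle timer
                return owner[0]
        return None


def run_manual_example() -> dict:
    pt = PortTriggering([TriggerRule("Real Audio", 7070, 7070, 6970, 7170)])
    jane, bob = "192.168.1.20", "192.168.1.21"
    late = 10 + UDP_TIMEOUT          # last reply to Jane was seen at t=10
    return {
        "jane_triggers": pt.outbound(jane, 7070, "udp", now=0),
        "reply_goes_to": pt.inbound(7000, now=10),
        "bob_while_jane_active": pt.outbound(bob, 7070, "udp", now=20),
        "reply_after_udp_timeout": pt.inbound(7000, now=late + 1),
        "bob_after_timeout": pt.outbound(bob, 7070, "udp", now=late + 2),
        "reply_now_goes_to": pt.inbound(7100, now=late + 3),
        "unrelated_port": pt.inbound(9999, now=late + 3),
    }


if __name__ == "__main__":
    print(run_manual_example())
```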

Click ADVANCED > NAT > Port Triggering to open the following screen. Use this screen to change your ZyWALL's trigger port settings.

Figure 197 ADVANCED > NAT > Port Triggering

The following table describes the labels in this screen.

Table 116 ADVANCED > NAT > Port Triggering

| LABEL | DESCRIPTION |
| --- | --- |
| WAN Interface | Select the WAN interface for which you want to view or configure address mapping rules. |
| # | This is the rule index number (read-only). |
| Name | Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces. |
| Incoming | Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. |
| Start Port | Type a port number or the starting port number in a range of port numbers. |
| End Port | Type a port number or the ending port number in a range of port numbers. |
| Trigger | The trigger port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN. |
| Start Port | Type a port number or the starting port number in a range of port numbers. |
| End Port | Type a port number or the ending port number in a range of port numbers. |
| Apply | Click Apply to save your changes back to the ZyWALL. |
| Reset | Click Reset to begin configuring this screen afresh. |

This chapter shows you how to configure static routes for your ZyWALL.

18.1 IP Static Route

Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, the ZyWALL knows about network N2 in the following figure through remote node Router 1. However, the ZyWALL is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyWALL about the networks beyond the remote nodes.

Figure 198 Example of Static Routing Topology

18.2 IP Static Route

Click ADVANCED > STATIC ROUTE to open the IP Static Route screen.

The first two static route entries are for default WAN 1 and WAN 2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route.

The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.

Figure 199 ADVANCED > STATIC ROUTE > IP Static Route

[Screen capture: STATIC ROUTE > IP Static Route > Static Route Setup. The table has the columns #, Name, Active, Destination, Gateway and Modify; entries 1 and 2 are Reserved, entries 3 to 30 are free, and each row carries the Modify icons.]

The following table describes the labels in this screen.

Table 117 ADVANCED > STATIC ROUTE > IP Static Route

| LABEL | DESCRIPTION |
| --- | --- |
| # | This is the number of an individual static route. |
| Name | This is the name that describes or identifies this route. |
| Active | This field shows whether this static route is active (Yes) or not (No). |
| Destination | This parameter specifies the IP network address of the final destination. Routing is always based on network number. |
| Gateway | This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyWALL's interface. The gateway helps forward packets to their destinations. |
| Modify | Click the edit icon to go to the screen where you can set up a static route on the ZyWALL. Click the delete icon to remove a static route from the ZyWALL. A window displays asking you to confirm that you want to delete the route. |

18.2.1 IP Static Route Edit

Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route.

Figure 200 ADVANCED >STATIC ROUTE >IP Static Route >Edit

The following table describes the labels in this screen.

Table 118 ADVANCED > STATIC ROUTE > IP Static Route > Edit

| LABEL | DESCRIPTION |
| --- | --- |
| Route Name | Enter the name of the IP static route. Leave this field blank to delete this static route. |
| Active | This field allows you to activate/deactivate this static route. |
| Destination IP Address | This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID. |
| IP Subnet Mask | Enter the IP subnet mask here. |
| Gateway IP Address | Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. |
| Metric | Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number. |
| Private | This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts. |
| Apply | Click Apply to save your changes back to the ZyWALL. |
| Cancel | Click Cancel to exit this screen without saving. |
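The static route fields of Tables 117 and 118 applied to a lookup, as an added example (not ZyXEL code). It shows what "routing is always based on network number" means in practice: the destination is masked and compared with each route's network, the most specific route wins, a 255.255.255.255 mask gives a host route, the 1 to 15 metric range is enforced, and the Private flag keeps a route out of RIP broadcasts. Networks N2 and N3 behind Router 1 follow the topology figure; all addresses are constructed.

```python
"""Static route lookup: network-number matching, host routes and the default route.

Added example, not ZyXEL code. It shows what "routing is always based on
network number" means: the destination IP is masked with each route's subnet
mask and compared with the route's network, the most specific match wins, a
255.255.255.255 mask makes a host route, and the Private flag keeps a route out
of RIP announcements. Metric is validated against the 1 to 15 range the Edit
screen requires. Networks N2/N3 and Router 1 follow the topology figure; all
addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class StaticRoute:
    name: str
    destination: str
    mask: str
    gateway: str
    metric: int = 2
    active: bool = True
    private: bool = False

    def __post_init__(self) -> None:
        if not 1 <= self.metric <= 15:
            raise ValueError("metric must be between 1 and 15")
        # strict=False lets a host address with a shorter mask be normalised to its network
        self.network = IPv4Network(f"{self.destination}/{self.mask}", strict=False)


def lookup(routes: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Longest-prefix match among active routes; lower metric breaks ties."""
    ip = IPv4Address(dst)
    best: Optional[StaticRoute] = None
    for r in routes:
        if not r.active or ip not in r.network:
            continue
        if (best is None or r.network.prefixlen > best.network.prefixlen
                or (r.network.prefixlen == best.network.prefixlen and r.metric < best.metric)):
            best = r
    return best


def rip_advertised(routes: List[StaticRoute]) -> List[str]:
    """Routes the ZyWALL would include in RIP broadcasts (active and not Private)."""
    return [r.name for r in routes if r.active and not r.private]


ROUTES = [
    StaticRoute("default-wan1", "0.0.0.0", "0.0.0.0", "203.0.113.1", metric=1),
    StaticRoute("N2-via-router1", "10.2.0.0", "255.255.0.0", "192.168.1.254"),
    StaticRoute("N3-via-router1", "10.3.0.0", "255.255.255.0", "192.168.1.254", private=True),
    StaticRoute("host-10.3.0.7", "10.3.0.7", "255.255.255.255", "192.168.1.253"),
    StaticRoute("stale", "10.3.0.0", "255.255.255.0", "192.168.1.252", active=False),
]


if __name__ == "__main__":
    for dst in ("10.2.5.5", "10.3.0.7", "10.3.0.8", "8.8.8.8"):
        hit = lookup(ROUTES, dst)
        print(dst, "->", hit.name if hit else "no route", hit.gateway if hit else "")
    print("advertised by RIP:", rip_advertised(ROUTES))
```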

Policy Route

This chapter covers setting and applying policies used for IP routing.

19.1 Policy Route

Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.

19.2 Benefits

  • Source-Based Routing - Network administrators can use policy-based routing to direct traffic from different users through different connections.
  • Quality of Service (QoS) - Organizations can differentiate traffic by setting the precedence or ToS (Type of Service) values in the IP header at the periphery of the network to enable the backbone to prioritize traffic.
  • Cost Savings - IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.
  • Load Sharing - Network administrators can use IPPR to distribute traffic among multiple paths.

19.3 Routing Policy

Individual routing policies are used as part of the overall IPPR process. A policy defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria include the source address and port, IP protocol (ICMP, UDP, TCP, etc.), destination address and port, ToS and precedence (fields in the IP header) and length. The inclusion of length criterion is to differentiate between interactive and bulk traffic. Interactive applications, e.g., telnet, tend to have short packets, while bulk traffic, e.g., file transfer, tends to have large packets.

The actions that can be taken include:

  • Routing the packet to a different gateway (and hence the outgoing interface).
  • Setting the ToS and precedence fields in the IP header.

IPPR follows the existing packet filtering facility of RAS in style and in implementation.
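The policy evaluation described in this section, as an added example (not ZyXEL code): each rule carries source and destination address and port ranges, an IP protocol, a packet length with a comparison operator and a Matched or Not Matched setting; all criteria must hold, rules are tried in order, and a packet caught by a policy skips normal routing. The three sample policies (short interactive packets to one link, FTP bulk traffic to a cheaper one, a Not Matched rule for non-LAN sources) and all addresses are constructed.

```python
"""Policy route evaluation: all criteria must hold, rules apply in order.

Added example, not ZyXEL code. It implements the matching the Routing Policy
section describes: source/destination address and port ranges, IP protocol,
packet length under a comparison operator, a Matched / Not Matched action
setting, and first-match ordering; a packet caught by a policy is not
normally routed. Gateways and addresses are constructed sample values.
"""
import operator
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

LENGTH_OPS = {
    "Equal": operator.eq, "Not Equal": operator.ne, "Less": operator.lt,
    "Greater": operator.gt, "Less or Equal": operator.le, "Greater or Equal": operator.ge,
}
ALL, ICMP, TCP, UDP = 0, 1, 6, 17      # protocol numbers as listed on the screen


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int
    dport: int
    length: int


@dataclass
class PolicyRoute:
    name: str
    gateway: str
    active: bool = True
    protocol: int = ALL
    src_ips: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    dst_ips: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    src_ports: Tuple[int, int] = (0, 65535)
    dst_ports: Tuple[int, int] = (0, 65535)
    length: Optional[int] = None        # None: no length criterion
    length_cmp: str = "Equal"
    applies_to: str = "Matched"         # or "Not Matched"

    @staticmethod
    def _within(value, lo, hi) -> bool:
        return lo <= value <= hi

    def criteria_met(self, p: Packet) -> bool:
        """Every configured criterion has to hold, as the section states."""
        checks = [
            self.protocol in (ALL, p.protocol),
            self._within(IPv4Address(p.src), IPv4Address(self.src_ips[0]), IPv4Address(self.src_ips[1])),
            self._within(IPv4Address(p.dst), IPv4Address(self.dst_ips[0]), IPv4Address(self.dst_ips[1])),
            self._within(p.sport, *self.src_ports),
            self._within(p.dport, *self.dst_ports),
            self.length is None or LENGTH_OPS[self.length_cmp](p.length, self.length),
        ]
        return all(checks)

    def applies(self, p: Packet) -> bool:
        met = self.criteria_met(p)
        return met if self.applies_to == "Matched" else not met


def route(policies: List[PolicyRoute], p: Packet) -> Tuple[str, str]:
    """(policy name, gateway) of the first applicable rule, else normal routing."""
    for pol in policies:
        if pol.active and pol.applies(p):
            return pol.name, pol.gateway
    return "normal routing", ""


POLICIES = [
    PolicyRoute("interactive-fast-link", "203.0.113.1", protocol=TCP, length=128, length_cmp="Less"),
    PolicyRoute("bulk-ftp-cheap-link", "198.51.100.1", protocol=TCP, dst_ports=(21, 21)),
    PolicyRoute("non-lan-sources", "10.0.0.1", src_ips=("192.168.1.0", "192.168.1.255"),
                applies_to="Not Matched"),
]


if __name__ == "__main__":
    telnet = Packet("192.168.1.5", "198.51.100.20", TCP, 40000, 23, 80)
    print(route(POLICIES, telnet))
```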

19.4 IP Routing Policy Setup

Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen.

Figure 201 ADVANCED > POLICY ROUTE > Policy Route Summary

[Screen capture: POLICY ROUTE > Policy Route Summary > Policy Route Setup. The table has the columns #, Active, Source Address/Port, Destination Address/Port, Gateway, Protocol, Action and Modify, with 24 empty rule slots. Below it: Move rule [ ] to rule [ ] (rule number).]

The following table describes the labels in this screen.

Table 119 ADVANCED > POLICY ROUTE > Policy Route Summary

| LABEL | DESCRIPTION |
| --- | --- |
| # | This is the number of an individual policy route. |
| Active | This field shows whether the policy is active or inactive. |
| Source Address/Port | This is the source IP address range and/or port number range. |
| Destination Address/Port | This is the destination IP address range and/or port number range. |
| Gateway | Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. |
| Protocol | This is the IP protocol and can be ALL(0), ICMP(1), IGMP(2), TCP(6), UDP(17), GRE(47), ESP(50) or AH(51). |
| Action | This field specifies whether action should be taken on criteria Matched or Not Matched. |
| Modify | Click the edit icon to go to the screen where you can edit the routing policy on the ZyWALL. Click the delete icon to remove an existing routing policy from the ZyWALL. A window displays asking you to confirm that you want to delete the routing policy. |
| Move | Type a policy route's index number and the number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. |

19.5 Policy Route Edit

Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen. Then click the edit icon to open the Edit IP Policy Route screen. WAN 2 refers to the 3G card on the supported ZyWALL in router mode.

Use this screen to configure a policy route to override the default (shortest path) routing behavior and forward packets based on the criteria you specify. A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. Policy-based routing is applied to incoming packets on a per interface basis before normal routing. The ZyWALL does not perform normal routing on packets that match any of the policy routes.

Figure 202 Edit IP Policy Route

The following table describes the labels in this screen.

Table 120 ADVANCED > POLICY ROUTE > Edit

LABEL | DESCRIPTION
Criteria
Active | Select the check box to activate the policy.
Rule Index | This is the index number of the policy route.
IP Protocol | Select Predefined and then the IP protocol from ALL(0), ICMP(1), IGMP(2), TCP(6), UDP(17), GRE(47), ESP(50) or AH(51). Otherwise, select Custom and enter a number from 0 to 255.
Type of Service | Prioritize incoming network traffic by choosing from Any, Normal, Min Delay, Max Thruput, Max Reliable or Min Cost.
Precedence | Precedence value of the incoming packet. Select a value from 0 to 7 or Any.
Packet Length | Type a packet length (in bytes). The operator in the Length Comparison field compares incoming packets against this length.
Length Comparison | Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.
Application | Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom. You can also configure the source and destination port numbers if you set IP Protocol to TCP or UDP. FTP (File Transfer Protocol) is a program to enable fast transfer of files, including large files that may not be possible by e-mail. Select FTP to configure the policy rule for TCP packets with a port 21 destination. H.323 is a protocol used for multimedia communications over networks, for example NetMeeting. Select H.323 to configure the policy rule for TCP packets with a port 1720 destination. Note: If you select H.323, make sure you also use the ALG screen to turn on the H.323 ALG. SIP (Session Initiation Protocol) is a signaling protocol used in Internet telephony, instant messaging, events notification and conferencing. The ZyWALL supports SIP traffic pass-through. Select SIP to configure the policy rule for UDP packets with a port 5060 destination. Note: If you select SIP, make sure you also use the ALG screen to turn on the SIP ALG.
Source
Interface | Use the check boxes to select LAN, DMZ, WAN 1, WAN 2 and/or WLAN.
Starting IP Address | Enter the source starting IP address.
Ending IP Address | Enter the source ending IP address.
Starting Port | Enter the source starting port number. This field is applicable only when you select TCP or UDP in the IP Protocol field and Custom in the Application field.
Ending Port | Enter the source ending port number. This field is applicable only when you select TCP or UDP in the IP Protocol field and Custom in the Application field.
Destination
Starting IP Address | Enter the destination starting IP address.
Ending IP Address | Enter the destination ending IP address.
Starting Port | Enter the destination starting port number. This field is applicable only when you select TCP or UDP in the IP Protocol field and Custom in the Application field.
Ending Port | Enter the destination ending port number. This field is applicable only when you select TCP or UDP in the IP Protocol field and Custom in the Application field.
Action Applies to | Specifies whether the action is taken when the criteria are Matched or Not Matched.
Routing Action
Gateway | Select User-Defined and enter the IP address of the gateway if you want to specify the gateway yourself. The gateway is an immediate neighbor of your ZyWALL that forwards the packet to the destination; it must be a router on the same segment as your ZyWALL's LAN or WAN interface. Select WAN Interface to have the ZyWALL send traffic that matches the policy route through a specific WAN interface, chosen from the drop-down list box. Select the "Use another interface when the specified WAN interface is not available" check box to have the ZyWALL send the traffic through the other WAN interface if it cannot send it through the WAN interface you selected. This option is only available when you select WAN Interface.
Converted Type of Service | Set the new TOS value of the outgoing packet by choosing Don't Change, Normal, Min Delay, Max Thruput, Max Reliable or Min Cost.
Converted Precedence | Set the new outgoing packet precedence value. Values are 0 to 7 or Don't Change.
Log | Select Yes from the drop-down list box to make an entry in the system log when a policy is executed.
Apply | Click Apply to save your changes back to the ZyWALL.
Cancel | Click Cancel to exit this screen without saving.
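The criteria in Table 120 are combined with AND, and the Action Applies to field decides whether the routing action fires on a match or on a miss. The following is an added example, not ZyWALL code, that models a policy route as data and evaluates it against packets; the dataclass field names, the sample rules and the 192.168.1.x / 203.0.113.x addresses are constructed for illustration.

```python
# Added example (not ZyWALL code): how the criteria in Table 120 combine to decide whether a
# policy route acts on a packet, and how "Action Applies to" Matched / Not Matched inverts the
# outcome. Field names, sample rules, addresses and ports are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

TCP, UDP = 6, 17  # protocol numbers from the IP Protocol field

# Length Comparison operators, applied as op(packet_length, rule_length)
LENGTH_OPS = {
    "Equal": lambda a, b: a == b,
    "Not Equal": lambda a, b: a != b,
    "Less": lambda a, b: a < b,
    "Greater": lambda a, b: a > b,
    "Less or Equal": lambda a, b: a <= b,
    "Greater or Equal": lambda a, b: a >= b,
}

@dataclass
class Packet:
    protocol: int
    src: str
    dst: str
    length: int                       # bytes
    tos: str = "Normal"
    precedence: int = 0
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class PolicyRoute:
    gateway: str                      # routing action: a WAN interface or user-defined gateway
    active: bool = True
    ip_protocol: int = 0              # 0 = ALL
    tos: str = "Any"
    precedence: Optional[int] = None  # None = Any
    packet_length: Optional[int] = None
    length_compare: str = "Equal"
    src_range: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    dst_range: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    src_ports: Optional[Tuple[int, int]] = None  # only meaningful for TCP/UDP
    dst_ports: Optional[Tuple[int, int]] = None
    applies_to: str = "Matched"       # or "Not Matched"

def _in_addr_range(addr: str, rng: Tuple[str, str]) -> bool:
    return IPv4Address(rng[0]) <= IPv4Address(addr) <= IPv4Address(rng[1])

def _in_port_range(port: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def criteria_match(rule: PolicyRoute, pkt: Packet) -> bool:
    """All configured criteria must hold; unset criteria (ALL, Any, None) match anything."""
    if rule.ip_protocol and pkt.protocol != rule.ip_protocol:
        return False
    if rule.tos != "Any" and pkt.tos != rule.tos:
        return False
    if rule.precedence is not None and pkt.precedence != rule.precedence:
        return False
    if rule.packet_length is not None and not LENGTH_OPS[rule.length_compare](pkt.length, rule.packet_length):
        return False
    if not (_in_addr_range(pkt.src, rule.src_range) and _in_addr_range(pkt.dst, rule.dst_range)):
        return False
    if pkt.protocol in (TCP, UDP):  # port criteria apply only to TCP and UDP
        if not (_in_port_range(pkt.sport, rule.src_ports) and _in_port_range(pkt.dport, rule.dst_ports)):
            return False
    return True

def route_via(rule: PolicyRoute, pkt: Packet) -> Optional[str]:
    """Gateway the rule sends the packet through, or None if the rule does not act on it."""
    if not rule.active:
        return None
    matched = criteria_match(rule, pkt)
    wants_matched = rule.applies_to == "Matched"
    return rule.gateway if matched == wants_matched else None

# Constructed sample rules: SIP from the LAN range goes out WAN 2; everything that is NOT a
# small packet (shorter than 512 bytes) goes out WAN 1 via a "Not Matched" rule.
SIP_RULE = PolicyRoute(gateway="WAN 2", ip_protocol=UDP,
                       src_range=("192.168.1.1", "192.168.1.254"), dst_ports=(5060, 5060))
BULK_RULE = PolicyRoute(gateway="WAN 1", packet_length=512, length_compare="Less",
                        applies_to="Not Matched")
SIP_PKT = Packet(protocol=UDP, src="192.168.1.20", dst="203.0.113.5", length=400, sport=5060, dport=5060)
WEB_PKT = Packet(protocol=TCP, src="192.168.1.20", dst="203.0.113.5", length=1400, sport=51000, dport=80)

if __name__ == "__main__":
    for name, pkt in (("SIP", SIP_PKT), ("web", WEB_PKT)):
        print(name, "-> SIP rule:", route_via(SIP_RULE, pkt), "| bulk rule:", route_via(BULK_RULE, pkt))
```

The "Not Matched" rule is the part worth checking twice when auditing a configuration: it routes every packet the criteria do not describe, so a typo in a single criterion silently widens what leaves through that gateway.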

Bandwidth Management

This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes.

20.1 Bandwidth Management Overview

Bandwidth management allows you to allocate an interface's outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay. With the use of real-time applications such as Voice-over-IP (VoIP) increasing, the requirement for bandwidth allocation is also increasing.

Bandwidth management addresses questions such as:

  • Who gets how much access to specific applications?
  • What priority level should you give to each type of traffic?
  • Which traffic must have guaranteed delivery?
  • How much bandwidth should be allotted to guarantee delivery?

Bandwidth management also allows you to configure the allowed output for an interface to match what the network can handle. This helps reduce delays and dropped packets at the next routing device. For example, you can set the WAN interface speed to 1024 kbps (or less) if the broadband device connected to the WAN port has an upstream speed of 1024 kbps.

20.2 Bandwidth Classes and Filters

Use bandwidth classes and sub-classes to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth class (or sub-class) based on a specific application and/or subnet. Use the Class Setup screen (see Section 20.12.1 on page 364) to set up a bandwidth class's name, bandwidth allotment, and bandwidth filter. You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters. However, it is recommended that you configure sub-classes with filters for any classes that you configure without filters. The ZyWALL leaves the bandwidth budget allocated and unused for a class that does not have a filter or sub-classes with filters. View your configured bandwidth classes and sub-classes in the Class Setup screen (see Section 20.12 on page 363 for details).

The total of the configured bandwidth budgets for sub-classes cannot exceed the configured bandwidth budget speed of the parent class.

20.3 Proportional Bandwidth Allocation

Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth.

20.4 Application-based Bandwidth Management

You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).

20.5 Subnet-based Bandwidth Management

You can create bandwidth classes based on subnets.

The following figure shows LAN subnets. You could configure one bandwidth class for subnet A and another for subnet B.

Figure 203 Subnet-based Bandwidth Management Example

20.6 Application and Subnet-based Bandwidth Management

You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.

Table 121 Application and Subnet-based Bandwidth Management Example

TRAFFIC TYPE | FROM SUBNET A | FROM SUBNET B
VoIP | 64 kbps | 64 kbps
Web | 64 kbps | 64 kbps
FTP | 64 kbps | 64 kbps
E-mail | 64 kbps | 64 kbps
Video | 64 kbps | 64 kbps

20.7 Scheduler

The scheduler divides up an interface's bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based.

20.7.1 Priority-based Scheduler

With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class's priority number is, the higher the priority. Assign real-time applications (like those using audio or video) a higher priority number to provide smoother operation.

20.7.2 Fairness-based Scheduler

The ZyWALL divides bandwidth equally among bandwidth classes when using the fairness-based scheduler, which prevents one bandwidth class from using all of the interface's bandwidth.

20.7.3 Maximize Bandwidth Usage

The maximize bandwidth usage option allows the ZyWALL to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a class is not using) among the bandwidth classes that require more bandwidth.

When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels. When only one class requires more bandwidth, the ZyWALL gives extra bandwidth to that class.

When multiple classes require more bandwidth, the ZyWALL gives the highest priority classes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority classes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among classes with the same priority level.

20.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic

Do the following three steps to configure the ZyWALL to allow bandwidth for traffic that is not defined in a bandwidth filter.

1 Leave some of the interface's bandwidth unbudgeted.
2 Do not enable the interface's Maximize Bandwidth Usage option.
3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their parent (see Section 20.8 on page 359).

20.7.5 Maximize Bandwidth Usage Example

Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class's bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps. The unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when you do not select the maximize bandwidth option.

Table 122 Maximize Bandwidth Usage Example

BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
  Administration: 2048 kbps
  Sales: 2048 kbps
  Marketing: 2048 kbps
  Research: 2048 kbps

The ZyWALL divides up the unbudgeted 2048 kbps among the classes that require more bandwidth. If the administration department only uses 1024 kbps of the budgeted 2048 kbps, the ZyWALL also divides the remaining 1024 kbps among the classes that require more bandwidth. Therefore, the ZyWALL divides a total of 3072 kbps of unbudgeted and unused bandwidth among the classes that require more bandwidth.

20.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth

The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets.

Table 123 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example

BANDWIDTH CLASSES, PRIORITY AND ALLOTMENTS
Root Class: 10240 kbps
  Administration: Priority 4, 1024 kbps
  Sales: Priority 6, 3584 kbps
  Marketing: Priority 6, 3584 kbps
  Research: Priority 5, 2048 kbps

Suppose that all of the classes except for the administration class need more bandwidth.

  • Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps.
  • The sales and marketing classes are first to get extra bandwidth because they have the highest priority (6). If they each require 1536 kbps or more of extra bandwidth, the ZyWALL divides the 3072 kbps total of unbudgeted and unused bandwidth equally between them (1536 kbps extra to each, for a total of 3584 kbps each) because they both have the highest priority level.
  • Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes.

20.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth

The following table shows the amount of bandwidth that each class gets.

Table 124 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example

BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
  Administration: 1024 kbps
  Sales: 3072 kbps
  Marketing: 3072 kbps
  Research: 3072 kbps

Suppose that all of the classes except for the administration class need more bandwidth.

  • Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps.
  • The ZyWALL divides the 3072 kbps total of unbudgeted and unused bandwidth equally among the other classes. 1024 kbps extra goes to each, so the other classes each get a total of 3072 kbps.

20.8 Bandwidth Borrowing

Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface.

Enable bandwidth borrowing on a sub-class to allow the sub-class to use its parent class's unused bandwidth. A parent class's unused bandwidth is given to the highest priority sub-class first. The sub-class can also borrow bandwidth from a higher parent class (grandparent class) if the sub-class's parent class is also configured to borrow bandwidth from its parent class. This can go on for as many levels as are configured to borrow bandwidth from their parent class (see Section 20.8.1 on page 359).

The total of the bandwidth allotments for sub-classes cannot exceed the bandwidth allotment of their parent class. The ZyWALL uses the scheduler to divide a parent class's unused bandwidth among the sub-classes.

20.8.1 Bandwidth Borrowing Example

Here is an example of bandwidth management with classes configured for bandwidth borrowing. The classes are set up based on departments and individuals within certain departments.

Refer to the product specifications in the appendix to see how many class levels you can configure on your ZyWALL.

Table 125 Bandwidth Borrowing Example

BANDWIDTH CLASSES AND BANDWIDTH BORROWING SETTINGS
Root Class
  Administration: Borrowing Enabled
  Sales: Borrowing Disabled
    Sales USA: Borrowing Enabled
      Bill: Borrowing Enabled
      Amy: Borrowing Disabled
    Sales Asia: Borrowing Disabled
      Tina: Borrowing Enabled
      Fred: Borrowing Disabled
  Marketing: Borrowing Enabled
  Research: Borrowing Enabled
    Software: Borrowing Enabled
    Hardware: Borrowing Enabled

  • The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled.
  • The Bill class can also borrow unused bandwidth from the Sales class because the Sales USA class also has bandwidth borrowing enabled.
  • The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled.
  • The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
  • The Research Software and Hardware classes can both borrow unused bandwidth from the Research class because the Research Software and Hardware classes both have bandwidth borrowing enabled.
  • The Research Software and Hardware classes can also borrow unused bandwidth from the Root class because the Research class also has bandwidth borrowing enabled.
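The borrowing rule of Section 20.8 is a walk up the class tree that stops at the first class with borrowing disabled. The following is an added example, not ZyWALL code, that holds the Table 125 tree as data and derives the six bullets above from it; it also checks the constraint that sub-class allotments may not exceed their parent's. The class and function names are constructed, and the budgets used by the check are constructed too, since Table 125 gives none.

```python
# Added example (not ZyWALL code): the class tree of Table 125 as data, with the rule from
# Section 20.8 that a class may borrow from its parent only when its own borrowing is enabled,
# and from a grandparent only when every class between them has borrowing enabled as well.
# over_allotted() applies the constraint that sub-class allotments may not exceed the parent's;
# the budgets it is tested with are constructed, Table 125 gives none.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class ClassNode:
    name: str
    borrow: bool = False                 # "Borrow bandwidth from parent class" setting
    budget: Optional[int] = None         # kbps; None when not given
    parent: Optional["ClassNode"] = None
    children: List["ClassNode"] = field(default_factory=list)

    def add(self, name: str, borrow: bool = False, budget: Optional[int] = None) -> "ClassNode":
        child = ClassNode(name, borrow, budget, parent=self)
        self.children.append(child)
        return child

    def find(self, name: str) -> Optional["ClassNode"]:
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None

def lenders(node: ClassNode) -> List[str]:
    """Names of the ancestors whose unused bandwidth `node` may borrow, nearest first.
    The walk stops at the first class on the way up that has borrowing disabled."""
    out = []
    while node.borrow and node.parent is not None:
        out.append(node.parent.name)
        node = node.parent
    return out

def over_allotted(node: ClassNode) -> List[str]:
    """Parents whose children's budgets add up to more than the parent's own budget."""
    bad = []
    kids = [c for c in node.children if c.budget is not None]
    if node.budget is not None and kids and sum(c.budget for c in kids) > node.budget:
        bad.append(node.name)
    for child in node.children:
        bad.extend(over_allotted(child))
    return bad

def table_125() -> ClassNode:
    """The borrowing settings of Table 125, top to bottom."""
    root = ClassNode("Root")
    root.add("Administration", True)
    sales = root.add("Sales", False)
    usa = sales.add("Sales USA", True)
    usa.add("Bill", True)
    usa.add("Amy", False)
    asia = sales.add("Sales Asia", False)
    asia.add("Tina", True)
    asia.add("Fred", False)
    root.add("Marketing", True)
    research = root.add("Research", True)
    research.add("Software", True)
    research.add("Hardware", True)
    return root

if __name__ == "__main__":
    tree = table_125()
    for name in ("Bill", "Amy", "Tina", "Software"):
        print(name, "can borrow from:", ", ".join(lenders(tree.find(name))) or "nobody")
```

Running `lenders` over every leaf of a real configuration is a quick way to see which classes can reach the Root class's unused bandwidth; those are the ones Section 20.7.4 says to keep borrowing disabled on when you want to reserve bandwidth for unclassified traffic.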

20.9 Maximize Bandwidth Usage With Bandwidth Borrowing

If you configure both maximize bandwidth usage (on the interface) and bandwidth borrowing (on individual sub-classes), the ZyWALL functions as follows.

1 The ZyWALL sends traffic according to each bandwidth class's bandwidth budget.
2 The ZyWALL assigns a parent class's unused bandwidth to its sub-classes that have more traffic than their budgets and have bandwidth borrowing enabled. The ZyWALL gives priority to sub-classes of higher priority and treats classes of the same priority equally.
3 The ZyWALL assigns any remaining unused or unbudgeted bandwidth on the interface to any class that requires it. The ZyWALL gives priority to classes of higher priority and treats classes of the same level equally.
4 If the bandwidth requirements of all of the traffic classes are met and there is still some unbudgeted bandwidth, the ZyWALL assigns it to traffic that does not match any of the classes.

20.10 Over Allotment of Bandwidth

It is possible to set the bandwidth management speed for an interface higher than the interface's actual transmission speed. Higher priority traffic gets to use up to its allocated bandwidth, even if it takes up all of the interface's available bandwidth. This could stop lower priority traffic from being sent. The following is an example.

Table 126 Over Allotment of Bandwidth Example

BANDWIDTH CLASSES, ALLOTMENTS AND PRIORITY
Actual outgoing bandwidth available on the interface: 1000 kbps
Root Class: 1500 kbps (same as Speed setting)
  VoIP traffic (Service = SIP): 500 kbps, priority 7
  NetMeeting traffic (Service = H.323): 500 kbps, priority 7
  FTP (Service = FTP): 500 kbps, priority 3

If you use VoIP and NetMeeting at the same time, the device allocates up to 500 kbps of bandwidth to each of them before it allocates any bandwidth to FTP. As a result, FTP can only use bandwidth when VoIP and NetMeeting do not use all of their allocated bandwidth.

Suppose you try to browse the web too. In this case, VoIP, NetMeeting and FTP all have higher priority, so they get to use the bandwidth first. You can only browse the web when VoIP, NetMeeting and FTP do not use all 1000 kbps of available bandwidth.
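The allotments in Tables 123 and 124 (Sections 20.7.5.1 and 20.7.5.2) and the starvation in Table 126 (Section 20.10) all come from the same two-step procedure: budgets first, then leftover bandwidth to whoever still wants more. The following is an added example, not ZyWALL code, that models that scheduler and reproduces the three tables. Its assumptions go beyond what the page states and are marked as such: classes at one priority level split a pool equally with water-filling, the fairness-based scheduler treats all classes as a single level in both steps, and the interface's real transmission speed caps what the scheduler can hand out. The per-class demands are constructed; the page only says which classes "require more bandwidth".

```python
# Added example (not ZyWALL code): a model of how the scheduler hands out budgeted, unused and
# unbudgeted bandwidth, reproducing Tables 123 and 124 (maximize bandwidth usage) and Table 126
# (over allotment). Assumptions not stated on the page: classes at one priority level split a
# pool equally with water-filling (a class that needs less takes only what it needs), the
# fairness-based scheduler treats all classes as one level in both steps, and the physical
# interface speed caps everything the scheduler can hand out.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class BwClass:
    name: str
    budget: int    # kbps, the class's bandwidth budget
    priority: int  # 0..7, a higher number means a higher priority
    demand: int    # kbps the class's traffic currently wants to send (constructed)

def _fill_equally(pool: float, wants: Dict[str, float]) -> Tuple[Dict[str, float], float]:
    """Water-fill `pool` equally across the classes in `wants`; returns (given, leftover)."""
    given = {n: 0.0 for n in wants}
    pending = {n for n, w in wants.items() if w > 0}
    while pool > 0 and pending:
        share = pool / len(pending)
        satisfied = [n for n in pending if wants[n] - given[n] <= share]
        if not satisfied:            # everyone wants more than an equal share: split it all
            for n in pending:
                given[n] += share
            pool = 0.0
        for n in satisfied:          # smaller requests are met in full, the rest is re-split
            need = wants[n] - given[n]
            given[n] += need
            pool -= need
            pending.discard(n)
    return given, pool

def schedule(classes: List[BwClass], speed: int, capacity: Optional[int] = None,
             scheduler: str = "priority", maximize: bool = True) -> Dict[str, int]:
    """kbps per class plus 'Default', the bandwidth left for traffic that matches no class."""
    pool = float(speed if capacity is None else min(speed, capacity))
    if scheduler == "priority":
        levels = sorted({c.priority for c in classes}, reverse=True)
        groups = [[c for c in classes if c.priority == p] for p in levels]
    else:                            # fairness-based: no class is preferred
        groups = [list(classes)]
    alloc = {c.name: 0.0 for c in classes}
    # Step 1: each class gets up to its budget; higher priority fills the real interface first,
    # which is what starves FTP in Table 126
    for group in groups:
        given, pool = _fill_equally(pool, {c.name: min(c.budget, c.demand) for c in group})
        for n, g in given.items():
            alloc[n] += g
    # Step 2 (Maximize Bandwidth Usage): unused and unbudgeted bandwidth goes to classes that
    # still want more, highest priority level first
    if maximize:
        for group in groups:
            given, pool = _fill_equally(pool, {c.name: c.demand - alloc[c.name] for c in group})
            for n, g in given.items():
                alloc[n] += g
    alloc["Default"] = pool
    return {n: round(v) for n, v in alloc.items()}

# Tables 122-124: administration uses 1024 of its 2048 kbps, the others want more (constructed)
DEPARTMENTS = [BwClass("Administration", 2048, 4, 1024), BwClass("Sales", 2048, 6, 4096),
               BwClass("Marketing", 2048, 6, 4096), BwClass("Research", 2048, 5, 4096)]
# Table 126: Speed 1500 kbps configured on an interface that can really send 1000 kbps
OVER_ALLOTTED = [BwClass("VoIP", 500, 7, 500), BwClass("NetMeeting", 500, 7, 500),
                 BwClass("FTP", 500, 3, 500)]

if __name__ == "__main__":
    print("priority:", schedule(DEPARTMENTS, speed=10240))
    print("fairness:", schedule(DEPARTMENTS, speed=10240, scheduler="fairness"))
    print("over-allotted:", schedule(OVER_ALLOTTED, speed=1500, capacity=1000, maximize=False))
```

The `capacity` argument is the check a practitioner wants before enabling a new class: run the configured budgets against the real upstream speed and see whether the lowest priority classes, and the Default bucket that unclassified traffic depends on, ever receive anything.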

20.11 Configuring Summary

Click ADVANCED > BW MGMT to open the Summary screen.

Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface.

Figure 204 ADVANCED > BW MGMT > Summary

The following table describes the labels in this screen.

Table 127 ADVANCED > BW MGMT > Summary

LABEL | DESCRIPTION
Class | These read-only labels represent the physical interfaces. Select an interface's check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic's source. Traffic redirect or IP alias may cause LAN-to-LAN or DMZ-to-DMZ traffic to pass through the ZyWALL and be managed by bandwidth management.
Active | Select an interface's check box to enable bandwidth management on that interface.
Speed (kbps) | Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface's root class (see Section 20.12 on page 363). The recommendation is to set this speed to match the interface's actual transmission speed, that is, what the device connected to the port can handle. For example, set the WAN interface speed to 1000 kbps if the broadband device connected to the WAN port has an upstream speed of 1000 kbps (1 Mbps). You can set this number higher than the interface's actual transmission speed; this will stop lower priority traffic from being sent if higher priority traffic uses all of the actual bandwidth. You can also set this number lower than the interface's actual transmission speed; if you do not enable Maximize Bandwidth Usage, this will cause the ZyWALL to not use some of the interface's available bandwidth.
Scheduler | Select either Priority-Based or Fairness-Based from the drop-down menu to control the traffic flow. Select Priority-Based to give preference to bandwidth classes with higher priorities. Select Fairness-Based to treat all bandwidth classes equally. See Section 20.7 on page 357.
Maximize Bandwidth Usage | Select this check box to have the ZyWALL divide up all of the interface's unallocated and/or unused bandwidth among the bandwidth classes that require bandwidth. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class (see Section 20.7.4 on page 357) or you want to limit the speed of this interface (see the Speed field description).
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

20.12 Configuring Class Setup

The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click "+" to expand the class tree or click "-" to collapse it. Each interface has a permanent root class. The bandwidth budget of the root class is equal to the speed you configured on the interface (see Section 20.11 on page 361 to configure the speed of the interface). Configure sub-class layers for the root class.

To add or delete child classes on an interface, click ADVANCED > BW MGMT > Class Setup. The screen is shown here with example classes.

Figure 205 ADVANCED > BW MGMT > Class Setup

The following table describes the labels in this screen.

Table 128 ADVANCED > BW MGMT > Class Setup

LABEL | DESCRIPTION
Interface | Select an interface for which you want to set up bandwidth management classes. Bandwidth management controls outgoing traffic on an interface, not incoming. So, in order to limit the download bandwidth of the LAN users, set the bandwidth management class on the LAN. In order to limit the upload bandwidth, set the bandwidth management class on the corresponding WAN interface.
Bandwidth Management | This field displays whether bandwidth management on the interface you selected in the field above is enabled (Active) or not (Inactive).
After you select an interface, the bandwidth management classes configured for the interface display. The name, bandwidth and priority display for each class. "borrow" also displays if the class is set to use bandwidth from its parent class when the parent class is not using up its bandwidth budget.
Add Sub-Class | Click Add Sub-Class to add a sub-class.
Edit | Click Edit to configure the selected class. You cannot edit the root class.
Delete | Click Delete to delete the class and all its sub-classes. You cannot delete the root class.
Statistics | Click Statistics to display the status of the selected class.
Enabled Classes Search Order | This list displays the interface's active bandwidth management classes (the ones that have the bandwidth filter enabled). The ZyWALL applies the classes in the order that they appear here. Once a connection matches a bandwidth management class, the ZyWALL applies the class's rules and does not check the connection against any other bandwidth management classes.
Search Order | This is the index number of an individual bandwidth management class.
Class Name | This is the name that identifies a bandwidth management class.
Service | This is the service that this bandwidth management class is configured to manage.
Destination IP Address | This is the destination IP address for connections to which this bandwidth management class applies.
Destination Port | This is the destination port for connections to which this bandwidth management class applies.
Source IP Address | This is the source IP address for connections to which this bandwidth management class applies.
Source Port | This is the source port for connections to which this bandwidth management class applies.
Protocol ID | This is the protocol ID (service type) number for connections to which this bandwidth management class applies. For example: 1 for ICMP, 6 for TCP or 17 for UDP.
Move | Type a class's index number and the number for where you want to put that class. Click Move to move the class to the number that you typed. The ordering of your classes is important as they are applied in order of their numbering.

20.12.1 Bandwidth Manager Class Configuration

Configure a bandwidth management class in the Class Setup screen. You must use the Summary screen to enable bandwidth management on an interface before you can configure classes for that interface.

Click ADVANCED > BW MGMT > Class Setup > Add Sub-Class or Edit to open the following screen. Use this screen to add a child class.

Figure 206 ADVANCED > BW MGMT > Class Setup > Add Sub-Class

The following table describes the labels in this screen.

Table 129 ADVANCED > BW MGMT > Class Setup > Add Sub-Class

LABEL | DESCRIPTION
Class Configuration
Class Name | Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
Bandwidth Budget (kbps) | Specify the maximum bandwidth allowed for the class in kbps. The recommendation is a setting between 20 kbps and 20000 kbps for an individual class.
Priority | Enter a number between 0 and 7 to set the priority of this class. The higher the number, the higher the priority. The default setting is 3.
Borrow bandwidth from parent class | Select this option to allow a sub-class to borrow bandwidth from its parent class if the parent class is not using up its bandwidth budget. Bandwidth borrowing is governed by the priority of the sub-classes. That is, a sub-class with the highest priority (7) is the first to borrow bandwidth from its parent class. Do not select this for the classes directly below the root class if you want to leave bandwidth available for other traffic types (see Section 20.7.4 on page 357) or you want to set the interface's speed to match what the next device in the network can handle (see the Speed field description in Table 127 on page 362).
Filter Configuration
Enable Bandwidth Filter | Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
Service | This field simplifies bandwidth class configuration by allowing you to select a predefined application. When you select a predefined application, you do not configure the rest of the bandwidth filter fields (other than enabling or disabling the filter). FTP (File Transfer Protocol) is a program to enable fast transfer of files, including large files that may not be possible by e-mail. Select FTP from the drop-down list box to configure the bandwidth filter for TCP packets with a port 21 destination. H.323 is a protocol used for multimedia communications over networks, for example NetMeeting. Select H.323 from the drop-down list box to configure the bandwidth filter for TCP packets with a port 1720 destination. Note: If you select H.323, make sure you also use the ALG screen to turn on the H.323 ALG. SIP (Session Initiation Protocol) is a signaling protocol used in Internet telephony, instant messaging, events notification and conferencing. The ZyWALL supports SIP traffic pass-through. Select SIP from the drop-down list box to configure this bandwidth filter for UDP packets with a port 5060 destination. This option makes it easier to manage bandwidth for SIP traffic and is useful, for example, when there is a VoIP (Voice over Internet Protocol) device on your LAN. Note: If you select SIP, make sure you also use the ALG screen to turn on the SIP ALG. Select Custom from the drop-down list box if you do not want to use a predefined application for the bandwidth class. When you select Custom, you need to configure at least one of the following fields (other than the Subnet Mask fields, which you only enter if you also enter a corresponding destination or source IP address).
Destination Address Type | Do you want your rule to apply to packets going to a particular (single) IP address, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50) or a subnet? Select Single Address, Range Address or Subnet Address.
Destination IP Address | Enter the single IP address or the starting IP address in a range here.
Destination End Address / Subnet Mask | If you are configuring a range of IP addresses, enter the ending IP address here. If you are configuring a subnet of addresses, enter the subnet mask here. Refer to Appendix E on page 663 for more information on IP subnetting.
Destination Port | Enter the starting and ending destination port numbers. Enter the same port number in both fields to specify a single port number. See Appendix F on page 671 for a table of services and port numbers.
Source Address Type | Do you want your rule to apply to packets coming from a particular (single) IP address, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50) or a subnet? Select Single Address, Range Address or Subnet Address.
Source IP Address | Enter the single IP address or the starting IP address in a range here.
Source End Address / Subnet Mask | If you are configuring a range of IP addresses, enter the ending IP address here. If you are configuring a subnet of addresses, enter the subnet mask here. Refer to Appendix E on page 663 for more information on IP subnetting.
Source Port | Enter the starting and ending source port numbers. Enter the same port number in both fields to specify a single port number. See Appendix F on page 671 for a table of services and port numbers.
Protocol ID | Enter the protocol ID (service type) number, for example: 1 for ICMP, 6 for TCP or 17 for UDP.
Apply | Click Apply to save your changes back to the ZyWALL.
Cancel | Click Cancel to exit this screen without saving.

Table 130 Services and Port Numbers

SERVICE | PORT NUMBER
ECHO | 7
FTP (File Transfer Protocol) | 21
SMTP (Simple Mail Transfer Protocol) | 25
DNS (Domain Name System) | 53
Finger | 79
HTTP (Hyper Text Transfer Protocol or WWW, Web) | 80
POP3 (Post Office Protocol) | 110
NNTP (Network News Transport Protocol) | 119
SNMP (Simple Network Management Protocol) | 161
SNMP trap | 162
PPTP (Point-to-Point Tunneling Protocol) | 1723

20.12.2 Bandwidth Management Statistics

Click ADVANCED > BW MGMT > Class Setup > Statistics to open the Bandwidth Management Statistics screen. This screen displays the selected bandwidth class's bandwidth usage and allotments.

Figure 207 ADVANCED > BW MGMT > Class Setup > Statistics

The following table describes the labels in this screen.

Table 131 ADVANCED > BW MGMT > Class Setup > Statistics

LABEL | DESCRIPTION
Class Name | This field displays the name of the class the statistics page is showing.
Budget (kbps) | This field displays the amount of bandwidth allocated to the class.
Tx Packets | This field displays the total number of packets transmitted.
Tx Bytes | This field displays the total number of bytes transmitted.
Dropped Packets | This field displays the total number of packets dropped.
Dropped Bytes | This field displays the total number of bytes dropped.
Bandwidth Statistics for the Past 8 Seconds (t-8 to t-1) | This field displays the bandwidth statistics (in bps) for the past one to eight seconds. For example, t-1 means one second ago.
Automatic Refresh Interval | Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh | Click this button to update the screen's statistics immediately.
Clear Counter | Click Clear Counter to clear all of the bandwidth management statistics.

20.13 Bandwidth Manager Monitor

Click ADVANCED > BW MGMT > Monitor to open the following screen. Use this screen to view the device's bandwidth usage and allotments.

Figure 208 ADVANCED > BW MGMT > Monitor

The following table describes the labels in this screen.

Table 132 ADVANCED > BW MGMT > Monitor

LABEL | DESCRIPTION
Interface | Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class | This field displays the name of the bandwidth class. A Default Class automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes. If you do not enable maximize bandwidth usage on an interface, the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes (see note A below).
Budget (kbps) | This field displays the amount of bandwidth allocated to the bandwidth class.
Current Usage (kbps) | This field displays the amount of bandwidth that each bandwidth class is using.
Refresh | Click Refresh to update the page.

A. If you allocate all the root class's bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).

DNS

This chapter shows you how to configure the DNS screens.

21.1 DNS Overview

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in the order you specify in the DNS System screen) to resolve domain names for features such as VPN, DDNS and the time server.

21.2 DNS Server Address Assignment

The ZyWALL can get the DNS server addresses in the following ways.

1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL's WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section 21.5.1 on page 372).

21.3 DNS Servers

There are three places where you can configure DNS setup on the ZyWALL.

1 Use the DNS System screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN, DDNS and the time server.
2 Use the DNS DHCP screen to configure the DNS server information that the ZyWALL sends to the DHCP client devices on the LAN, DMZ or WLAN.
3 Use the REMOTE MGMT DNS screen to configure the ZyWALL (in router mode) to accept or discard DNS queries.

21.4 Address Record

An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host name and a domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host name, "zyxel.com.tw" is the domain name and "tw" is the top-level domain ("com.tw" being the registry suffix beneath it).

mail.myZyXEL.com.tw is also an FQDN, where "mail" is the host name, "myZyXEL.com.tw" is the domain name and "tw" is the top-level domain.

The ZyWALL allows you to configure address records about the ZyWALL itself or another device. This way you can keep a record of DNS names and addresses that people on your network may use frequently. If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record, the ZyWALL can send the IP address in a DNS response without having to query a DNS name server.

21.4.1 DNS Wildcard

Enabling the wildcard feature for your host causes *.yourhost.com to be aliased to the same IP address as yourhost.com. This feature is useful if you want to be able to use, for example, www.yourhost.com and still reach your hostname.

21.5 Name Server Record

A name server record contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. A domain zone may also be included. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.

21.5.1 Private DNS Server

In cases where you want to use domain names to access Intranet servers on a remote private network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP since these DNS servers cannot resolve domain names to private IP addresses on the remote private network.

The following figure depicts an example where three VPN tunnels are created from ZyWALL A; one to branch office 2, one to branch office 3 and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the ZyWALL at branch office 1 uses the Intranet DNS server in headquarters.

Figure 209 Private DNS Server Example

Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.

21.6 System Screen

Click ADVANCED > DNS to display the following screen. Use this screen to configure your ZyWALL's DNS address and name server records.

Figure 210 ADVANCED > DNS > System DNS

The following table describes the labels in this screen.

Table 133 ADVANCED > DNS > System DNS

Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host name and a domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host name, "zyxel.com.tw" is the domain name and "tw" is the top-level domain ("com.tw" being the registry suffix beneath it).
#: This is the index number of the address record.
FQDN: This is a host's fully qualified domain name.
Wildcard: This column displays whether or not the DNS wildcard feature is enabled for this domain name.
IP Address: This is the IP address of a host.
Modify: Click the edit icon to go to the screen where you can edit the record. Click the delete icon to remove an existing record. A window displays asking you to confirm that you want to delete the record. Note that subsequent records move up by one when you take this action.
Add: Click Add to open a screen where you can add a new address record. Refer to Table 134 on page 376 for information on the fields.
Name Server Record: A name server record contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. When the ZyWALL needs to resolve a domain name, it checks it against the name server record entries in the order that they appear in this list. A "*" indicates a name server record without a domain zone. The default record is grayed out. The ZyWALL uses this default record if the domain name that needs to be resolved does not match any of the other name server records. A name server record with a domain zone is always put before a record without a domain zone.
#: This is the index number of the name server record.
Domain Zone: A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
From: This field displays whether the IP address of a DNS server comes from a WAN interface (and which one) or was specified by the user.
DNS Server: This is the IP address of a DNS server.
Modify: Click a triangle icon to move the record up or down in the list. Click the edit icon to go to the screen where you can edit the record. Click the delete icon to remove an existing record. A window displays asking you to confirm that you want to delete the record. Note that subsequent records move up by one when you take this action.
Insert: Click Insert to open a screen where you can insert a new name server record. Refer to Table 135 on page 377 for information on the fields.

21.6.1 Adding an Address Record

Click Add in the System screen to open this screen. Use this screen to add an address record. An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. Configure address records about the ZyWALL itself or another device to keep a record of DNS names and addresses that people on your network may use frequently. If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record, the ZyWALL can send the IP address in a DNS response without having to query a DNS name server. See Section 21.4 on page 372 for more on address records.

Figure 211 ADVANCED > DNS > Add (Address Record)

The following table describes the labels in this screen.

Table 134 ADVANCED > DNS > Add (Address Record)

FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host name, "zyxel.com.tw" is the domain name and "tw" is the top-level domain ("com.tw" being the registry suffix beneath it).
IP Address: If this entry is for one of the WAN ports on a ZyWALL with multiple WAN ports, select WAN Interface and select WAN 1 or WAN 2 from the drop-down list box. If this entry is for the WAN port on a ZyWALL with a single WAN port, select WAN Interface. For entries that are not for the WAN port(s), select Custom and enter the IP address of the host in dotted decimal notation.
Enable Wildcard: Select the check box to enable DNS wildcard.
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.

21.6.2 Inserting a Name Server Record

Click Insert in the System screen to open this screen. Use this screen to insert a name server record. A name server record contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. A domain zone may also be included. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.

Figure 212 ADVANCED > DNS > Insert (Name Server Record)

The following table describes the labels in this screen.

Table 135 ADVANCED > DNS > Insert (Name Server Record)

Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Leave this field blank if all domain zones are served by the specified DNS server(s).
DNS Server: Select the DNS Server(s) from ISP radio button if your ISP dynamically assigns DNS server information. The fields below display the (read-only) DNS server IP address(es) that the ISP assigns. N/A displays for any DNS server IP address field for which the ISP does not assign an IP address. N/A displays for all of the DNS server IP address fields if the ZyWALL has a fixed WAN IP address. Select Public DNS Server if you have the IP address of a DNS server. The IP address must be public or a private address on your local LAN. Enter the DNS server's IP address in the field to the right. Public DNS Server entries with the IP address set to 0.0.0.0 are not allowed. Select Private DNS Server if the DNS server has a private IP address and is located behind a VPN peer. Enter the DNS server's IP address in the field to the right. With a private DNS server, you must also configure the first DNS server entry for the LAN, DMZ and/or WLAN in the DNS DHCP screen to use DNS Relay. You must also configure a VPN rule, since the ZyWALL uses a VPN tunnel when it relays DNS queries to the private DNS server. The rule must include the LAN IP address of the ZyWALL as a local IP address and the IP address of the DNS server as a remote IP address. Private DNS Server entries with the IP address set to 0.0.0.0 are not allowed.
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
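The lookup order that the System DNS screen and the two tables above describe (address records first, then name server records with zoned entries ahead of the default "*" entry, and private servers reachable only through a matching VPN rule) is easier to follow in code. The following Python model is an added example for this edition and is not ZyXEL firmware or documentation code; every record, address and VPN rule in it is constructed sample data, and the action names it returns ("local", "forward", "vpn", "error") are the example's own.

```python
"""Added example (not ZyXEL code): how a DNS query is dispatched according to
the System DNS screen.  Order of precedence:
1. a local address record (exact FQDN, or any subdomain when Wildcard is on);
2. the first name server record whose domain zone covers the query, zoned
   records always sitting above the default "*" record;
3. the default "*" record.
A private DNS server is only usable if a VPN rule pairs the ZyWALL's LAN
address (local) with the server's address (remote); otherwise the relay has
no tunnel to use.  All records below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class AddressRecord:
    fqdn: str
    ip: str
    wildcard: bool = False


@dataclass
class NameServerRecord:
    server: str
    zone: Optional[str] = None   # None is shown as "*" on the screen
    private: bool = False        # reachable only through a VPN peer


@dataclass
class VpnRule:
    local: str    # ZyWALL LAN IP address
    remote: str   # remote network or host in CIDR notation


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _in_zone(query: str, zone: str) -> bool:
    q, z = _norm(query), _norm(zone)
    return q == z or q.endswith("." + z)


def match_address_record(query: str, records: List[AddressRecord]) -> Optional[str]:
    """Return the IP from a matching address record, honouring the Wildcard flag."""
    q = _norm(query)
    for r in records:
        f = _norm(r.fqdn)
        if q == f or (r.wildcard and q.endswith("." + f)):
            return r.ip
    return None


def order_name_servers(records: List[NameServerRecord]) -> List[NameServerRecord]:
    """Zoned records keep their configured order but always precede zone-less ones."""
    return [r for r in records if r.zone] + [r for r in records if not r.zone]


def vpn_rule_covers(rule: VpnRule, lan_ip: str, dns_ip: str) -> bool:
    return (ip_address(lan_ip) == ip_address(rule.local)
            and ip_address(dns_ip) in ip_network(rule.remote, strict=False))


def resolve_path(query: str, address_records: List[AddressRecord],
                 ns_records: List[NameServerRecord], vpn_rules: List[VpnRule],
                 lan_ip: str) -> Tuple[str, str]:
    """Return (action, detail): answer locally, forward, relay over VPN, or error."""
    ip = match_address_record(query, address_records)
    if ip is not None:
        return ("local", ip)
    for r in order_name_servers(ns_records):
        if r.zone and not _in_zone(query, r.zone):
            continue
        if r.private:
            if not any(vpn_rule_covers(v, lan_ip, r.server) for v in vpn_rules):
                return ("error", "no VPN rule with local %s and remote %s" % (lan_ip, r.server))
            return ("vpn", r.server)
        return ("forward", r.server)
    return ("error", "no name server record matches")


# Constructed sample configuration
LAN_IP = "192.168.1.1"
ADDRESS_RECORDS = [AddressRecord("example.com.tw", "192.0.2.10", wildcard=True)]
NAME_SERVERS = [
    NameServerRecord("203.0.113.53"),                               # default "*" record
    NameServerRecord("10.1.1.53", zone="hq.example", private=True),  # Intranet server behind a VPN peer
]
VPN_RULES = [VpnRule(local=LAN_IP, remote="10.1.1.0/24")]

if __name__ == "__main__":
    for q in ("www.example.com.tw", "fileserver.hq.example", "www.zyxel.com"):
        print(q, "->", resolve_path(q, ADDRESS_RECORDS, NAME_SERVERS, VPN_RULES, LAN_IP))
```

The "error" branch for a private server is the check worth keeping in mind: the Insert screen accepts a Private DNS Server entry whether or not a VPN rule covers it, and only the relay at query time reveals that the tunnel is missing.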

21.7 DNS Cache

DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response means that the ZyWALL received the IP address for a domain name that it checked with a DNS server within the five second DNS timeout period. A negative response means that the ZyWALL did not receive a response for a query it sent to a DNS server within the five second DNS timeout period.

When the ZyWALL receives DNS queries, it compares them against the DNS cache before querying a DNS server. If the DNS query matches a positive entry, the ZyWALL responds with the IP address from the entry. If the DNS query matches a negative entry, the ZyWALL replies that the DNS query failed.
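The following Python model of the cache just described is an added example and is not ZyXEL firmware code. Its settings mirror the fields of the ADVANCED > DNS > Cache screen (Cache Positive DNS Resolutions, Maximum TTL, Cache Negative DNS Resolutions, Negative Cache Period, Flush); the reading that a positive entry lives for the server's TTL capped at Maximum TTL is this example's assumption, and the clock is a manual one so expiry can be exercised offline. All names and addresses are constructed.

```python
"""Added example (not ZyXEL code): a model of the ZyWALL DNS cache.
Positive entries expire after min(response TTL, Maximum TTL) (the cap is this
example's assumption); negative entries (no answer within the 5 s DNS timeout)
expire after Negative Cache Period; both periods are limited to 60..3600 s as
on the screen.  A manual clock replaces the real one."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DNS_TIMEOUT_SEC = 5
PERIOD_MIN, PERIOD_MAX = 60, 3600


class ManualClock:
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class CacheEntry:
    cache_type: str     # "positive" or "negative"
    ip: str             # 0.0.0.0 for negative entries, as the screen shows them
    expires_at: float


class DnsCache:
    def __init__(self, clock: ManualClock, cache_positive: bool = True, max_ttl: int = 3600,
                 cache_negative: bool = False, negative_period: int = 60) -> None:
        for v in (max_ttl, negative_period):
            if not PERIOD_MIN <= v <= PERIOD_MAX:
                raise ValueError("cache periods must be %d..%d seconds" % (PERIOD_MIN, PERIOD_MAX))
        self.clock = clock
        self.cache_positive, self.max_ttl = cache_positive, max_ttl
        self.cache_negative, self.negative_period = cache_negative, negative_period
        self._entries: Dict[str, CacheEntry] = {}

    def record_response(self, name: str, ip: Optional[str], ttl: int = 0) -> None:
        """ip=None means the upstream server did not answer within DNS_TIMEOUT_SEC."""
        name = name.lower().rstrip(".")
        if ip is None:
            if self.cache_negative:
                self._entries[name] = CacheEntry("negative", "0.0.0.0",
                                                 self.clock.now + self.negative_period)
        elif self.cache_positive:
            self._entries[name] = CacheEntry("positive", ip,
                                             self.clock.now + min(ttl, self.max_ttl))

    def lookup(self, name: str) -> Tuple[str, Optional[str]]:
        """Consulted before any server is queried: ("positive", ip), ("negative", None) or ("miss", None)."""
        name = name.lower().rstrip(".")
        e = self._entries.get(name)
        if e is None:
            return ("miss", None)
        if e.expires_at <= self.clock.now:      # Remaining Time reached 0: discard
            del self._entries[name]
            return ("miss", None)
        return (e.cache_type, e.ip if e.cache_type == "positive" else None)

    def remaining(self, name: str) -> int:
        """Remaining Time (sec) column."""
        e = self._entries.get(name.lower().rstrip("."))
        return max(0, int(e.expires_at - self.clock.now)) if e else 0

    def flush(self) -> None:
        """Flush button: every name must be queried again afterwards."""
        self._entries.clear()

    def entries(self) -> List[Tuple[str, str, str, int]]:
        """Rows as the DNS Cache Entry table shows them: name, type, IP, remaining seconds."""
        return [(n, e.cache_type, e.ip, self.remaining(n)) for n, e in self._entries.items()]


if __name__ == "__main__":
    clk = ManualClock()
    cache = DnsCache(clk, max_ttl=300, cache_negative=True, negative_period=60)
    cache.record_response("www.example.com", "192.0.2.1", ttl=86400)   # day-long TTL capped at 300 s
    cache.record_response("nosuch.example", None)                      # upstream timed out
    for row in cache.entries():
        print(row)
```

Note what a negative entry actually records: not a server's answer that the name does not exist, but the absence of any answer within the timeout. With negative caching on, a brief upstream outage is therefore reported to clients as a failed lookup for the whole Negative Cache Period, which argues for keeping that period near its 60-second minimum.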

21.8 Configure DNS Cache

To configure your ZyWALL's DNS caching, click ADVANCED > DNS > Cache. The screen appears as shown.

Figure 213 ADVANCED >DNS > Cache

The following table describes the labels in this screen.

Table 136 ADVANCED > DNS > Cache

DNS Cache Setup
Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL's processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN.
Maximum TTL: Type the maximum time to live (TTL) (60 to 3600 seconds). This sets how long the ZyWALL is to allow a positive resolution entry to remain in the DNS cache before discarding it.
Cache Negative DNS Resolutions: Caching negative DNS resolutions helps speed up the ZyWALL's processing of commonly queried domain names (for which DNS resolution has failed) and reduces the amount of traffic that the ZyWALL sends out to the WAN.
Negative Cache Period: Type the time (60 to 3600 seconds) that the ZyWALL is to allow a negative resolution entry to remain in the DNS cache before discarding it.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
DNS Cache Entry
Flush: Click this button to clear the cache manually. After you flush the cache, the ZyWALL must query the DNS servers again for any domain names that had been previously resolved.
Refresh: Click this button to reload the cache.
#: This is the index number of a record.
Cache Type: This displays whether the response for the DNS request is positive or negative.
Domain Name: This is the domain name of a host.
IP Address: This is the (resolved) IP address of a host. This field displays 0.0.0.0 for negative DNS resolution entries.
Remaining Time (sec): This is the number of seconds left before the DNS resolution entry is discarded from the cache.
Modify: Click the delete icon to remove the DNS resolution entry from the cache.

21.9 Configuring DNS DHCP

Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients.

Figure 214 ADVANCED > DNS > DHCP

The following table describes the labels in this screen.

Table 137 ADVANCED >DNS >DHCP

DNS Servers Assigned by DHCP Server: The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients.
Selected Interface: Select an interface from the drop-down list box to configure the DNS servers for the specified interface.
DNS: These read-only labels represent the DNS servers.
IP: Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you choose User-Defined but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined and enter the same IP address, the second User-Defined changes to None after you click Apply. Select DNS Relay to have the ZyWALL act as a DNS proxy. The ZyWALL's LAN, DMZ or WLAN IP address displays in the field to the right (read-only). The ZyWALL tells the DHCP clients on the LAN, DMZ or WLAN that the ZyWALL itself is the DNS server. When a computer on the LAN, DMZ or WLAN sends a DNS query to the ZyWALL, the ZyWALL forwards the query to the ZyWALL's system DNS server (configured in the DNS System screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you click Apply. Select None if you do not want to configure DNS servers. You must then have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured. If you do not configure a DNS server, you must know the IP address of a computer in order to access it.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

21.10 Dynamic DNS

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.

First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.

Note: You must go to the Dynamic DNS service provider's website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL.

21.10.1 DYNDNS Wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.

Note: If you have a private WAN IP address, then you cannot use Dynamic DNS.

21.10.2 High Availability

A DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping.

21.11 Configuring Dynamic DNS

To change your ZyWALL's DDNS, click ADVANCED > DNS > DDNS. The screen appears as shown.

Figure 215 ADVANCED >DNS >DDNS

The following table describes the labels in this screen.

Table 138 ADVANCED >DNS>DDNS

Account Setup
Active: Select this check box to use dynamic DNS.
Service Provider: This is the name of your Dynamic DNS service provider.
Username: Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed.
Password: Enter the password associated with the user name above. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed.
My Domain Names
Domain Name 1~5: Enter the host names in these fields.
DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider. Select Dynamic if you have the Dynamic DNS service. Select Static if you have the Static DNS service. Select Custom if you have the Custom DNS service.
Offline: This option is available when Custom is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
Wildcard: Select the check box to enable DYNDNS Wildcard.
WAN Interface: Select the WAN interface to use for updating the IP address of the domain name.
IP Address Update Policy: Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN interface's IP address. Select Use User-Defined and enter the IP address if you have a static IP address. Select Let DDNS Server Auto Detect only when there are one or more NAT routers between the ZyWALL and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server.
HA: Select this check box to enable the high availability (HA) feature. High availability has the ZyWALL update a domain name with another interface's IP address when the normal WAN interface does not have a connection. If the WAN interface specified in the WAN Interface field does not have a connection, the ZyWALL will attempt to use the IP address of another WAN interface to update the domain name. When the WAN interfaces are in the active/passive operating mode, the ZyWALL will update the domain name with the IP address of whichever WAN interface has a connection, regardless of the setting in the WAN Interface field. Disable this feature and the ZyWALL will only update the domain name with an IP address of the WAN interface specified in the WAN Interface field. If that WAN interface does not have a connection, the ZyWALL will not update the domain name with another port's IP address. Note: If you enable high availability, DDNS can also function when the ZyWALL uses the dial backup port. DDNS does not function when the ZyWALL uses traffic redirect.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

Remote Management

This chapter provides information on the Remote Management screens.

22.1 Remote Management Overview

Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.

The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure.

Figure 216 Secure and Insecure Remote Management From the WAN

Note: When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 11 on page 181 for details on configuring firewall rules.

You can also disable a service on the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces.

You may only have one remote management session running at a time. The ZyWALL automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.

1 Console port
2 SSH
3 Telnet
4 HTTPS and HTTP


22.1.1 Remote Management Limitations

Remote management does not work when:

1 You have not enabled that service on the interface in the corresponding remote management screen.
2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secure Client IP Address field does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
4 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
5 There is a firewall rule that blocks it.
6 A filter is applied (through the SMT or the commands) to block a Telnet, FTP or Web service.
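The admission rules in the two lists above (service enabled on the arriving interface, Secure Client IP Address match, one session at a time with preemption by priority) are shown below as an added Python model; it is example code for this edition, not ZyXEL firmware. Firewall rules and SMT filters (points 5 and 6) are outside the model, and the interface names, addresses and configuration are constructed.

```python
"""Added example (not ZyXEL code): admission of a remote management session.
A request is refused when the service is not enabled on the interface it
arrives on, when the client is not the configured Secure Client IP Address,
or when a session of equal or higher priority is already running; a running
session of lower priority is disconnected in favour of the new one."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Lower number wins.  HTTPS and HTTP share the lowest priority.
PRIORITY = {"console": 1, "ssh": 2, "telnet": 3, "https": 4, "http": 4}


@dataclass
class ServiceConfig:
    server_access: Set[str] = field(default_factory=set)   # interfaces ticked; empty = disabled
    secure_client_ip: Optional[str] = None                 # None = All


@dataclass
class Session:
    service: str
    interface: str
    client_ip: str


class RemoteManagement:
    def __init__(self, services: Dict[str, ServiceConfig]) -> None:
        self.services = services
        self.active: Optional[Session] = None

    def request(self, service: str, interface: str, client_ip: str) -> Tuple[bool, str]:
        if service not in PRIORITY:
            return (False, "unknown service")
        cfg = self.services.get(service, ServiceConfig())
        if not cfg.server_access:
            return (False, "%s is disabled on every interface" % service)
        if interface not in cfg.server_access:
            return (False, "%s is not allowed on %s" % (service, interface))
        if cfg.secure_client_ip is not None and cfg.secure_client_ip != client_ip:
            return (False, "client %s is not the Secure Client IP Address" % client_ip)
        if self.active is not None:
            if PRIORITY[self.active.service] <= PRIORITY[service]:
                return (False, "a %s session of equal or higher priority is running"
                        % self.active.service)
            dropped = self.active.service
            self.active = Session(service, interface, client_ip)
            return (True, "%s session started; %s session disconnected" % (service, dropped))
        self.active = Session(service, interface, client_ip)
        return (True, "%s session started" % service)

    def logout(self) -> None:
        self.active = None


# Constructed configuration: plaintext HTTP only from the LAN, HTTPS from the WAN
# for a single administrator address, SSH from the WAN for any address, Telnet off.
CONFIG = {
    "http": ServiceConfig({"LAN"}),
    "https": ServiceConfig({"LAN", "WAN1"}, secure_client_ip="203.0.113.7"),
    "ssh": ServiceConfig({"WAN1"}),
    "telnet": ServiceConfig(),             # nothing ticked: Telnet is disabled
    "console": ServiceConfig({"CONSOLE"}),
}

if __name__ == "__main__":
    rm = RemoteManagement(CONFIG)
    for attempt in (("http", "WAN1", "198.51.100.9"), ("https", "WAN1", "203.0.113.7"),
                    ("ssh", "WAN1", "198.51.100.9"), ("https", "LAN", "192.168.1.33")):
        print(attempt, "->", rm.request(*attempt))
```

The preemption rule is worth remembering during an incident: a console or SSH login silently ends an administrator's web configurator session, and a web login cannot displace either of them.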

22.1.2 System Timeout

There is a default system management idle timeout of five minutes (three hundred seconds). The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the MAINTENANCE > General screen.

22.2 WWW (HTTP and HTTPS)

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is a protocol layered between the application (here HTTP) and TCP that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed).

It relies upon certificates, public keys, and private keys (see Chapter 15 on page 297 for more information).

HTTPS on the ZyWALL is used so that you may securely access the ZyWALL using the web configurator. The SSL protocol specifies that the SSL server (the ZyWALL) must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL), whereas the SSL client only needs to authenticate itself when the SSL server requires it to do so (select Authenticate Client Certificates in the REMOTE MGMT > WWW screen). Authenticate Client Certificates is optional and, if selected, means the SSL client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL.

Please refer to the following figure.

1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL's WS (web server).
2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL's WS (web server).

Figure 217 HTTPS Implementation

Note: If you disable the HTTP service in the REMOTE MGMT > WWW screen, then the ZyWALL blocks all HTTP connection attempts.

22.3 WWW

Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to configure the ZyWALL's HTTP and HTTPS management settings.

Figure 218 ADVANCED > REMOTE MGMT > WWW

The following table describes the labels in this screen.

Table 139 ADVANCED >REMOTE MGMT > WWW

HTTPS
Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
Authentication Client Certificates: Select Authentication Client Certificates (optional) to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see Appendix H on page 691 on importing certificates for details).
Server Port: The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL web configurator to use "https://ZyWALL IP Address:8443" as the URL.
Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. You can allow only secure web configurator access by clearing all of the interface check boxes in the HTTP Server Access field and setting the HTTPS Server Access field to an interface(s).
Secure Client IP Address: A secure client is a "trusted" computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to allow only the computer with the IP address that you specify to access the ZyWALL using this service.
HTTP
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.
Secure Client IP Address: A secure client is a "trusted" computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to allow only the computer with the IP address that you specify to access the ZyWALL using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.

22.4 HTTPS Example

If you haven't changed the default HTTPS port on the ZyWALL, then in your browser enter "https://ZyWALL IP Address/" as the web site address where "ZyWALL IP Address" is the IP address or domain name of the ZyWALL you wish to access.

22.4.1 Internet Explorer Warning Messages

When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyWALL.

You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the web configurator login screen; if you select No, then web configurator access is blocked.

Figure 219 Security Alert Dialog Box (Internet Explorer)

22.4.2 Netscape Navigator Warning Messages

When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL.

If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape.

Select Accept this certificate permanently to import the ZyWALL's certificate into the SSL client.

Figure 220 Security Certificate 1 (Netscape)

Figure 221 Security Certificate 2 (Netscape)

22.4.3 Avoiding the Browser Warning Messages

The following describes the main reasons that your browser displays warnings about the ZyWALL's HTTPS server certificate and what you can do to avoid seeing the warnings.

1 The issuing certificate authority of the ZyWALL's HTTPS server certificate is not one of the browser's trusted certificate authorities. The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self-signed certificate.

  • For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
  • To have the browser trust the certificates issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certificate. Refer to Appendix H on page 691 for details.

2 The actual IP address of the HTTPS server (the IP address of the ZyWALL's port that you are trying to access) does not match the common name specified in the ZyWALL's HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.

2a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field.
2b Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for the certificate's common name (see Figure 224 on page 390 for an example).

Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL's actual IP address. You cannot use this procedure if you need to access the WAN port and it uses a dynamically assigned IP address. Current browsers compare the address against the certificate's subject alternative name (SAN) extension rather than its common name, so a certificate that carries the IP address only as its common name can still produce a warning in them.

2c Create a new certificate for the ZyWALL that uses the IP address (of the ZyWALL's port that you are trying to access) as the certificate's common name. For example, to use HTTPS to access a LAN port with IP address 192.168.1.1, create a certificate that uses 192.168.1.1 as the common name.
2d Go to the remote management WWW screen and select the newly created certificate in the Server Certificate field. Click Apply.

22.4.4 Login Screen

After you accept the certificate, the ZyWALL login screen appears. The lock displayed in the bottom right of the browser status bar denotes a secure connection.

Figure 222 Example: Lock Denoting a Secure Connection

Click Login and you then see the next screen.

The factory default certificate is a common default certificate shared by all ZyWALL models. Because every unit ships with the same certificate and the same private key, any other ZyWALL, or anyone who has extracted that key from one, could impersonate your ZyWALL's HTTPS server without the browser noticing, so replace it with a device-specific certificate as described next.

Figure 223 Replace Certificate

Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL's MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.

Figure 224 Device-specific Certificate

Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen.

Figure 225 Common ZyWALL Certificate

22.5 SSH

You can use SSH (Secure SHell) to securely access the ZyWALL's SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come.

Unlike Telnet or FTP, which transmit data in plaintext (clear or unencrypted text), SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session.

Figure 226 SSH Communication Over the WAN Example

22.6 How SSH Works

The following figure summarizes how a secure connection is established between two remote hosts.

Figure 227 How SSH Works

1 Host Identification

The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.

The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.

2 Encryption Method

Once the identification is verified, both the client and server must agree on the type of encryption method to use.

3 Authentication and Data Transmission

After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.

22.7 SSH Implementation on the ZyWALL

Your ZyWALL supports SSH version 1.5 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the ZyWALL for remote SMT management and file transfer on port 22. Only one SSH connection is allowed at a time.

22.7.1 Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.

22.8 Configuring SSH

Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL's Secure Shell settings.

It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 228 ADVANCED > REMOTE MGMT > SSH

The following table describes the labels in this screen.

Table 140 ADVANCED > REMOTE MGMT > SSH

LABEL | DESCRIPTION
Server Host Key | Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see Chapter 15 on page 297 for details).
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access | Select the interface(s) through which a computer may access the ZyWALL using this service.
Secure Client IP Address | A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to allow only the computer with the IP address that you specify to access the ZyWALL using this service.
Apply | Click Apply to save your customized settings and exit this screen.
Reset | Click Reset to begin configuring this screen afresh.

22.9 Secure Telnet Using SSH Examples

This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user's guide.

22.9.1 Example 1: Microsoft Windows

This section describes how to access the ZyWALL using the Secure Shell Client program.

1 Launch the SSH client and specify the connection information (IP address, port number or device name) for the ZyWALL.
2 Configure the SSH client to accept connection using SSH version 1.
3 A window displays prompting you to store the host key in your computer. Click Yes to continue.

Figure 229 SSH Example 1: Store Host Key

Figure 230 SSH Example 2: Test

Enter the password to log in to the ZyWALL. The SMT main menu displays next.

22.9.2 Example 2: Linux

This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.

1 Test whether the SSH service is available on the ZyWALL.

Enter "telnet 192.168.1.1 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL (using the default IP address of 192.168.1.1).

A message displays indicating the SSH protocol version supported by the ZyWALL.

$ telnet 192.168.1.1 22
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SSH-1.5-1.0.0

2 Enter "ssh -1 192.168.1.1". This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type "yes" and press [ENTER].

Then enter the password to log in to the ZyWALL.

Figure 231 SSH Example 2: Log in

$ ssh -1 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:

3 The SMT main menu displays next.
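The version string returned in step 1 is the SSH identification banner, and it tells you which protocol versions a management host offers before any login happens. As an added example (not part of the manual or the ZyWALL firmware), the code below parses such banners and classifies hosts, which is useful when inventorying devices that still only speak SSH-1; the sample banners are constructed, and `grab_ssh_banner` performs the same exchange as the telnet test.

```python
import socket
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SshBanner:
    """Fields of an SSH identification string: SSH-protoversion-software [comments]."""
    raw: str
    protoversion: str
    software: str
    comments: Optional[str]

    @property
    def supports_v1(self) -> bool:
        # "1.5" and "1.3" are protocol 1 only; "1.99" is a protocol 2 server
        # that also accepts protocol 1 clients (RFC 4253, section 5.1).
        return self.protoversion.startswith("1.")

    @property
    def supports_v2(self) -> bool:
        return self.protoversion in ("2.0", "1.99")


def parse_ssh_banner(line: str) -> SshBanner:
    """Parse one identification line such as 'SSH-1.5-1.0.0\\r\\n'."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {line!r}")
    ident, _, comments = line.partition(" ")
    parts = ident.split("-", 2)          # ["SSH", protoversion, softwareversion]
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError(f"malformed identification string: {line!r}")
    return SshBanner(line, parts[1], parts[2], comments or None)


def classify(banner: SshBanner) -> str:
    """Return 'v1-only', 'v1+v2' or 'v2-only'. The v1-only hosts are the ones
    to track: protocol 1 has known integrity weaknesses and OpenSSH removed
    support for it in release 7.6, so modern clients cannot connect at all."""
    if banner.supports_v1 and banner.supports_v2:
        return "v1+v2"
    return "v1-only" if banner.supports_v1 else "v2-only"


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> SshBanner:
    """Same exchange as 'telnet host 22': the server sends its identification
    string as soon as the TCP connection is up. Lines that do not start with
    'SSH-' (a server may send some before the banner) are skipped."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        for _ in range(20):                  # bound the number of pre-banner lines
            while b"\n" not in buf:
                chunk = sock.recv(256)
                if not chunk:
                    raise ConnectionError("connection closed before SSH banner")
                buf += chunk
            line, _, buf = buf.partition(b"\n")
            if line.startswith(b"SSH-"):
                return parse_ssh_banner(line.decode("ascii", "replace"))
    raise ValueError("no SSH identification string received")


# Constructed banners: the ZyWALL one from the telnet test above, plus two
# others for comparison (their software strings are illustrative).
SAMPLE_BANNERS: Dict[str, str] = {
    "zywall": "SSH-1.5-1.0.0\r\n",
    "both": "SSH-1.99-OpenSSH_5.3\r\n",
    "modern": "SSH-2.0-OpenSSH_9.6 Debian-1\r\n",
}


def audit_banners(banners: Dict[str, str] = SAMPLE_BANNERS) -> Dict[str, str]:
    """Map each host label to its protocol class. For real hosts, feed the
    results of grab_ssh_banner() instead of the constructed strings."""
    return {name: classify(parse_ssh_banner(text)) for name, text in banners.items()}
```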

22.10 Secure FTP Using SSH Example

This section shows an example on file transfer using the OpenSSH client program. The configuration and connection steps are similar for other SSH client programs. Refer to your SSH client program user's guide.

1 Enter "sftp -1 192.168.1.1". This command forces your computer to connect to the ZyWALL for secure file transfer using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type "Yes" and press [ENTER].
2 Enter the password to log in to the ZyWALL.
3 Use the "put" command to upload new firmware to the ZyWALL.

Figure 232 Secure FTP: Firmware Upload Example

22.11 Telnet

You can use Telnet to access the ZyWALL's SMT or command line interface. Specify which interfaces allow Telnet access and from which IP address the access can come.

22.12 Configuring TELNET

Click ADVANCED > REMOTE MGMT > TELNET to open the following screen. Use this screen to specify which interfaces allow Telnet access and from which IP address the access can come.

It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 233 ADVANCED > REMOTE MGMT > Telnet

The following table describes the labels in this screen.

Table 141 ADVANCED > REMOTE MGMT > Telnet

LABEL | DESCRIPTION
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access | Select the interface(s) through which a computer may access the ZyWALL using this service.
Secure Client IP Address | A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to allow only the computer with the IP address that you specify to access the ZyWALL using this service.
Apply | Click Apply to save your customized settings and exit this screen.
Reset | Click Reset to begin configuring this screen afresh.

22.13 FTP

You can use FTP (File Transfer Protocol) to upload and download the ZyWALL's firmware and configuration files; see the User's Guide chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.

To change your ZyWALL's FTP settings, click ADVANCED > REMOTE MGMT > FTP. The screen appears as shown. Use this screen to specify which interfaces allow FTP access and from which IP address the access can come.

It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 234 ADVANCED > REMOTE MGMT > FTP

The following table describes the labels in this screen.

Table 142 ADVANCED >REMOTE MGMT > FTP

LABEL | DESCRIPTION
Server Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access | Select the interface(s) through which a computer may access the ZyWALL using this service.
Secure Client IP Address | A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to allow only the computer with the IP address that you specify to access the ZyWALL using this service.
Apply | Click Apply to save your customized settings.
Reset | Click Reset to begin configuring this screen afresh.

22.14 SNMP

Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1). The next figure illustrates an SNMP management operation.

SNMP is only available if TCP/IP is configured.

Figure 235 SNMP Management Model

An SNMP managed network consists of two main types of components: agents and a manager.

An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables (managed objects) that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status and so on. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

  • Get - Allows the manager to retrieve an object variable from the agent.
  • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
  • Set - Allows the manager to set values for object variables within an agent.
  • Trap - Used by the agent to inform the manager of some events.

22.14.1 Supported MIBs

The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.

22.14.2 SNMP Traps

The ZyWALL will send traps to the SNMP manager when any one of the following events occurs:

Table 143 SNMP Traps

TRAP # | TRAP NAME | DESCRIPTION
0 | coldStart (defined in RFC-1215) | A trap is sent after booting (power on).
1 | warmStart (defined in RFC-1215) | A trap is sent after booting (software reboot).
4 | authenticationFailure (defined in RFC-1215) | A trap is sent to the manager when the ZyWALL receives any SNMP Get or Set request with the wrong community (password).
6 | whyReboot (defined in ZYXEL-MIB) | A trap is sent with the reason for the restart before rebooting when the system is going to restart (warm start).
6a | For intentional reboot: | A trap is sent with the message "System reboot by user!" if the reboot is done intentionally (for example, download new files, CI command "sys reboot", etc.).
6b | For fatal error: | A trap is sent with the message of the fatal code if the system reboots because of fatal errors.

22.14.3 REMOTE MANAGEMENT: SNMP

To change your ZyWALL's SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown.

Figure 236 ADVANCED > REMOTE MGMT > SNMP

The following table describes the labels in this screen.

Table 144 ADVANCED >REMOTE MGMT > SNMP

LABEL | DESCRIPTION
SNMP Configuration |
Get Community | Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community | Enter the Set Community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.
Trap |
Community | Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Destination | Type the IP address of the station to send your SNMP traps to.
SNMP |
Service Port | You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Service Access | Select the interface(s) through which a computer may access the ZyWALL using this service.
Secure Client IP Address | A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to allow only the computer with the IP address that you specify to access the ZyWALL using this service.
Apply | Click Apply to save your customized settings.
Reset | Click Reset to begin configuring this screen afresh.

22.15 DNS

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 8 on page 131 for more information.

Click ADVANCED > REMOTE MGMT > DNS to change your ZyWALL's DNS settings. Use this screen to set from which IP address the ZyWALL will accept DNS queries and on which interface it can send them. This feature is not available when the ZyWALL is set to bridge mode.

Figure 237 ADVANCED >REMOTE MGMT > DNS

The following table describes the labels in this screen.

Table 145 ADVANCED >REMOTE MGMT > DNS

LABEL | DESCRIPTION
Server Port | The DNS service port number is 53 and cannot be changed here.
Service Access | Select the interface(s) through which a computer may send DNS queries to the ZyWALL.
Secure Client IP Address | A secure client is a “trusted” computer that is allowed to send DNS queries to the ZyWALL. Select All to allow any computer to send DNS queries to the ZyWALL. Choose Selected to allow only the computer with the IP address that you specify to send DNS queries to the ZyWALL.
Apply | Click Apply to save your customized settings.
Reset | Click Reset to begin configuring this screen afresh.

22.16 Introducing Vantage CNM

Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.

If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not make any configuration changes directly on the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.

22.17 Configuring CNM

Vantage CNM is disabled on the device by default. Click ADVANCED > REMOTE MGMT > CNM to configure your device's Vantage CNM settings.

Figure 238 ADVANCED > REMOTE MGMT > CNM

The following table describes the labels in this screen.

Table 146 ADVANCED > REMOTE MGMT > CNM

LABEL | DESCRIPTION
Registration Information |
Registration Status | This read-only field displays Not Registered when Enable is not selected. It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server. It will continue to display Registering until it successfully registers with the Vantage CNM server. It will not be able to register with the Vantage CNM server if: the Vantage CNM server is down; the Vantage CNM server IP address is incorrect; the Vantage CNM server is behind a NAT router or firewall that does not forward packets through to the Vantage CNM server; or the encryption algorithms and/or encryption keys do not match between the ZyWALL and the Vantage CNM server.
Last Registration Time | This field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.
Refresh | Click Refresh to update the registration status and last registration time.
Vantage CNM Setup |
Enable | Select this check box to allow Vantage CNM to manage your ZyWALL.
Vantage CNM Server Address | If the Vantage server is on the same subnet as the ZyXEL device, enter the private or public IP address of the Vantage server. If the Vantage CNM server is on a different subnet from the ZyWALL, enter the public IP address of the Vantage server. If the Vantage CNM server is on a different subnet from the ZyWALL and is behind a NAT router, enter the WAN IP address of the NAT router here and configure the NAT router to forward UDP port 1864 traffic to the Vantage CNM server. If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 1864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this).
Encryption Algorithm | The Encryption Algorithm field is used to encrypt communications between the ZyWALL and the Vantage CNM server. Choose from None (no encryption), DES or 3DES. The Encryption Key field appears when you select DES or 3DES. The ZyWALL must use the same encryption algorithm as the Vantage CNM server.
Encryption Key | Type eight alphanumeric characters ("0" to "9", "a" to "z" or "A" to "Z") when you choose the DES encryption algorithm and 24 alphanumeric characters ("0" to "9", "a" to "z" or "A" to "Z") when you choose the 3DES encryption algorithm. The ZyWALL must use the same encryption key as the Vantage CNM server.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode.

23.1 Universal Plug and Play Overview

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.

23.1.1 How Do I Know If I'm Using UPnP?

UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.

23.1.2 NAT Traversal

UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:

  • Dynamic port mapping
  • Learning public IP addresses
  • Assigning lease times to mappings

Windows Messenger is an example of an application that supports NAT traversal and UPnP.

See Chapter 17 on page 329 for further information about NAT.

23.1.3 Cautions with UPnP

The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.

When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyWALL allows multicast messages on the LAN only.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.

23.1.4 UPnP and ZyXEL

ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device).

See the following sections for examples of installing and using UPnP.

23.2 Configuring UPnP

Click ADVANCED > UPnP to display the UPnP screen.

Figure 239 ADVANCED >UPnP

The following table describes the fields in this screen.

Table 147 ADVANCED >UPnP

LABEL | DESCRIPTION
UPnP Setup |
Device Name | This identifies the ZyXEL device in UPnP applications.
Enable the Universal Plug and Play (UPnP) feature | Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (although you must still enter the password to access the web configurator).
Allow users to make configuration changes through UPnP | Select this check box to allow UPnP-enabled applications to automatically configure the ZyWALL so that they can communicate through the ZyWALL, for example by using NAT traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP-enabled device; this eliminates the need to manually configure port forwarding for the UPnP-enabled application.
Allow UPnP to pass through Firewall | Select this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).
Outgoing WAN Interface | Select through which WAN port you want to send out traffic from UPnP-enabled applications. If the WAN port you select loses its connection, the ZyWALL attempts to use the other WAN port. If the other WAN port also does not work, the ZyWALL drops outgoing packets from UPnP-enabled applications.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

23.3 Displaying UPnP Port Mapping

Click ADVANCED > UPnP > Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.

Figure 240 ADVANCED > UPnP > Ports

The following table describes the labels in this screen.

Table 148 ADVANCED > UPnP > Ports

LABEL | DESCRIPTION
Reserve UPnP NAT rules in flash after system bootup | Select this check box to have the ZyWALL retain UPnP-created NAT rules even after restarting. If you use UPnP and you set a port on your computer to be fixed for a specific service (for example FTP for file transfers), this option allows the ZyWALL to keep a record when your computer uses UPnP to create a NAT forwarding rule for that service.
WAN Interface in Use | This field displays through which WAN interface the ZyWALL is currently sending out traffic from UPnP-enabled applications. This field displays None when UPnP is disabled or neither of the WAN ports has a connection.
The following read-only table displays information about the UPnP-created NAT mapping rule entries in the ZyWALL's NAT routing table.
# | This is the index number of the UPnP-created NAT mapping rule entry.
Remote Host | This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port. When this field displays an external IP address, the NAT rule has the ZyWALL forward inbound packets to the Internal Client from that IP address only.
External Port | This field displays the port number that the ZyWALL “listens” on (on the WAN port) for connection requests destined for the NAT rule’s Internal Port and Internal Client. The ZyWALL forwards incoming packets (from the WAN) with this port number to the Internal Client on the Internal Port (on the LAN). If the field displays “0”, the ZyWALL ignores the Internal Port value and forwards requests on all external port numbers (that are otherwise unmapped) to the Internal Client.
Protocol | This field displays the protocol of the NAT mapping rule (TCP or UDP).
Internal Port | This field displays the port number on the Internal Client to which the ZyWALL should forward incoming connection requests.
Internal Client | This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use a single port simultaneously if the internal client field is set to 255.255.255.255 for UDP mappings.
Enabled | This field displays whether or not this UPnP-created NAT mapping rule is turned on. The UPnP-enabled device that connected to the ZyWALL and configured the UPnP-created NAT mapping rule on the ZyWALL determines whether or not the rule is enabled.
Description | This field displays a text explanation of the NAT mapping rule.
Lease Duration | This field displays a dynamic port-mapping rule's time to live (in seconds). It displays “0” if the port mapping is static.
Apply | Click Apply to save your changes back to the ZyWALL.
Refresh | Click Refresh to update the screen's table.

23.4 Installing UPnP in Windows Example

This section shows how to install UPnP in Windows Me and Windows XP.

23.4.1 Installing UPnP in Windows Me

Follow the steps below to install UPnP in Windows Me.

1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.

3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.

23.4.2 Installing UPnP in Windows XP

Follow the steps below to install UPnP in Windows XP.

1 Click Start, Settings and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ....

The Windows Optional Networking Components Wizard window displays.

4 Select Networking Service in the Components selection box and click Details.

5 In the Networking Services window, select the Universal Plug and Play check box.
6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.

23.5 Using UPnP in Windows XP Example

This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device.

Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.

23.5.1 Auto-discover Your UPnP-enabled Network Device

1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.

3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.

You may edit or delete the port mappings or click Add to manually add port mappings.

When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.

4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
5 Double-click the icon to display your current Internet connection status.

23.5.2 Web Configurator Easy Access

With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.

Follow the steps below to access the web configurator.

1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.

4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.

6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.

ALG Screen

This chapter covers how to use the ZyWALL's ALG feature to allow certain applications to pass through the ZyWALL.

24.1 ALG Introduction

An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. The ZyWALL can function as an ALG to allow certain NAT unfriendly applications (such as SIP) to operate properly through the ZyWALL.

Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets' data payload. The ZyWALL examines and uses IP address and port number information embedded in the data stream. When a device behind the ZyWALL uses an application for which the ZyWALL has ALG service enabled, the ZyWALL translates the device's private IP address inside the data stream to a public IP address. It also records session port numbers and dynamically creates implicit NAT port forwarding and firewall rules for the application's traffic to come in from the WAN to the LAN.

24.1.1 ALG and NAT

The ZyWALL dynamically creates an implicit NAT session for the application's traffic from the WAN to the LAN.

The ALG on the ZyWALL supports all NAT mapping types, including One to One, Many to One, Many to Many Overload and Many One to One.

24.1.2 ALG and the Firewall

The ZyWALL uses the dynamic port that the session uses for data transfer in creating an implicit temporary firewall rule for the session's traffic. The firewall rule only allows the session's traffic to go through in the direction that the ZyWALL determines from its inspection of the data payload of the application's packets. The firewall rule is automatically deleted after the application's traffic has gone through.

24.1.3 ALG and Multiple WAN

When the ZyWALL has two WAN interfaces and uses the lower priority WAN interface as a backup, the application's traffic cannot pass through when the primary WAN connection fails, because the ZyWALL does not automatically move the connection to the secondary WAN interface.

If the primary WAN connection fails, the client needs to re-initialize the connection through the secondary WAN interface for the connection to go through the secondary WAN interface.

When the ZyWALL uses both of the WAN interfaces at the same time, you can configure routing policies to specify the WAN interfaces that the connection's traffic is to use.

24.2 FTP

File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. The FTP ALG allows TCP packets with a port 21 destination to pass through. If the FTP server is located on the LAN, you must also configure NAT port forwarding and firewall rules if you want to allow access to the server from the WAN.

24.3 H.323

H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. NetMeeting uses H.323.

24.4 RTP

When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.

24.4.1 H.323 ALG Details

  • The H.323 ALG supports peer-to-peer H.323 calls.
  • The H.323 ALG handles H.323 calls that go through NAT or that the ZyWALL routes. You can also make other H.323 calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet.
  • The H.323 ALG allows calls to go out through NAT. For example, you could make a call from a private IP address on the LAN to a peer device on the WAN.

  • You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN, DMZ or WLAN. The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B.

Figure 241 H.323 ALG Example

  • With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and port forwarding rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN, DMZ or WLAN. Use policy routing to have the H.323 calls from each of those LAN, DMZ or WLAN IP addresses go out through the same WAN IP address that calls come in on. The policy routing lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses.

For example, you configure firewall and port forwarding rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2.

Figure 242 H.323 with Multiple WAN IP Addresses

  • When you configure the firewall and port forwarding to allow calls from the WAN to a specific IP address on the LAN, you can also use policy routing to have H.323 calls from other LAN, DMZ or WLAN IP addresses go out through a different WAN IP address. The policy routing lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN, DMZ or WLAN IP addresses.

For example, you configure the firewall and port forwarding to allow LAN IP address A to receive calls from the Internet through WAN IP address 1. You also use a policy route to have LAN IP address A make calls out through WAN IP address 1. Configure another policy route to have H.323 calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP address A can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet.

Figure 243 H.323 Calls from the WAN with Multiple Outgoing Calls

  • The H.323 ALG operates on TCP packets with a port 1720 destination.
  • The ZyWALL allows H.323 audio connections.
  • The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.

24.5 SIP

The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.

SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks.

24.5.1 STUN

STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the VoIP device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the VoIP device to find the public IP address that NAT assigned, so the VoIP device can embed it in the SIP data stream. See RFC 3489 for details on STUN. You do not need to use STUN for devices behind the ZyWALL if you enable the SIP ALG.

24.5.2 SIP ALG Details

  • SIP clients can be connected to the LAN, WLAN or DMZ. A SIP server must be on the WAN.
  • You can make and receive calls between the LAN and the WAN, between the WLAN and the WAN and/or between the DMZ and the WAN. You cannot make a call between the LAN and the LAN, between the LAN and the DMZ, between the LAN and the WLAN, between the DMZ and the DMZ, and so on.
  • The SIP ALG allows UDP packets with a port 5060 destination to pass through.
  • The ZyWALL allows SIP audio connections.

The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server.

Figure 244 SIP ALG Example

24.5.3 SIP Signaling Session Timeout

Most SIP clients have an "expire" mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.

If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout default (60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period.

24.5.4 SIP Audio Session Timeout

If no voice packets go through the SIP ALG before the timeout period (default 5 minutes) expires, the SIP ALG does not drop the call but blocks all voice traffic and deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation.
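To make the ALG behaviour of Sections 24.1 and 24.5 concrete, here is an added toy SIP ALG in Python (an illustration, not ZyXEL code): it rewrites the private address a phone embeds in its Via and Contact headers and in the SDP body, allocates a mapped public port for each embedded port, records the implicit NAT port forward and firewall pinhole with the page's default timeouts, and forwards a WAN packet only if it hits a pinhole that is still alive. The public address 203.0.113.5, the phone 192.168.1.10, the mapped-port range starting at 40000 and the INVITE text are constructed.

```python
import re
from dataclasses import dataclass, field

SIP_PORT = 5060              # the SIP ALG acts on UDP packets to port 5060 (Section 24.5.2)
SIGNALING_TIMEOUT = 60 * 60  # default SIP signaling session timeout, 60 minutes (Section 24.5.3)
AUDIO_TIMEOUT = 5 * 60       # default SIP audio session timeout, 5 minutes (Section 24.5.4)


@dataclass
class Pinhole:
    """One implicit NAT port forward plus firewall rule created by the ALG."""
    kind: str           # "signaling" or "audio"
    public_port: int
    private_ip: str
    private_port: int
    expires_at: float   # seconds; refreshed whenever the mapping is used outbound again


@dataclass
class SipAlg:
    public_ip: str
    next_port: int = 40000                        # constructed start of the mapped-port range
    pinholes: dict = field(default_factory=dict)  # public UDP port -> Pinhole

    def _map(self, kind, private_ip, private_port, now):
        """Return the public port for private ip:port, creating or refreshing its pinhole."""
        timeout = SIGNALING_TIMEOUT if kind == "signaling" else AUDIO_TIMEOUT
        for hole in self.pinholes.values():
            if (hole.private_ip, hole.private_port) == (private_ip, private_port):
                hole.expires_at = now + timeout   # periodic REGISTERs keep the session alive
                return hole.public_port
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.pinholes[public_port] = Pinhole(kind, public_port, private_ip, private_port, now + timeout)
        return public_port

    def expire(self, now):
        """Drop pinholes whose timeout has passed (audio stops first, Section 24.5.4)."""
        for port in [p for p, h in self.pinholes.items() if h.expires_at <= now]:
            del self.pinholes[port]

    def outbound(self, private_ip, message, now):
        """Rewrite one SIP request leaving the LAN for the SIP server on the WAN."""
        self.expire(now)
        head, body = message.split("\r\n\r\n", 1)
        # Via and Contact carry the private signaling address the server will reply to.
        sig_port = self._map("signaling", private_ip, SIP_PORT, now)
        head = head.replace(f"{private_ip}:{SIP_PORT}", f"{self.public_ip}:{sig_port}")

        # The SDP m= line names the RTP port the phone listens on; open an audio pinhole for it.
        def map_media(match):
            public_port = self._map("audio", private_ip, int(match.group(2)), now)
            return f"{match.group(1)}{public_port}{match.group(3)}"

        body = re.sub(r"^(m=audio )(\d+)( .*)$", map_media, body, flags=re.M)
        # The c= (and o=) lines carry the private media address.
        body = body.replace(private_ip, self.public_ip)
        # The body length changed, so Content-Length must be recomputed or the server
        # reads a truncated or padded SDP.
        head = re.sub(r"^Content-Length: \d+$", f"Content-Length: {len(body)}", head, flags=re.M)
        return head + "\r\n\r\n" + body

    def inbound(self, public_port, now):
        """Firewall decision for a WAN packet: forward only to a pinhole that is still alive."""
        self.expire(now)
        hole = self.pinholes.get(public_port)
        return (hole.private_ip, hole.private_port) if hole else None


def build_invite(private_ip, rtp_port):
    """Constructed INVITE with SDP, as a phone behind the ZyWALL would send it."""
    body = (f"v=0\r\no=alice 1 1 IN IP4 {private_ip}\r\ns=-\r\nc=IN IP4 {private_ip}\r\n"
            f"t=0 0\r\nm=audio {rtp_port} RTP/AVP 0\r\n")
    head = ("INVITE sip:bob@sip.example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {private_ip}:{SIP_PORT};branch=z9hG4bK776\r\n"
            "From: <sip:alice@sip.example.net>;tag=1928\r\nTo: <sip:bob@sip.example.net>\r\n"
            f"Contact: <sip:alice@{private_ip}:{SIP_PORT}>\r\nContent-Type: application/sdp\r\n"
            f"Content-Length: {len(body)}")
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    alg = SipAlg("203.0.113.5")
    print(alg.outbound("192.168.1.10", build_invite("192.168.1.10", 49170), now=0))
    print(alg.pinholes)
```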

24.6 ALG Screen

Click ADVANCED > ALG to open the ALG screen. Use the ALG screen to turn individual ALGs off or on and set the SIP timeout.


If the ZyWALL provides an ALG for a service, you must enable the ALG in order to perform bandwidth management on that service's traffic.

Figure 245 ADVANCED > ALG

The following table describes the labels in this screen.

Table 149 ADVANCED > ALG

LABEL: DESCRIPTION
Enable FTP ALG: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Protocol) enables fast transfer of files, including large files that may not be possible by e-mail.
Enable H.323 ALG: Select this check box to allow H.323 sessions to pass through the ZyWALL. H.323 is a protocol used for audio communications over networks.
Enable SIP ALG: Select this check box to allow SIP sessions to pass through the ZyWALL. SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals over Internet Protocol.
SIP Timeout: Most SIP clients have an "expire" mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout (default 60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period. Enter the SIP signaling session timeout value.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

PART V

Reports, Logs and Maintenance

Logs Screens (423)

Maintenance (451)

Logs Screens

This chapter contains information about configuring general log settings and viewing the ZyWALL's logs. Refer to Section 25.5 on page 434 for example log message explanations.

25.1 Configuring View Log

The web configurator allows you to look at all of the ZyWALL's logs in one location.

Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 25.3 on page 426). Options include logs about system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, java and cookies), attacks (such as DoS) and IPSec.

Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order.

Figure 246 LOGS > View Log

The following table describes the labels in this screen.

Table 150 LOGS > View Log

LABEL: DESCRIPTION
Display: The categories that you select in the Log Settings page (see Section 25.3 on page 426) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
#: This field displays the log number.
Time: This field displays the time the log was recorded. See Section 26.4 on page 453 to configure the ZyWALL's time and date.
Message: This field states the reason for the log.
Source: This field lists the source IP address and the port number of the incoming packet.
Destination: This field lists the destination IP address and the port number of the incoming packet.
Note: This field displays additional information about the log entry.
Email Log Now: Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the E-mail Log Settings fields in Log Settings, see Section 25.3 on page 426).
Refresh: Click Refresh to renew the log screen.
Clear Log: Click Clear Log to delete all the logs.

25.2 Log Description Example

The following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to the appendices for more log message descriptions and details on using the command line interpreter to display logs.

# | time                | source           | destination        | notes        | message
5 | 06/08/2004 05:58:20 | 172.21.4.187:137 | 172.21.255.255:137 | ACCESS BLOCK | Firewall default policy: UDP (W to W/ZW)

Table 151 Log Description Example

LABEL: DESCRIPTION
#: This is log number five.
time: The log was generated on June 8, 2004 at 5:58 and 20 seconds AM.
source: The log was generated due to a NetBIOS packet sent from IP address 172.21.4.187 port 137.
destination: The NetBIOS packet was sent to the 172.21.255.255 subnet port 137. This was a NetBIOS UDP broadcast packet meant to discover devices on the network.
notes: The ZyWALL blocked the packet.
message: The ZyWALL blocked the packet in accordance with the firewall's default policy of blocking sessions that are initiated from the WAN. "UDP" means that this was a User Datagram Protocol packet. "W to W/ZW" indicates that the packet was traveling from the WAN to the WAN or the ZyWALL.

25.2.1 About the Certificate Not Trusted Log

myZyXEL.com and the update server use certificates signed by VeriSign to identify themselves. If the ZyWALL does not have a CA certificate signed by VeriSign as a trusted CA, the ZyWALL will not trust the certificate from myZyXEL.com and the update server. The ZyWALL will generate a log like "Due to error code(11), cert not trusted: SSL/TLS peer certif..." every time it attempts to establish an (HTTPS) connection with myZyXEL.com and the update server. The V4.00 default configuration file includes a trusted CA certificate signed by VeriSign. If you upgraded to ZyNOS V4.00 firmware without uploading the V4.00 default configuration file, you can download a CA certificate signed by VeriSign from myZyXEL.com and import it into the ZyWALL as a trusted CA. This will stop the ZyWALL from generating this log every time it attempts to connect with myZyXEL.com and the update server.

Follow the steps below to download the certificate from myZyXEL.com.

1 Go to http://www.myZyXEL.com and log in with your account.
2 Click Download Center and then Certificate Download.

Figure 247 myZyXEL.com: Download Center
3 Click the link in the Certificate Download screen.

Figure 248 myZyXEL.com: Certificate Download

25.3 Configuring Log Settings

To change your ZyWALL's log settings, click LOGS > Log Settings. The screen appears as shown.

Use the Log Settings screen to configure where the ZyWALL is to send logs, the schedule for when the ZyWALL is to send the logs, and which logs and/or immediate alerts the ZyWALL is to send.

An alert is a type of log that warrants more serious attention. Alerts include system errors, attacks (access control) and attempted access to blocked web sites or web sites with restricted web features such as cookies, ActiveX and so on. Some categories such as System Errors consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display in black.


Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full (see Log Schedule). Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.

Figure 249 LOGS > Log Settings

The following table describes the labels in this screen.

Table 152 LOGS > Log Settings

LABEL: DESCRIPTION
E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the ZyWALL sends.
Mail Sender: Enter the e-mail address that you want to be in the from/sender line of the log e-mail message that the ZyWALL sends. If you activate SMTP authentication, the mail server must also be able to authenticate this e-mail address.
Send Log To: Logs are sent to the e-mail address specified in this field. If this field is left blank, logs will not be sent via e-mail.
Send Alerts To: Alerts are sent to the e-mail address specified in this field. If this field is left blank, alerts will not be sent via e-mail.
Log Schedule: This drop-down menu is used to configure the frequency of log messages being sent as e-mail: Daily, Weekly, Hourly, When Log is Full or None. If you select Weekly or Daily, specify a time of day when the e-mail should be sent. If you select Weekly, then also specify which day of the week the e-mail should be sent. If you select When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent.
Day for Sending Log: Use the drop-down list box to select which day of the week to send the logs.
Time for Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
SMTP Authentication: SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail logs.
User Name: Enter the user name (up to 31 characters) (usually the user name of a mail account).
Password: Enter the password associated with the user name above.
Syslog Logging: Syslog allows you to send system logs to a server. Syslog logging sends a log to an external syslog server.
Active: Click Active to enable syslog logging.
Syslog Server: Enter the server name or IP address of the syslog server that will log the selected categories of logs.
Log Facility: Select a location from the drop-down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details.
Active Log and Alert
Log: Select the categories of logs that you want to record. Logs include alerts.
Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Log Consolidation
Active: Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log. You can use the sys log consolidate msglist command to see what log messages will be consolidated.
Log Consolidation Period: Specify the time interval during which the ZyWALL merges logs with identical messages into one log.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

25.4 Configuring Reports

The Reports screen displays which computers on the LAN, DMZ or WLAN send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often. The ZyWALL can record and display the following network usage details:

  • Web sites visited the most often
  • Number of times the most visited web sites were visited
  • The most-used protocols or service ports
  • The amount of traffic for the most used protocols or service ports
  • The LAN, DMZ or WLAN IP addresses to and/or from which the most traffic has been sent
  • How much traffic has been sent to and from the LAN, DMZ or WLAN IP addresses to and/or from which the most traffic has been sent


The web site hit count may not be 100% accurate because sometimes when an individual web page loads, it may contain references to other web sites that also get counted as hits.

The ZyWALL records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyWALL may count these as hits, thus the web hit count is not (yet) 100% accurate.

Click LOGS > Reports to display the following screen.

Figure 250 LOGS > Reports


Enabling the ZyWALL's reporting function decreases the overall throughput by about 1 Mbps.

The following table describes the labels in this screen.

Table 153 LOGS > Reports

LABEL: DESCRIPTION
Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data.
Send Raw Traffic Statistics to Syslog Server for Analysis: Select the check box and click Apply to have the ZyWALL send unprocessed traffic statistics to a syslog server for analysis. You must have the syslog server already configured in the Log Settings screen.
Apply: Click Apply to save your changes to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
Interface: Select on which interface (LAN, DMZ or WLAN) the logs will be collected. The logs on the DMZ, LAN or WLAN IP alias 1 and 2 are also recorded.
Report Type: Use the drop-down list box to select the type of reports to display. Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited. Protocol/Port displays the protocols or service ports that have been used the most and the amount of traffic for the most used protocols or service ports. Host IP Address displays the LAN, DMZ or WLAN IP addresses to and/or from which the most traffic has been sent and how much traffic has been sent to and from those IP addresses.
Refresh: Click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen.
Flush: Click Flush to discard the old report data and update the report display.


All of the recorded reports data is erased when you turn off the ZyWALL.

25.4.1 Viewing Web Site Hits

In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.

Figure 251 LOGS > Reports: Web Site Hits Example

The following table describes the label in this screen.

Table 154 LOGS > Reports: Web Site Hits Report

LABEL: DESCRIPTION
Web Site: This column lists the domain names of the web sites visited most often from computers on the LAN, DMZ or WLAN. The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first. The ZyWALL counts each page viewed in a web site as another hit on the web site.
Hits: This column lists how many times each web site has been visited. The count starts over at 0 if a web site passes the hit count limit (see Table 157 on page 434).

25.4.2 Viewing Host IP Address

In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.


Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer.

Figure 252 LOGS > Reports: Host IP Address Example

The following table describes the labels in this screen.

Table 155 LOGS > Reports: Host IP Address

LABEL: DESCRIPTION
IP Address: This column lists the LAN, DMZ or WLAN IP addresses to and/or from which the most traffic has been sent. The LAN, DMZ or WLAN IP addresses are listed in descending order with the LAN, DMZ or WLAN IP address to and/or from which the most traffic was sent listed first.
Direction: This field displays Incoming to denote traffic that is coming in from the WAN to the LAN, DMZ or WLAN. This field displays Outgoing to denote traffic that is going out from the LAN, DMZ or WLAN to the WAN.
Amount: This column displays how much traffic has gone to and from the listed LAN, DMZ or WLAN IP addresses. The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies with the amount of traffic sent to and from the LAN, DMZ or WLAN IP address. The count starts over at 0 if the total traffic sent to and from a LAN, DMZ or WLAN IP passes the bytes count limit (see Table 157 on page 434).

25.4.3 Viewing Protocol/Port

In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.

Figure 253 LOGS > Reports: Protocol/Port Example

The following table describes the labels in this screen.

Table 156 LOGS > Reports: Protocol/Port

LABEL: DESCRIPTION
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
Direction: This field displays Incoming to denote traffic that is coming in from the WAN to the LAN, DMZ or WLAN. This field displays Outgoing to denote traffic that is going out from the LAN, DMZ or WLAN to the WAN.
Amount: This column lists how much traffic has been sent and/or received for each protocol or service port. The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies with the amount of traffic for the particular protocol or service port. The count starts over at 0 if a protocol or port passes the bytes count limit (see Table 157 on page 434).

25.4.4 System Reports Specifications

The following table lists detailed specifications on the reports feature.

Table 157 Report Specifications

LABEL: DESCRIPTION
Number of web sites/protocols or ports/IP addresses listed: 20
Hit count limit: Up to 2^32 hits can be counted per web site. The count starts over at 0 if it passes four billion.
Bytes count limit: Up to 2^64 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 2^64 bytes.

25.5 Log Descriptions

This section provides descriptions of example log messages.

Table 158 System Maintenance Logs

LOG MESSAGE: DESCRIPTION
"Time calibration is successful": The router has adjusted its time based on information from the time server.
"Time calibration failed": The router failed to get information from the time server.
"WAN interface gets IP:%s": A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.
"DHCP client IP expired": A DHCP client's IP address has expired.
"DHCP server assigns %s": The DHCP server assigned an IP address to a client.
"Successful SMT login": Someone has logged on to the router's SMT interface.
"SMT login failed": Someone has failed to log on to the router's SMT interface.
"Successful WEB login": Someone has logged on to the router's web configurator interface.
"WEB login failed": Someone has failed to log on to the router's web configurator interface.
"Successful TELNET login": Someone has logged on to the router via telnet.
"TELNET login failed": Someone has failed to log on to the router via telnet.
"Successful FTP login": Someone has logged on to the router via FTP.
"FTP login failed": Someone has failed to log on to the router via FTP.
"NAT Session Table is Full!": The maximum number of NAT session table entries has been exceeded and the table is full.
"Starting Connectivity Monitor": Starting Connectivity Monitor.
"Time initialized by Daytime Server": The router got the time and date from the Daytime server.
"Time initialized by Time server": The router got the time and date from the time server.
"Time initialized by NTP server": The router got the time and date from the NTP server.
"Connect to Daytime server fail": The router was not able to connect to the Daytime server.
"Connect to Time server fail": The router was not able to connect to the Time server.
"Connect to NTP server fail": The router was not able to connect to the NTP server.
"Too large ICMP packet has been dropped": The router dropped an ICMP packet that was too large.
"SMT Session Begin": An SMT management session has started.
"SMT Session End": An SMT management session has ended.
"Configuration Change: PC = 0x%x, Task ID = 0x%x": The router is saving configuration changes.
"Successful SSH login": Someone has logged on to the router's SSH server.
"SSH login failed": Someone has failed to log on to the router's SSH server.
"Successful HTTPS login": Someone has logged on to the router's web configurator interface using the HTTPS protocol.
"HTTPS login failed": Someone has failed to log on to the router's web configurator interface using the HTTPS protocol.
"DNS server %s was not responding to last 32 consecutive queries...": The specified DNS server did not respond to the last 32 consecutive queries.
"DDNS update IP:%s (host %d) successfully": The device updated the IP address of the specified DDNS host name.
"SMTP successfully": The device sent an e-mail.
"myZyXEL.com registration successful": Registration of the device with myZyXEL.com was successful.
"Trial service registration successful": Registration for a trial service was successful.
"Service upgrade successful": Registration for a service upgrade was successful.
"Service refresh successful": The device successfully refreshed service information from myZyXEL.com.
"Content Filter trial service activation successfully": The content filtering trial service was successfully activated for this device.
"%s": The myZyXEL.com service registration failed due to the error listed. If you are unable to register for services at myZyXEL.com, the error message displayed in this log may be useful when contacting customer support.

Table 159 System Error Logs

LOG MESSAGE: DESCRIPTION
"%s exceeds the max. number of session per host!": This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
"setNetBIOSFilter:%X": The router failed to allocate memory for the NetBIOS filter settings.
"readNetBIOSFilter:%X": The router failed to allocate memory for the NetBIOS filter settings.
"WAN connection is down.": A WAN connection is down. You cannot access the network through this interface.
"Dial Backup starts": Dial backup started working.
"Dial Backup ends": Dial backup stopped working.
"DHCP Server cannot assign the static IP %S (out of range).": The LAN subnet, LAN alias 1, or LAN alias 2 was changed and the specified static DHCP IP addresses are no longer valid.
"The DHCP static IP %s is conflict.": The static DHCP IP address conflicts with another host.
"SMTP fail (%s)": The device failed to send an e-mail (error message included).
"SMTP authentication fail (%s)": The device failed to authenticate with the SMTP server (error message included).

Table 160 Access Control Logs

LOG MESSAGE: DESCRIPTION
"Firewall default policy: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>": Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy's setting.
"Firewall rule [NOT] match: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>, <rule:%d>": Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
"Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]": The firewall allowed a triangle route session to pass through.
"Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]": The router blocked a packet that didn't have a corresponding NAT table entry.
"Router sent blocked web site message: TCP": The router sent a message to notify a user that the router blocked access to a web site that the user requested.
"Exceed maximum sessions per host (%d).": The device blocked a session because the host's connections exceeded the maximum sessions per host.
"Firewall allowed a packet that matched a NAT session: [ TCP | UDP ]": A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.
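As an added example (not ZyXEL code), the following Python parses log lines laid out in the column order of the Section 25.2 example, decodes the firewall messages of Table 160 and the login failure messages of Table 158, counts blocked packets per source address, and merges identical messages that fall within a consolidation period, which is what the Log Consolidation option in Log Settings does. The pipe-separated layout and the sample lines are constructed; only the column names and message texts come from the manual.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the column order of the Section 25.2 example
# (number, time, source, destination, notes, message). Using "|" as the separator is an
# assumption; the message texts follow Tables 158 and 160.
SAMPLE_LOG = """\
5|06/08/2004 05:58:20|172.21.4.187:137|172.21.255.255:137|ACCESS BLOCK|Firewall default policy: UDP (W to W/ZW)
6|06/08/2004 05:58:21|172.21.4.187:137|172.21.255.255:137|ACCESS BLOCK|Firewall default policy: UDP (W to W/ZW)
7|06/08/2004 05:58:40|198.51.100.7:4431|203.0.113.5:23|ACCESS BLOCK|Firewall rule NOT match: TCP (W to L), <rule:2>
8|06/08/2004 05:59:02|198.51.100.7:4432|203.0.113.5:22|ACCESS BLOCK|Firewall rule match: TCP (W to ZW), <rule:4>
9|06/08/2004 05:59:10|198.51.100.7:4433|203.0.113.5:22||SSH login failed
10|06/08/2004 05:59:12|198.51.100.7:4434|203.0.113.5:22||SSH login failed
11|06/08/2004 06:01:00|198.51.100.7:4435|203.0.113.5:22||Successful SSH login
12|06/08/2004 06:05:30|172.21.4.187:137|172.21.255.255:137|ACCESS BLOCK|Firewall default policy: UDP (W to W/ZW)
"""

# "Firewall default policy: <proto> <direction>" and
# "Firewall rule [NOT] match: <proto> <direction>, <rule:%d>" from Table 160.
FIREWALL_RE = re.compile(
    r"^Firewall (?P<kind>default policy|rule (?P<negated>NOT )?match): "
    r"(?P<proto>TCP|UDP|IGMP|ESP|GRE|OSPF|ICMP) \((?P<direction>[^)]*)\)"
    r"(?:, <rule:(?P<rule>\d+)>)?")
# The "<service> login failed" rows of Table 158.
LOGIN_FAILED_RE = re.compile(r"^(?P<service>SMT|WEB|TELNET|FTP|SSH|HTTPS) login failed$")


def parse_line(line):
    """Split one log line into its six columns and decode the message where we can."""
    number, stamp, source, destination, notes, message = line.split("|", 5)
    entry = {
        "number": int(number),
        "time": datetime.strptime(stamp.strip(), "%m/%d/%Y %H:%M:%S"),
        "source": source.strip(), "destination": destination.strip(),
        "notes": notes.strip(), "message": message.strip(),
        "blocked": notes.strip() == "ACCESS BLOCK",
    }
    if m := FIREWALL_RE.match(entry["message"]):
        entry["firewall"] = {
            "kind": "default" if m["kind"] == "default policy" else "rule",
            "negated": m["negated"] is not None,
            "proto": m["proto"], "direction": m["direction"],
            "rule": int(m["rule"]) if m["rule"] else None,
        }
    elif m := LOGIN_FAILED_RE.match(entry["message"]):
        entry["login_failed"] = m["service"]
    return entry


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def blocked_by_source(entries):
    """Blocked packets per source IP (the source port changes per packet, so drop it)."""
    return Counter(e["source"].rsplit(":", 1)[0] for e in entries if e["blocked"])


def failed_logins(entries):
    """(service, source IP) -> failed attempts; the pattern worth an immediate alert."""
    return Counter((e["login_failed"], e["source"].rsplit(":", 1)[0])
                   for e in entries if "login_failed" in e)


def consolidate(entries, period_seconds):
    """Merge entries with identical messages that arrive within `period_seconds` of the
    first one, like the Log Consolidation option; returns (message, count, first, last)."""
    period = timedelta(seconds=period_seconds)
    merged = []        # consolidated entries, in order of first occurrence
    open_window = {}   # message -> index in `merged` of the window still accepting entries
    for e in sorted(entries, key=lambda e: e["time"]):
        idx = open_window.get(e["message"])
        if idx is not None and e["time"] - merged[idx]["first"] <= period:
            merged[idx]["count"] += 1
            merged[idx]["last"] = e["time"]
            continue
        open_window[e["message"]] = len(merged)
        merged.append({"message": e["message"], "count": 1, "first": e["time"], "last": e["time"]})
    return [(m["message"], m["count"], m["first"], m["last"]) for m in merged]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(blocked_by_source(log))
    print(failed_logins(log))
    for message, count, first, last in consolidate(log, 600):
        print(f"{count:3d}x {message} ({first:%H:%M:%S} .. {last:%H:%M:%S})")
```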

Table 161 TCP Reset Logs

Under SYN flood attack, sent TCP RST
    The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).
Exceed TCP MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user-configured threshold (the TCP incomplete count is per destination host). Note: refer to TCP Maximum Incomplete in the Firewall Attack Alerts screen.
Peer TCP state out of order, sent TCP RST
    The router sent a TCP reset packet when a TCP connection state was out of order. Note: the firewall checks the TCP state against the state diagram in RFC 793 Figure 6.
Firewall session time out, sent TCP RST
    The router sent a TCP reset packet when a dynamic firewall session timed out. The default timeout values are:
    ICMP idle timeout: 3 minutes
    UDP idle timeout: 3 minutes
    TCP connection (three-way handshake) timeout: 270 seconds
    TCP FIN-wait timeout: 2 MSL (twice the Maximum Segment Lifetime)
    TCP idle (established) timeout: 150 minutes
    TCP reset timeout: 10 seconds
Exceed MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold (the incomplete count covers all TCP and UDP connections through the firewall). Note: when the number of incomplete connections (TCP + UDP) exceeds "Maximum Incomplete High", the router sends TCP RST packets for TCP connections and destroys dynamic firewall sessions until the number of incomplete connections drops below "Maximum Incomplete Low".
Access block, sent TCP RST
    The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via the CI command "sys firewall tcprst").
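
The two counters behind the "Exceed TCP MAX incomplete" and "Exceed MAX incomplete" entries above (a per-destination-host cap on half-open TCP handshakes, and a global high/low watermark over all incomplete TCP and UDP sessions) interact in a way that is easy to get wrong when tuning them, so here is a small model of that behaviour. It is an added example written for this page, not ZyWALL firmware code: the class name, the threshold defaults, the 5-tuple event interface and the demo scenario are assumptions, and the log strings are shaped after the table entries.

```python
from collections import defaultdict


class HalfOpenTracker:
    """Models the ZyWALL's incomplete-session accounting: a per-destination-host
    limit on half-open TCP handshakes ("TCP Maximum Incomplete") and a global
    high/low watermark over all incomplete TCP and UDP sessions ("Maximum
    Incomplete High/Low"). The default threshold values are assumptions."""

    def __init__(self, tcp_max_incomplete=30, max_incomplete_high=100, max_incomplete_low=80):
        if not max_incomplete_low < max_incomplete_high:
            raise ValueError("low watermark must be below high watermark")
        self.tcp_max_incomplete = tcp_max_incomplete
        self.high = max_incomplete_high
        self.low = max_incomplete_low
        self.pending = {}                       # 5-tuple -> True; insertion order = age
        self.per_host_tcp = defaultdict(int)    # destination host -> half-open TCP count
        self.logs = []

    @property
    def incomplete(self):
        return len(self.pending)

    def new_session(self, proto, src, sport, dst, dport):
        """First packet of a session (TCP SYN or first UDP datagram).
        Returns True if the session is still tracked afterwards, False if it
        was refused or shed."""
        key = (proto, src, sport, dst, dport)
        if key in self.pending:
            return True                         # retransmitted SYN: already counted
        if proto == "TCP" and self.per_host_tcp[dst] >= self.tcp_max_incomplete:
            self.logs.append(f"Exceed TCP MAX incomplete, sent TCP RST {src}:{sport} -> {dst}:{dport}")
            return False
        self.pending[key] = True
        if proto == "TCP":
            self.per_host_tcp[dst] += 1
        if self.incomplete > self.high:
            self._shed_to_low()
        return key in self.pending

    def complete(self, proto, src, sport, dst, dport):
        """Handshake finished (or UDP reply seen): the session is no longer incomplete."""
        self._forget((proto, src, sport, dst, dport))

    def _shed_to_low(self):
        # Above "Maximum Incomplete High": RST the oldest half-open TCP sessions and
        # destroy the oldest UDP sessions until the count is below "Maximum Incomplete Low".
        while self.pending and self.incomplete >= self.low:
            oldest = next(iter(self.pending))
            if oldest[0] == "TCP":
                proto, src, sport, dst, dport = oldest
                self.logs.append(f"Exceed MAX incomplete, sent TCP RST {src}:{sport} -> {dst}:{dport}")
            self._forget(oldest)

    def _forget(self, key):
        if self.pending.pop(key, None) is not None and key[0] == "TCP":
            self.per_host_tcp[key[3]] -= 1


def syn_flood_demo():
    """Constructed scenario: six spoofed sources SYN one LAN host with the
    per-host limit set to 3. Returns the tracker for inspection."""
    tracker = HalfOpenTracker(tcp_max_incomplete=3, max_incomplete_high=5, max_incomplete_low=3)
    for i in range(6):
        tracker.new_session("TCP", f"10.0.0.{i}", 40000 + i, "192.168.1.10", 80)
    return tracker


if __name__ == "__main__":
    demo = syn_flood_demo()
    print(f"half-open sessions kept: {demo.incomplete}")
    for entry in demo.logs:
        print(entry)
```

The per-host check fires on the fourth SYN to the same destination regardless of how many sessions exist elsewhere, whereas the global watermark sheds the oldest sessions of every host, including legitimate ones, once the total passes the high mark; setting the low mark far below the high mark therefore costs innocent half-open connections during a flood.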

Table 162 Packet Filter Logs

[TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set:%d, rule:%d)
    Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.

For type and code details, see Table 175 on page 447.

Table 163 ICMP Logs

Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>
    ICMP access matched the default policy and was blocked or forwarded according to the user's setting.
Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>
    ICMP access matched (or did not match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: ICMP
    The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: ICMP
    The router blocked a packet that did not have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP
    The firewall does not support this kind of ICMP packet, or the ICMP packets arrived out of order.
Router reply ICMP packet: ICMP
    The router sent an ICMP reply packet to the sender.

Table 164 CDR Logs

board %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %s
    The router received the setup requirements for a call. "call" is the reference (count) number of the call. "dev" is the device type (3 is for dial-up, 6 is for PPPoE, 10 is for PPTP). "channel" or "ch" is the call channel ID. For example, "board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0" means the router has dialed to the PPPoE server 3 times.
board %d line %d channel %d, call %d, %s C02 OutCall Connected %d %s
    The PPPoE, PPTP or dial-up call is connected.
board %d line %d channel %d, call %d, %s C02 Call Terminated
    The PPPoE, PPTP or dial-up call was disconnected.

Table 165 PPP Logs

ppp:LCP Starting
    The PPP connection's Link Control Protocol stage has started.
ppp:LCP Opening
    The PPP connection's Link Control Protocol stage is opening.
ppp:CHAP Opening
    The PPP connection's Challenge Handshake Authentication Protocol stage is opening.
ppp:IPCP Starting
    The PPP connection's Internet Protocol Control Protocol stage is starting.
ppp:IPCP Opening
    The PPP connection's Internet Protocol Control Protocol stage is opening.
ppp:LCP Closing
    The PPP connection's Link Control Protocol stage is closing.
ppp:IPCP Closing
    The PPP connection's Internet Protocol Control Protocol stage is closing.

Table 166 UPnP Logs

UPnP pass through Firewall
    UPnP packets can pass through the firewall.

Table 167 Content Filtering Logs

%s: Keyword blocking
    The content of a requested web page matched a user-defined keyword.
%s: Not in trusted web list
    The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site
    The web site is in the forbidden web site list.
%s: Contains ActiveX
    The web site contains ActiveX.
%s: Contains Java applet
    The web site contains a Java applet.
%s: Contains cookie
    The web site contains a cookie.
%s: Proxy mode detected
    The router detected proxy mode in the packet.
%s
    The content filter server responded that the web site is in the blocked category list, but it did not return the category type.
%s: %s
    The content filter server responded that the web site is in the blocked category list, and returned the category type.
%s (cache hit)
    The system found the web site in the blocked list in the local cache, but does not know the category type.
%s :%s (cache hit)
    The system found the web site in the blocked list in the local cache, and knows the category type.
%s: Trusted Web site
    The web site is in a trusted domain.
%s
    When the content filter is not active according to the time schedule, or you did not select the "Block Matched Web Site" check box, the system forwards the web content.
Waiting content filter server timeout
    The external content filtering server did not respond within the timeout period.
DNS resolving failed
    The ZyWALL cannot get the IP address of the external content filtering server via DNS query.
Creating socket failed
    The ZyWALL cannot issue a query because TCP/IP socket creation failed (the port number is recorded).
Connecting to content filter server fail
    The connection to the external content filtering server failed.
License key is invalid
    The external content filtering license key is invalid.

For type and code details, see Table 175 on page 447.

Table 168 Attack Logs

attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
attack ICMP (type:%d, code:%d)
    The firewall detected an ICMP attack.
land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
land ICMP (type:%d, code:%d)
    The firewall detected an ICMP land attack.
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d)
    The firewall detected an ICMP IP spoofing attack on the WAN port.
icmp echo : ICMP (type:%d, code:%d)
    The firewall detected an ICMP echo attack.
syn flood TCP
    The firewall detected a TCP SYN flood attack.
ports scan TCP
    The firewall detected a TCP port scan attack.
teardrop TCP
    The firewall detected a TCP teardrop attack.
teardrop UDP
    The firewall detected a UDP teardrop attack.
teardrop ICMP (type:%d, code:%d)
    The firewall detected an ICMP teardrop attack.
illegal command TCP
    The firewall detected a TCP illegal command attack.
NetBIOS TCP
    The firewall detected a TCP NetBIOS attack.
ip spoofing - no routing entry [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall classified a packet whose source address has no matching routing entry as an IP spoofing attack.
ip spoofing - no routing entry ICMP (type:%d, code:%d)
    The firewall classified an ICMP packet whose source address has no matching routing entry as an IP spoofing attack.
vulnerability ICMP (type:%d, code:%d)
    The firewall detected an ICMP vulnerability attack.
traceroute ICMP (type:%d, code:%d)
    The firewall detected an ICMP traceroute attack.
ports scan UDP
    The firewall detected a UDP port scan attack.
Firewall sent TCP packet in response to DoS attack TCP
    The firewall sent a TCP packet in response to a DoS attack.
ICMP Source Quench ICMP
    The firewall detected an ICMP Source Quench attack.
ICMP Time Exceed ICMP
    The firewall detected an ICMP Time Exceeded attack.
ICMP Destination Unreachable ICMP
    The firewall detected an ICMP Destination Unreachable attack.
ping of death. ICMP
    The firewall detected an ICMP ping of death attack.
smurf ICMP
    The firewall detected an ICMP smurf attack.
IP address in FTP port command is different from the client IP address. It maybe a bounce attack.
    The IP address in an FTP PORT command is different from the client IP address. It may be an FTP bounce attack.
Fragment packet size is smaller than the MTU size of output interface.
    The fragment packet size is smaller than the MTU size of the output interface.

Table 169 Remote Management Logs

Remote Management: FTP denied
    Attempted use of the FTP service was blocked according to remote management settings.
Remote Management: TELNET denied
    Attempted use of the TELNET service was blocked according to remote management settings.
Remote Management: HTTP or UPnP denied
    Attempted use of the HTTP or UPnP service was blocked according to remote management settings.
Remote Management: WWW denied
    Attempted use of the WWW service was blocked according to remote management settings.
Remote Management: HTTPS denied
    Attempted use of the HTTPS service was blocked according to remote management settings.
Remote Management: SSH denied
    Attempted use of the SSH service was blocked according to remote management settings.
Remote Management: ICMP Ping response denied
    Attempted use of the ICMP service was blocked according to remote management settings.
Remote Management: SNMP denied
    Attempted use of the SNMP service was blocked according to remote management settings.
Remote Management: DNS denied
    Attempted use of the DNS service was blocked according to remote management settings.

Table 170 IPSec Logs

Discard REPLAY packet
    The router received and discarded a packet whose sequence number had already been seen or fell outside the anti-replay window (a replayed or badly out-of-order packet).
Inbound packet authentication failed
    The router received a packet whose integrity check failed. The packet may have been altered or tampered with by a third party, or the authentication algorithm or key does not match the peer's.
Receive IPSec packet, but no corresponding tunnel exists
    The router dropped an inbound packet whose SPI did not match any phase 2 SA.
Rule <%d> idle time out, disconnect
    The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chkconn" CI command to set the time period. The default value is 2 minutes.
WAN IP changed to <IP>
    The WAN IP address changed, and the router dropped all connections of rules whose "My IP Address" is configured as "0.0.0.0".
Inbound packet decryption failed
    The router could not decrypt an inbound packet. Check that the encryption algorithm and key configuration match the peer's.
Cannot find outbound SA for rule <%d>
    A packet matches a rule, but there is no phase 2 SA for outbound traffic.
Rule [%s] sends an echo request to peer
    The device sent a ping packet to check the specified VPN tunnel's connectivity.
Rule [%s] receives an echo reply from peer
    The device received a ping response when checking the specified VPN tunnel's connectivity.
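
The first two entries in the table come from two separate checks on every inbound ESP or AH packet, and the order matters: the anti-replay window is consulted before any cryptographic work, and it is only advanced after the packet's integrity check succeeds, so a forged packet with a fresh sequence number cannot push the window forward. The following sliding-window implementation (the algorithm of RFC 2401 Appendix C) is an added example written for this page, not ZyWALL code; the window size, the class and method names and the `auth_ok` flag that stands in for the ICV check are assumptions, and the returned strings are the table's log texts.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check for one inbound IPSec SA.
    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number top - i has been received. The window
    size is an assumption (RFC 2401 requires at least 32, recommends 64)."""

    def __init__(self, size=64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0            # ESP/AH sequence numbers start at 1, so 0 is never valid
        self.bitmap = 0

    def check(self, seq):
        """Classify a received sequence number without touching the window."""
        if seq == 0:
            return "replay"
        if seq > self.top:
            return "ok"                      # newer than anything seen so far
        diff = self.top - seq
        if diff >= self.size:
            return "too-old"                 # fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return "replay"                  # this exact sequence number was already accepted
        return "ok"

    def update(self, seq):
        """Record seq as received. Call only after the packet authenticated."""
        if seq > self.top:
            shift = seq - self.top
            # slide the window right; a jump past the whole window clears the history
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, auth_ok):
        """Process one inbound packet. `auth_ok` stands in for the ICV verification.
        Returns the log text for a dropped packet, or None when the packet is accepted."""
        if self.check(seq) != "ok":
            return "Discard REPLAY packet"                 # dropped before any crypto work
        if not auth_ok:
            return "Inbound packet authentication failed"  # window is deliberately NOT advanced
        self.update(seq)
        return None


if __name__ == "__main__":
    # constructed sequence: in-order, late-but-in-window, duplicate, big jump, too old
    w = AntiReplayWindow(size=32)
    for seq, ok in [(1, True), (3, True), (2, True), (2, True), (40, True), (8, True), (41, False), (41, True)]:
        print(seq, w.receive(seq, ok) or "accepted")
```

A duplicate of an already-accepted packet and a packet older than the window both produce the same "Discard REPLAY packet" entry, so a burst of these on an otherwise healthy tunnel usually means heavy reordering or a window that is too small for the link, not necessarily an attacker replaying traffic.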

Table 171 IKE Logs

Active connection allowed exceeded
    The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.
Start Phase 2: Quick Mode
    Phase 2 Quick Mode has started.
Verifying Remote ID failed:
    The connection failed during IKE phase 2 because the router's and the peer's Local/Remote Addresses do not match.
Verifying Local ID failed:
    The connection failed during IKE phase 2 because the router's and the peer's Local/Remote Addresses do not match.
IKE Packet Retransmit
    The router retransmitted the last packet sent because there was no response from the peer.
Failed to send IKE Packet
    An Ethernet error stopped the router from sending IKE packets.
Too many errors! Deleting SA
    An SA was deleted because there were too many errors.
Phase 1 IKE SA process done
    The phase 1 IKE SA process has been completed.
Duplicate requests with the same cookie
    The router received multiple requests from the same peer while still processing the first IKE packet from the peer.
IKE Negotiation is in process
    The router has already started negotiating with the peer for the connection, but the IKE process has not finished yet.
No proposal chosen
    Phase 1 or phase 2 parameters do not match. Check all protocols and settings. For example, one device being configured for 3DES and the other for DES causes the connection to fail.
Local / remote IPs of incoming request conflict with rule <%d>
    The security gateway is set to "0.0.0.0" and the router used the peer's "Local Address" as the router's "Remote Address". This information conflicted with static rule %d, so the connection is not allowed.
Cannot resolve Secure Gateway Addr for rule <%d>
    The router could not resolve the IP address from the domain name that was used for the secure gateway address.
Peer ID: <peer id> <My remote type> -<My local type>
    The displayed ID information did not match between the two ends of the connection.
vs. My Remote <My remote> - <My remote>
    The displayed ID information did not match between the two ends of the connection.
vs. My Local <My local> -<My local>
    The displayed ID information did not match between the two ends of the connection.
Send <packet>
    A packet was sent.
Recv <packet>
    IKE uses ISAKMP to transmit data. Each ISAKMP packet contains many different types of payloads, and every payload type in the packet is shown in the log using the abbreviations in Table 177. Refer to RFC 2408 (ISAKMP) for a description of each payload type.
Recv <Main or Aggressive> Mode request from <IP>
    The router received an IKE negotiation request from the peer address specified.
Send <Main or Aggressive> Mode request to <IP>
    The router started negotiation with the peer.
Invalid IP <Peer local> / <Peer local>
    The peer's "Local IP Address" is invalid.
Remote IP <Remote IP> / <Remote IP> conflicts
    The security gateway is set to "0.0.0.0" and the router used the peer's "Local Address" as the router's "Remote Address". This information conflicted with static rule %d, so the connection is not allowed.
Phase 1 ID type mismatch
    This router's "Peer ID Type" is different from the peer IPSec router's "Local ID Type".
Phase 1 ID content mismatch
    This router's "Peer ID Content" is different from the peer IPSec router's "Local ID Content".
No known phase 1 ID type found
    The router could not find a known phase 1 ID in the connection attempt.
ID type mismatch. Local / Peer: <Local ID type/Peer ID type>
    The phase 1 ID types do not match.
ID content mismatch
    The phase 1 ID contents do not match.
Configured Peer ID Content: <Configured Peer ID Content>
    The phase 1 ID contents do not match and the configured "Peer ID Content" is displayed.
Incoming ID Content: <Incoming Peer ID Content>
    The phase 1 ID contents do not match and the incoming packet's ID content is displayed.
Unsupported local ID Type: <%d>
    The phase 1 ID type is not supported by the router.
Build Phase 1 ID
    The router has started to build the phase 1 ID.
Adjust TCP MSS to %d
    The router automatically changed the TCP Maximum Segment Size value after establishing a tunnel.
Rule <%d> input idle time out, disconnect
    The tunnel for the listed rule was dropped because there was no inbound traffic within the idle timeout period.
XAUTH succeed!Username: <Username>
    The router used extended authentication to authenticate the listed username.
XAUTH fail!Username: <Username>
    The router was not able to use extended authentication to authenticate the listed username.
Rule [%d] Phase 1 negotiation mode mismatch
    The listed rule's IKE phase 1 negotiation mode did not match between the router and the peer.
Rule [%d] Phase 1 encryption algorithm mismatch
    The listed rule's IKE phase 1 encryption algorithm did not match between the router and the peer.
Rule [%d] Phase 1 authentication algorithm mismatch
    The listed rule's IKE phase 1 authentication algorithm did not match between the router and the peer.
Rule [%d] Phase 1 authentication method mismatch
    The listed rule's IKE phase 1 authentication method did not match between the router and the peer.
Rule [%d] Phase 1 key group mismatch
    The listed rule's IKE phase 1 key group did not match between the router and the peer.
Rule [%d] Phase 2 protocol mismatch
    The listed rule's IKE phase 2 protocol did not match between the router and the peer.
Rule [%d] Phase 2 encryption algorithm mismatch
    The listed rule's IKE phase 2 encryption algorithm did not match between the router and the peer.
Rule [%d] Phase 2 authentication algorithm mismatch
    The listed rule's IKE phase 2 authentication algorithm did not match between the router and the peer.
Rule [%d] Phase 2 encapsulation mismatch
    The listed rule's IKE phase 2 encapsulation did not match between the router and the peer.
Rule [%d] Phase 2 pfs mismatch
    The listed rule's IKE phase 2 perfect forward secrecy (PFS) setting did not match between the router and the peer.
Rule [%d] Phase 1 ID mismatch
    The listed rule's IKE phase 1 ID did not match between the router and the peer.
Rule [%d] Phase 1 hash mismatch
    The listed rule's IKE phase 1 hash did not match between the router and the peer.
Rule [%d] Phase 1 preshared key mismatch
    The listed rule's IKE phase 1 pre-shared key did not match between the router and the peer.
Rule [%d] Tunnel built successfully
    The listed rule's IPSec tunnel has been built successfully.
Rule [%d] Peer's public key not found
    The listed rule's IKE phase 1 peer's public key was not found.
Rule [%d] Verify peer's signature failed
    The listed rule's IKE phase 1 verification of the peer's signature failed.
Rule [%d] Sending IKE request
    IKE sent an IKE request for the listed rule.
Rule [%d] Receiving IKE request
    IKE received an IKE request for the listed rule.
Swap rule to rule [%d]
    The router changed to using the listed rule.
Rule [%d] Phase 1 key length mismatch
    The listed rule's IKE phase 1 key length (with the AES encryption algorithm) did not match between the router and the peer.
Rule [%d] phase 1 mismatch
    The listed rule's IKE phase 1 did not match between the router and the peer.
Rule [%d] phase 2 mismatch
    The listed rule's IKE phase 2 did not match between the router and the peer.
Rule [%d] Phase 2 key length mismatch
    The listed rule's IKE phase 2 key length (with the AES encryption algorithm) did not match between the router and the peer.
Remote Gateway Addr in rule [%s] is changed to %s
    The IP address for the domain name of the peer gateway in the listed rule changed to the listed IP address.
New My ZyWALL Addr in rule [%s] is changed to %s
    The IP address for the domain name of the ZyWALL in the listed rule changed to the listed IP address.
Remote Gateway Addr has changed, tunnel [%s] will be deleted
    The listed tunnel will be deleted because the remote gateway's IP address changed.
My ZyWALL Addr has changed, tunnel [%s] will be deleted
    The listed tunnel will be deleted because the ZyWALL's IP address changed.
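
The "Rule [%d] Phase 1 ... mismatch" entries and "No proposal chosen" all stem from the same step: the responder compares each proposal the initiator offers, attribute by attribute, against its own rule and accepts only an exact match. The following responder-side model of that comparison is an added example written for this page, not ZyWALL code; the dataclass, the attribute names and values, and the rule that key length is compared only when both sides use AES are assumptions, while the emitted strings follow the log texts in the table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Proposal:
    """One IKE phase 1 proposal. The field values are modelled on the ZyWALL
    VPN rule screen; the exact set of accepted values is an assumption."""
    mode: str              # "Main" or "Aggressive"
    encryption: str        # "DES", "3DES" or "AES"
    key_length: int        # AES key length in bits; ignored for DES/3DES
    hash_algorithm: str    # "MD5" or "SHA1"
    auth_method: str       # "Pre-Shared Key" or "Certificate"
    key_group: int         # Diffie-Hellman group number


# (proposal field, wording used in the "Rule [%d] Phase 1 ... mismatch" log lines)
PHASE1_CHECKS = (
    ("mode", "negotiation mode"),
    ("encryption", "encryption algorithm"),
    ("key_length", "key length"),
    ("hash_algorithm", "authentication algorithm"),
    ("auth_method", "authentication method"),
    ("key_group", "key group"),
)


def phase1_mismatches(offered, policy):
    """Log wordings for every attribute on which an offered proposal differs
    from the responder's configured rule, in the order the checks run."""
    out = []
    for field, wording in PHASE1_CHECKS:
        if field == "key_length" and not (offered.encryption == "AES" and policy.encryption == "AES"):
            continue   # key length is only negotiated for AES; DES/3DES have a fixed length
        if getattr(offered, field) != getattr(policy, field):
            out.append(wording)
    return out


def negotiate_phase1(rule, offered_proposals, policy):
    """Responder side: accept the first offered proposal that matches the rule
    exactly. Returns (chosen proposal or None, list of log lines)."""
    logs = []
    for proposal in offered_proposals:
        mismatches = phase1_mismatches(proposal, policy)
        if not mismatches:
            logs.append("Phase 1 IKE SA process done")
            return proposal, logs
        logs.extend(f"Rule [{rule}] Phase 1 {wording} mismatch" for wording in mismatches)
    logs.append("No proposal chosen")   # nothing the initiator offered was acceptable
    return None, logs


if __name__ == "__main__":
    # constructed peers: the initiator offers a weak proposal first, then a matching one
    policy = Phase1Proposal("Main", "3DES", 0, "SHA1", "Pre-Shared Key", 2)
    offered = [Phase1Proposal("Main", "DES", 0, "MD5", "Pre-Shared Key", 2),
               Phase1Proposal("Main", "3DES", 0, "SHA1", "Pre-Shared Key", 2)]
    chosen, logs = negotiate_phase1(1, offered, policy)
    print("\n".join(logs))
    print("chosen:", chosen)
```

Because every offered proposal is compared in turn, a peer that sends several proposals produces mismatch lines for the rejected ones even when the negotiation ultimately succeeds; only a trailing "No proposal chosen" means the rule actually failed.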

Table 172 PKI Logs

Enrollment successful
    The SCEP online certificate enrollment was successful. The Destination field records the certification authority server's IP address and port.
Enrollment failed
    The SCEP online certificate enrollment failed. The Destination field records the certification authority server's IP address and port.
Failed to resolve <SCEP CA server url>
    The SCEP online certificate enrollment failed because the certification authority server's address cannot be resolved.
Enrollment successful
    The CMP online certificate enrollment was successful. The Destination field records the certification authority server's IP address and port.
Enrollment failed
    The CMP online certificate enrollment failed. The Destination field records the certification authority server's IP address and port.
Failed to resolve <CMP CA server url>
    The CMP online certificate enrollment failed because the certification authority server's IP address cannot be resolved.
Rcvd ca cert: <subjectname>
    The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd user cert: <subjectname>
    The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd CRL <size>: <issuer name>
    The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd ARL <size>: <issuer name>
    The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received ca cert
    The router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received user cert
    The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received CRL
    The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received ARL
    The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field.
Rcvd data <size> too large! Max size allowed: <max size>
    The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded.
Cert trusted: <subjectname>
    The router has verified the path of the certificate with the listed subject name.
Due to <reason codes>, cert not trusted: <subject name>
    Due to the reasons listed, the certificate with the listed subject name has not passed path verification. The recorded reason codes are only approximate reasons for not trusting the certificate. See Table 173 on page 446 for the corresponding descriptions of the codes.

Table 173 Certificate Path Verification Failure Reason Codes

CODE  DESCRIPTION
1     Algorithm mismatch between the certificate and the search constraints.
2     Key usage mismatch between the certificate and the search constraints.
3     Certificate was not valid in the time interval.
4     (Not used)
5     Certificate is not valid.
6     Certificate signature was not verified correctly.
7     Certificate was revoked by a CRL.
8     Certificate was not added to the cache.
9     Certificate decoding failed.
10    Certificate was not found (anywhere).
11    Certificate chain looped (did not find trusted root).
12    Certificate contains a critical extension that was not handled.
13    Certificate issuer was not valid (CA-specific information missing).
14    (Not used)
15    CRL is too old.
16    CRL is not valid.
17    CRL signature was not verified correctly.
18    CRL was not found (anywhere).
19    CRL was not added to the cache.
20    CRL decoding failed.
21    CRL is not currently valid, but will be in the future.
22    CRL contains duplicate serial numbers.
23    Time interval is not continuous.
24    Time information not available.
25    Database method failed due to timeout.
26    Database method failed.
27    Path was not verified.
28    Maximum path length reached.

Table 174 ACL Setting Notes

PACKET DIRECTION   DIRECTION              DESCRIPTION
(L to W)           LAN to WAN             ACL set for packets traveling from the LAN to the WAN.
(W to L)           WAN to LAN             ACL set for packets traveling from the WAN to the LAN.
(D to L)           DMZ to LAN             ACL set for packets traveling from the DMZ to the LAN.
(D to W)           DMZ to WAN             ACL set for packets traveling from the DMZ to the WAN.
(W to D)           WAN to DMZ             ACL set for packets traveling from the WAN to the DMZ.
(L to D)           LAN to DMZ             ACL set for packets traveling from the LAN to the DMZ.
(L to L/ZW)        LAN to LAN/ZyWALL      ACL set for packets traveling from the LAN to the LAN or the ZyWALL.
(W to W/ZW)        WAN to WAN/ZyWALL      ACL set for packets traveling from the WAN to the WAN or the ZyWALL.
(D to D/ZW)        DMZ to DMZ/ZyWALL      ACL set for packets traveling from the DMZ to the DMZ or the ZyWALL.
(L to WL)          LAN to WLAN            ACL set for packets traveling from the LAN to the WLAN.
(WL to L)          WLAN to LAN            ACL set for packets traveling from the WLAN to the LAN.
(W to WL)          WAN to WLAN            ACL set for packets traveling from the WAN to the WLAN.
(WL to W)          WLAN to WAN            ACL set for packets traveling from the WLAN to the WAN.
(D to WL)          DMZ to WLAN            ACL set for packets traveling from the DMZ to the WLAN.
(WL to D)          WLAN to DMZ            ACL set for packets traveling from the WLAN to the DMZ.
(WL to WL)         WLAN to WLAN/ZyWALL    ACL set for packets traveling from the WLAN to the WLAN or the ZyWALL.

Table 175 ICMP Notes

TYPE  CODE  DESCRIPTION
0           Echo Reply
      0     Echo reply message
3           Destination Unreachable
      0     Net unreachable
      1     Host unreachable
      2     Protocol unreachable
      3     Port unreachable
      4     A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
      5     Source route failed
4           Source Quench
      0     A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
5           Redirect
      0     Redirect datagrams for the Network
      1     Redirect datagrams for the Host
      2     Redirect datagrams for the Type of Service and Network
      3     Redirect datagrams for the Type of Service and Host
8           Echo
      0     Echo message
11          Time Exceeded
      0     Time to live exceeded in transit
      1     Fragment reassembly time exceeded
12          Parameter Problem
      0     Pointer indicates the error
13          Timestamp
      0     Timestamp request message
14          Timestamp Reply
      0     Timestamp reply message
15          Information Request
      0     Information request message
16          Information Reply
      0     Information reply message

25.6 Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.

Table 176 Syslog Logs

Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"
    This message is sent by the system ("RAS" displays as the system name if you have not configured one) when the router generates a syslog. The facility is defined in the web MAIN MENU, LOGS, Log Settings page. The severity is the log's syslog class. The messages and notes are defined in the other log tables. The "devID" is the MAC address of the router's LAN port. The "cat" is the same as the category in the router's logs.
Traffic Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal"
    This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DMZ", "LAN:DEV" for example).
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="<0|1>" ob_mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"
    This message is sent by the device ("RAS" displays as the system name if you have not configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU, LOGS, Log Settings page. The severity is the log's syslog class. The messages and notes are defined in the other log tables. "ob" is the outbreak flag and "ob_mac" is the MAC address of the outbreak PC.
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="<0|1>" ob.mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="Anti Virus" encode="<uu | b64>"
    This message is sent by the device ("RAS" displays as the system name if you have not configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU, LOGS, Log Settings page. The severity is the log's syslog class. The "encode" field indicates the mail attachment's encoding method. The messages and notes are defined in the Anti-Virus log descriptions.
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="<0|1>" ob.mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="IDP" class="<idp class>" sid="<idp sid>" act="<idp action>" count="1"
    This message is sent by the device ("RAS" displays as the system name if you have not configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU, LOGS, Log Settings page. The severity is the log's syslog class. The messages and notes are defined in the IDP log descriptions.
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="<0|1>" ob.mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="Anti Spam" 1stReIP="<IP>"
    This message is sent by the device ("RAS" displays as the system name if you have not configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU, LOGS, Log Settings page. The severity is the log's syslog class. "1stReIP" is the IP address of the first mail relay server. The messages and notes are defined in the Anti-Spam log descriptions.
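
The formats above are what an external log analyzer has to parse: a PRI of facility*8 + severity, a timestamp and host name, then key="value" pairs, with the traffic-log numeric fields (duration, sent, rcvd, protoID) left unquoted. The parser below reads both event and traffic lines, decodes the PRI, and for Access Control and ICMP entries (Tables 160 and 163) pulls out the <Packet Direction> token (Table 174), the rule number and the ICMP type and code; a small summary then aggregates traffic bytes per direction, firewall rule hits and attack entries per source address. It is an added example written for this page, not ZyWALL code or a real log capture: the sample lines are constructed in the documented formats, and the category and note values used for the Access Control and Attack entries ("Access Control", "Attacks", "ACCESS BLOCK", "ACCESS FORWARD", "ATTACK") are assumptions.

```python
import re
from collections import Counter, defaultdict

# RFC 3164 severity names; PRI = facility * 8 + severity, as Table 176 states
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

HEADER = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
                    r'(?P<host>\S+) (?P<rest>.*)$')
# key="quoted value" or key=bare (duration=, sent=, rcvd=, protoID= are unquoted)
FIELD = re.compile(r'(?P<key>[\w.]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
# Access Control / ICMP log messages, e.g. "Firewall rule match: TCP (W to L), <rule:3>"
FIREWALL = re.compile(r'^Firewall (?P<kind>default policy|rule (?:NOT )?match): (?P<proto>\w+) '
                      r'\((?P<src>[\w/]+) to (?P<dst>[\w/]+)\)'
                      r'(?:, <rule:(?P<rule>\d+)>)?(?:, <type:(?P<type>\d+)>, <code:(?P<code>\d+)>)?')


def split_endpoint(value):
    """'203.0.113.7:51234' -> ('203.0.113.7', 51234)."""
    ip, _, port = value.rpartition(":")
    return ip, int(port)


def parse_line(line):
    """Parse one ZyWALL syslog line into a dict; raises ValueError on anything else."""
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"not a ZyWALL syslog line: {line!r}")
    pri = int(m["pri"])
    rec = {"facility": pri // 8, "severity": pri % 8, "severity_name": SEVERITIES[pri % 8],
           "timestamp": m["ts"], "host": m["host"]}
    for f in FIELD.finditer(m["rest"]):
        rec[f["key"]] = f["quoted"] if f["quoted"] is not None else f["bare"]
    for k in ("duration", "sent", "rcvd", "protoID"):
        if k in rec:
            rec[k] = int(rec[k])
    fw = FIREWALL.match(rec.get("msg", ""))
    if fw:   # decode the direction token (Table 174), rule number and ICMP type/code
        rec["firewall"] = {k: (int(v) if v is not None and k in ("rule", "type", "code") else v)
                           for k, v in fw.groupdict().items()}
    return rec


def summarize(lines):
    """Traffic volume per direction, firewall rule hits, and attack entries per source IP."""
    traffic = defaultdict(lambda: {"sessions": 0, "sent": 0, "rcvd": 0})
    rule_hits, attacks = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("cat") == "Traffic Log":
            t = traffic[rec["dir"]]
            t["sessions"] += 1
            t["sent"] += rec["sent"]
            t["rcvd"] += rec["rcvd"]
        elif "firewall" in rec:
            fw = rec["firewall"]
            rule_hits[(fw["kind"], fw["rule"], fw["proto"], f'{fw["src"]} to {fw["dst"]}')] += 1
        elif rec.get("cat") == "Attacks":
            attacks[(rec["msg"], split_endpoint(rec["src"])[0])] += 1
    return {"traffic": dict(traffic), "rule_hits": rule_hits, "attacks": attacks}


# Constructed sample lines in the Table 176 formats (not captured from a device).
# "RAS" is the default system name; facility 17 (local1); cat/note values for the
# Access Control and Attack entries are assumptions.
SAMPLE_LINES = [
    '<140>Mar  3 10:15:01 RAS src="203.0.113.7:51234" dst="198.51.100.5:23" msg="Firewall default policy: TCP (W to W/ZW)" note="ACCESS BLOCK" devID="00a0c5123456" cat="Access Control"',
    '<140>Mar  3 10:15:02 RAS src="203.0.113.7:51235" dst="192.168.1.33:445" msg="Firewall rule match: TCP (W to L), <rule:3>" note="ACCESS BLOCK" devID="00a0c5123456" cat="Access Control"',
    '<140>Mar  3 10:15:02 RAS src="203.0.113.7:51236" dst="192.168.1.33:445" msg="Firewall rule match: TCP (W to L), <rule:3>" note="ACCESS BLOCK" devID="00a0c5123456" cat="Access Control"',
    '<140>Mar  3 10:15:03 RAS src="203.0.113.7:0" dst="192.168.1.1:0" msg="Firewall default policy: ICMP (W to W/ZW), <type:8>, <code:0>" note="ACCESS FORWARD" devID="00a0c5123456" cat="Access Control"',
    '<137>Mar  3 10:15:04 RAS src="203.0.113.7:0" dst="192.168.1.1:0" msg="ports scan TCP" note="ATTACK" devID="00a0c5123456" cat="Attacks"',
    '<142>Mar  3 10:16:30 RAS src="192.168.1.20:49152" dst="93.184.216.34:443" msg="Traffic Log" note="Traffic Log" devID="00a0c5123456" cat="Traffic Log" duration=87 sent=5120 rcvd=204800 dir="LAN:WAN" protoID=6 proto="HTTPS" trans="Normal"',
    '<142>Mar  3 10:16:31 RAS src="192.168.1.21:49153" dst="203.0.113.40:500" msg="Traffic Log" note="Traffic Log" devID="00a0c5123456" cat="Traffic Log" duration=12 sent=2048 rcvd=1024 dir="LAN:WAN" protoID=17 proto="IKE" trans="IPSec"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(rec["severity_name"], rec.get("cat"), rec.get("firewall") or rec.get("msg"))
    print(summarize(SAMPLE_LINES))
```

Because the device only emits a traffic log when a session closes, long-lived sessions show up late and a session still open when the device reboots never shows up at all, so byte totals built from traffic logs alone are a lower bound.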

The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.

Table 177 RFC-2408 ISAKMP Payload Types

LOG DISPLAY   PAYLOAD TYPE
SA            Security Association
PROP          Proposal
TRANS         Transform
KE            Key Exchange
ID            Identification
CER           Certificate
CER_REQ       Certificate Request
HASH          Hash
SIG           Signature
NONCE         Nonce
NOTFY         Notification
DEL           Delete
VID           Vendor ID

Maintenance

This chapter displays information on the maintenance screens.

26.1 Maintenance Overview

The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.

26.2 General Setup and System Name

General Setup contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name, you should enter your computer's "Computer Name".

  • In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
  • In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.
  • In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyWALL System Name.

26.2.1 General Setup

Click MAINTENANCE to open the General screen. Use this screen to configure administrative and system-related information.

Figure 254 MAINTENANCE > General Setup

The following table describes the labels in this screen.

Table 178 MAINTENANCE > General Setup

General Setup
System Name
    Choose a descriptive name for identification purposes. It is recommended you enter your computer's "Computer name" in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name
    The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name), the domain name can be assigned from the ZyWALL via DHCP. Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP-assigned domain name.
Administrator Inactivity Timer
    Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts have security risks, since an unattended but still-authenticated session can be used by anyone with access to that browser or terminal. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
Apply
    Click Apply to save your changes back to the ZyWALL.
Reset
    Click Reset to begin configuring this screen afresh.

26.3 Configuring Password

Click MAINTENANCE > Password to open the following screen. Use this screen to change the ZyWALL's management password.

Figure 255 MAINTENANCE > Password

The following table describes the labels in this screen.

Table 179 MAINTENANCE > Password

LABEL | DESCRIPTION
Old Password | Type the default password or the existing password you use to access the system in this field. If you forget the password, you may have to use the hardware RESET button. This restores the default password of 1234.
New Password | Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Retype to Confirm | Type the new password again for confirmation.
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.

26.4 Time and Date

The ZyWALL's Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL.

To change your ZyWALL's time and date, click MAINTENANCE > Time and Date. The screen appears as shown. Use this screen to configure the ZyWALL's time based on your local time zone.

Figure 256 MAINTENANCE > Time and Date

The following table describes the labels in this screen.

Table 180 MAINTENANCE > Time and Date

LABEL | DESCRIPTION
Current Time and Date |
Current Time | This field displays the ZyWALL's present time.
Current Date | This field displays the ZyWALL's present date.
Time and Date Setup |
Manual | Select this radio button to enter the time and date manually. If you configure a new time and date, Time Zone and Daylight Saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.
New Time (hh:mm:ss) | This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
New Date (yyyy-mm-dd) | This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
Get from Time Server | Select this radio button to have the ZyWALL get the time and date from the time server you specified below.
Time Protocol | Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868).
Time Server Address | Enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.
Synchronize Now | Click this button to have the ZyWALL get the time and date from a time server (see the Time Server Address field). This also saves your changes (including the time server address).
Time Zone Setup |
Time Zone | Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Enable Daylight Saving | Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening. Select this option if you use Daylight Saving Time.
Start Date | Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, April and type 2 in the o'clock field. Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
End Date | Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Last, Sunday, October and type 2 in the o'clock field. Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
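The Start Date and End Date rows describe the transition as an ordinal, a weekday, a month and an o'clock value, and the EU case additionally converts a 1 A.M. GMT switch into a local hour. The following Python turns those screen settings into concrete dates for a chosen year, so you can check what the ZyWALL will do before enabling Daylight Saving. It is an added example and not ZyXEL code; the function names (nth_weekday, dst_transition, eu_oclock) are this example's own, and the year 2006 used at the bottom is a constructed sample value.

```python
"""Resolve the ZyWALL's Daylight Saving Start/End Date settings to real dates.

Added example (not ZyXEL code). The screen offers an ordinal (First .. Last),
a weekday, a month and a 24-hour o'clock value; this code computes the
resulting local date and time for a given year.
"""
import calendar
from datetime import date, datetime, timedelta

ORDINALS = {"First": 1, "Second": 2, "Third": 3, "Fourth": 4, "Last": -1}
WEEKDAYS = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
            "Friday": 4, "Saturday": 5, "Sunday": 6}
# calendar.month_name[0] is the empty string, which the filter drops.
MONTHS = {name: number for number, name in enumerate(calendar.month_name) if name}


def nth_weekday(year, month, weekday, ordinal):
    """Date of the Nth given weekday in a month; ordinal -1 means the last one."""
    if ordinal == -1:
        last_day = calendar.monthrange(year, month)[1]
        d = date(year, month, last_day)
        # Step back to the most recent occurrence of the wanted weekday.
        return d - timedelta(days=(d.weekday() - weekday) % 7)
    first = date(year, month, 1)
    d = first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (ordinal - 1))
    if d.month != month:
        raise ValueError("%s has no %d occurrences of that weekday" % (calendar.month_name[month], ordinal))
    return d


def dst_transition(year, ordinal, weekday, month, oclock):
    """Translate one Start Date / End Date row (First, Sunday, April, 2) into a local datetime."""
    if not 0 <= oclock <= 23:
        raise ValueError("o'clock field uses the 24 hour format")
    d = nth_weekday(year, MONTHS[month], WEEKDAYS[weekday], ORDINALS[ordinal])
    return datetime(d.year, d.month, d.day, oclock)


def eu_oclock(gmt_offset_hours):
    """EU zones all switch at 01:00 GMT/UTC; the o'clock value is that instant in local time."""
    return (1 + gmt_offset_hours) % 24


if __name__ == "__main__":
    year = 2006  # constructed sample year
    print("US start:", dst_transition(year, "First", "Sunday", "April", 2))
    print("US end:  ", dst_transition(year, "Last", "Sunday", "October", 2))
    # Germany is GMT+1, so the EU 01:00 UTC switch is typed as 2 on the ZyWALL.
    print("DE start:", dst_transition(year, "Last", "Sunday", "March", eu_oclock(1)))
    print("DE end:  ", dst_transition(year, "Last", "Sunday", "October", eu_oclock(1)))
```

The Time Zone you pick on the ZyWALL is what fixes the GMT offset passed to eu_oclock; if the zone is changed later, the o'clock values of an EU-style schedule have to be revisited as well.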

26.5 Pre-defined NTP Time Server Pools

When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools. These are virtual clusters of time servers that use a round robin method to provide different NTP servers to clients.

The ZyWALL continues to use the NTP time server pools if you do not specify a time server or it cannot synchronize with the time server you specified.


The ZyWALL can use the NTP time server pools regardless of the time protocol you select.

When the ZyWALL uses the NTP time server pools, it randomly selects one pool and tries to synchronize with a server in it. If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time server pools have been tried.
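The fallback described in this section (a user-specified server first, then the pre-defined pools starting from a randomly picked one and continuing through the rest) can be modelled to see exactly which servers get asked and in what order. The following Python is an added example, not ZyWALL firmware: the pool names are the three the manual lists, `reachable` is a constructed stand-in for the real NTP exchange, `ntp.example.invalid` is a placeholder for a user-specified server, and the wrap-around after the randomly chosen first pool is this example's reading of "goes through the rest of the list in order".

```python
"""Model of the ZyWALL's time-server fallback order (Section 26.5).

Added example, not ZyWALL code. The real device talks NTP; here a
`reachable` callable stands in for a sync attempt and just says
whether the named server answered.
"""
import random

# The pre-defined pools named in the manual.
NTP_POOLS = ["0.pool.ntp.org", "1.pool.ntp.org", "2.pool.ntp.org"]


def pool_try_order(pools, first_index):
    """Start at pools[first_index], then take the remaining pools in list order (wrapping)."""
    n = len(pools)
    return [pools[(first_index + i) % n] for i in range(n)]


def synchronize(configured_server, reachable, rng=random):
    """Try the user-specified server first (if any), then the pools; stop at the first success.

    Returns (server_that_answered_or_None, servers_tried_in_order).
    """
    plan = [configured_server] if configured_server else []
    plan += pool_try_order(NTP_POOLS, rng.randrange(len(NTP_POOLS)))
    tried = []
    for server in plan:
        tried.append(server)
        if reachable(server):
            return server, tried
    return None, tried


if __name__ == "__main__":
    # Constructed scenario: the configured server is down, only 1.pool.ntp.org answers.
    used, tried = synchronize("ntp.example.invalid", lambda s: s == "1.pool.ntp.org")
    print("synchronized with:", used)
    print("order of attempts:", tried)
```

The useful property to check is that a single unreachable entry never ends the search: the configured server and every pool are each tried exactly once before the device gives up.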

26.5.1 Resetting the Time

The ZyWALL resets the time in the following instances:

  • When you click Synchronize Now.
  • On saving your changes.
  • When the ZyWALL starts up.
  • At 24-hour intervals after starting.

26.5.2 Time Server Synchronization

Click the Synchronize Now button to get the time and date from the predefined time server or the time server you specified in the Time Server Address field.

When the System Time and Date Synchronization in Process screen appears, wait up to one minute.

Figure 257 Synchronization in Process

Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.

Figure 258 Synchronization is Successful

If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.

Figure 259 Synchronization Fail

26.6 Introduction To Transparent Bridging

A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port. All future communications to that MAC address will only be sent on that port.

The bridge gradually builds a host MAC-address-to-port mapping table such as in the following example, during the learning process.

Table 181 MAC-address-to-port Mapping Table

HOST MAC ADDRESS | PORT
00a0c5123456 | 3
00a0c5123478 (host A) | 1
00a0c512349a | 3
00a0c51234bc | 2
00a0c51234de | 4

For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking the internal table.

The bridge takes one of these actions after it checks the destination address of an incoming frame with its internal table:

  • If the table contains an association between the destination address and any of the bridge's ports aside from the one on which the frame was received, the frame is forwarded out the associated port.
  • If no association is found, the frame is flooded to all ports except the inbound port. Broadcasts and multicasts also are flooded in this way.
  • If the associated port is the same as the incoming port, then the frame is dropped (filtered).
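The learning step and the three forwarding decisions above are a small enough algorithm to write out in full. The following Python is an added example, not ZyXEL code: it pre-loads the bridge with the five entries of Table 181 and then applies the rules to frames arriving on a port. The class and function names are this example's own, and the MAC addresses in the tests other than those from Table 181 are constructed.

```python
"""Transparent bridge learning and forwarding, after Section 26.6 and Table 181.

Added example (not ZyXEL code). A frame is (in_port, src_mac, dst_mac);
the bridge learns src_mac on in_port, then forwards, floods or filters
according to what it knows about dst_mac.
"""


def normalize_mac(mac):
    """Accept 00a0c5123478, 00:a0:c5:12:34:78 or 00-a0-c5-12-34-78; return 12 lowercase hex digits."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return digits


def is_group_address(mac):
    """Broadcast and multicast destinations have the I/G bit (LSB of the first octet) set."""
    return int(normalize_mac(mac)[:2], 16) & 1 == 1


class TransparentBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # learned MAC address -> port it was last seen on

    def learn(self, port, src_mac):
        """Associate the frame's source address with the port it arrived on."""
        self.table[normalize_mac(src_mac)] = port

    def decide(self, in_port, dst_mac):
        """Output ports for a frame: [one port] = forward, all others = flood, [] = filtered."""
        dst = normalize_mac(dst_mac)
        if is_group_address(dst) or dst not in self.table:
            # Unknown unicast, broadcast and multicast: flood everywhere except the inbound port.
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        if out_port == in_port:
            # Destination lives on the same segment the frame came from: drop it.
            return []
        return [out_port]

    def handle_frame(self, in_port, src_mac, dst_mac):
        """Process one incoming frame: learn, then decide where it goes."""
        self.learn(in_port, src_mac)
        return self.decide(in_port, dst_mac)


def bridge_from_table_181():
    """Four-port bridge pre-loaded with the mapping table shown in the manual."""
    bridge = TransparentBridge(ports=[1, 2, 3, 4])
    for mac, port in [("00a0c5123456", 3), ("00a0c5123478", 1),
                      ("00a0c512349a", 3), ("00a0c51234bc", 2),
                      ("00a0c51234de", 4)]:
        bridge.learn(port, mac)
    return bridge


if __name__ == "__main__":
    b = bridge_from_table_181()
    # A frame for host A arriving on port 3 goes out port 1 only.
    print(b.handle_frame(3, "00a0c5123456", "00a0c5123478"))
```

Because the table is rebuilt purely from source addresses seen on each port, an entry moves the moment a frame with that source arrives on a different port; when reviewing a bridge's learned table, a MAC that keeps flipping between ports is the thing to look at.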

26.7 Transparent Firewalls

A transparent firewall (also known as a transparent, in-line, shadow, stealth or bridging firewall) has the following advantages over "router firewalls":

1 The use of a bridging firewall reduces configuration and deployment time because no networking configuration changes to your existing network (hosts, neighboring routers and the firewall itself) are needed. Just put it in-line with the network it is protecting. As it only moves frames between ports (after inspecting them), it is completely transparent.
2 Performance is improved as there's less processing overhead.
3 As a transparent bridge does not modify the frames it forwards, it is effectively "stealth" as it is invisible to attackers.

Bridging devices are most useful in complex environments that require a rapid or new firewall deployment. A transparent, bridging firewall can also be good for companies with several branch offices since the setups at these offices are often the same and it's likely that one design can be used for many of the networks. A bridging firewall could be configured at HQ, sent to the branches and then installed directly without additional configuration.

26.8 Configuring Device Mode (Router)

Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a router or a bridge.

In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.

In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.

You can use the firewall and VPN in bridge mode. See the user's guide for a list of other features that are available in bridge mode.

The following applies when the ZyWALL is in router mode.

Figure 260 MAINTENANCE > Device Mode (Router Mode)

The following table describes the labels in this screen.

Table 182 MAINTENANCE > Device Mode (Router Mode)

LABEL | DESCRIPTION
Current Device Mode |
Device Mode | This displays whether the ZyWALL is functioning as a router or a bridge.
Device Mode Setup |
Router | When the ZyWALL is in router mode, there is no need to select or clear this radio button.
IP Address | Click LAN, WAN, DMZ or WLAN to go to the LAN, WAN, DMZ or WLAN screen where you can view and/or change the corresponding settings.
Bridge | Select this radio button and configure the following fields, then click Apply to set the ZyWALL to bridge mode.
IP Address | Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask | Enter the IP subnet mask of the ZyWALL.
Gateway IP Address | Enter the gateway IP address.
Apply | Click Apply to save your changes back to the ZyWALL. After you click Apply, please wait for one minute and use the IP address you configured in the IP Address field to access the ZyWALL again.
Reset | Click Reset to begin configuring this screen afresh.

26.9 Configuring Device Mode (Bridge)

Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a router or a bridge.

In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.

In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.

You can use the firewall and VPN in bridge mode. See the user's guide for a list of other features that are available in bridge mode.

Figure 261 MAINTENANCE > Device Mode (Bridge Mode)

The following table describes the labels in this screen.

Table 183 MAINTENANCE > Device Mode (Bridge Mode)

LABEL | DESCRIPTION
Current Device Mode |
Device Mode | This displays whether the ZyWALL is functioning as a router or a bridge.
Device Mode Setup |
Router | Select this radio button and click Apply to set the ZyWALL to router mode.
LAN Interface IP Address | Enter the IP address of your ZyWALL's LAN port in dotted decimal notation. 192.168.1.1 is the factory default.
LAN Interface Subnet Mask | Enter the IP subnet mask of the ZyWALL's LAN port.
DHCP | DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave the DHCP check box selected. Clear it to stop the ZyWALL from acting as a DHCP server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. If not, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must be manually configured. When set as a server, fill in the rest of the DHCP setup fields.
IP Pool Starting Address | This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size | This field specifies the size, or count of the IP address pool.
Bridge | When the ZyWALL is in bridge mode, there is no need to select or clear this radio button.
IP Address | Click Bridge to go to the Bridge screen where you can view and/or change the bridge settings.
Apply | Click Apply to save your changes back to the ZyWALL. After you click Apply, please wait for one minute and use the IP address you configured in the LAN Interface IP Address field to access the ZyWALL again.
Reset | Click Reset to begin configuring this screen afresh.

26.10 F/W Upload Screen

Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. See Section 42.5 on page 593 for upgrading firmware using FTP/TFTP commands.

Click MAINTENANCE > F/W Upload. Follow the instructions in this screen to upload firmware to your ZyWALL.


Only upload firmware for your specific model!

Figure 262 MAINTENANCE > Firmware Upload

The following table describes the labels in this screen.

Table 184 MAINTENANCE > Firmware Upload

LABEL | DESCRIPTION
File Path | Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse... | Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload | Click Upload to begin the upload process. This process may take up to two minutes.


Do not turn off the ZyWALL while firmware upload is in progress!

After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again.

Figure 263 Firmware Upload In Process

The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 264 Network Temporarily Disconnected

After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.

Figure 265 Firmware Upload Error

26.11 Backup and Restore

See Section 42.5 on page 593 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.

Figure 266 MAINTENANCE > Backup and Restore

26.11.1 Backup Configuration

Backup configuration allows you to back up (save) the ZyWALL's current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.

Click Backup to save the ZyWALL's current configuration to your computer.

26.11.2 Restore Configuration

Load a configuration file from your computer to your ZyWALL.

Table 185 Restore Configuration

LABEL | DESCRIPTION
File Path | Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse... | Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.
Upload | Click Upload to begin the upload process.


Do not turn off the ZyWALL while configuration file upload is in progress.

After you see a "restore configuration successful" screen, you must then wait one minute before logging into the ZyWALL again.

Figure 267 Configuration Upload Successful

The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 268 Network Temporarily Disconnected

If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer's IP address.

If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen.

Figure 269 Configuration Upload Error

26.11.3 Back to Factory Defaults

Click the Reset button to clear all user-entered configuration information and return the ZyWALL to its factory defaults as shown on the screen. The following warning screen appears.

Figure 270 Reset Warning Message

You can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 2.3 on page 57 for more information on the RESET button.

26.12 Restart Screen

System restart allows you to reboot the ZyWALL without turning the power off.

Click MAINTENANCE > Restart. Click Restart to have the ZyWALL reboot. Restart is different from reset (see Section 26.11.3 on page 465): reset returns the device to its default configuration.

Figure 271 MAINTENANCE > Restart

PART VI
SMT and Troubleshooting

  • Introducing the SMT (469)
  • SMT Menu 1 - General Setup (477)
  • WAN and Dial Backup Setup (483)
  • LAN Setup (497)
  • Internet Access (503)
  • DMZ Setup (509)
  • Route Setup (513)
  • Wireless Setup (517)
  • Remote Node Setup (521)
  • IP Static Route Setup (529)
  • Network Address Translation (NAT) (533)
  • Introducing the ZyWALL Firewall (553)
  • Filter Configuration (555)
  • SNMP Configuration (571)
  • System Information & Diagnosis (573)
  • Firmware and Configuration File Maintenance (585)
  • System Maintenance Menus 8 to 10 (599)
  • Remote Management (607)
  • IP Policy Routing (611)
  • Call Scheduling (619)
  • Troubleshooting (623)

Introducing the SMT

This chapter explains how to access the System Management Terminal and gives an overview of its menus.

27.1 Introduction to the SMT

The ZyWALL's SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. This chapter shows you how to access the SMT (System Management Terminal) menus via console port, how to navigate the SMT and how to configure SMT menus.

27.2 Accessing the SMT via the Console Port

Make sure you have the physical connection properly set up as described in the Quick Start Guide.

When configuring using the console port, you need a computer equipped with communications software configured to the following parameters:

  • VT100 terminal emulation.
  • 9600 Baud.
  • No parity, 8 data bits, 1 stop bit, flow control set to none.

27.2.1 Initial Screen

When you turn on your ZyWALL, it performs several internal tests as well as line initialization.

After the tests, the ZyWALL asks you to press [ENTER] to continue, as shown next.

Figure 272 Initial Screen

27.2.2 Entering the Password

The login screen appears after you press [ENTER], prompting you to enter the password, as shown below.

For your first login, enter the default password "1234". As you type the password, the screen displays an "X" for each character you type.

Please note that if there is no activity for longer than five minutes after you log in, your ZyWALL will automatically log you out and display a blank screen. If you see a blank screen, press [ENTER] to bring up the login screen again.

Figure 273 Password Screen

Enter Password :XXXX

27.3 Navigating the SMT Interface

The SMT is an interface that you use to configure your ZyWALL.

Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.

Table 186 Main Menu Commands

OPERATION | KEYSTROKES | DESCRIPTION
Move down to another menu | [ENTER] | To move forward to a submenu, type in the number of the desired submenu and press [ENTER].
Move up to a previous menu | [ESC] | Press the [ESC] key to move back to the previous menu.
Move to a “hidden” menu | Press [SPACE BAR] to change No to Yes then press [ENTER]. | Fields beginning with “Edit” lead to hidden menus and have a default setting of No. Press [SPACE BAR] to change No to Yes, and then press [ENTER] to go to a “hidden” menu.
Move the cursor | [ENTER] or [UP]/[DOWN] arrow keys | Within a menu, press [ENTER] to move to the next field. You can also use the [UP]/[DOWN] arrow keys to move to the previous and the next field, respectively. When you are at the top of a menu, press the [UP] arrow key to move to the bottom of a menu.
Entering information | Fill in, or press [SPACE BAR], then press [ENTER] to select from choices. | You need to fill in two types of fields. The first requires you to type in the appropriate information. The second allows you to cycle through the available choices by pressing [SPACE BAR].
Required fields | <?> | All fields with the symbol <?> must be filled in order to be able to save the new configuration.
N/A fields | <N/A> | Some of the fields in the SMT will show a <N/A>. This symbol refers to an option that is Not Applicable.
Save your configuration | [ENTER] | Save your configuration by pressing [ENTER] at the message “Press ENTER to confirm or ESC to cancel”. Saving the data on the screen will take you, in most cases, to the previous menu. Make sure you save your settings in each screen that you configure.
Exit the SMT | Type 99, then press [ENTER]. | Type 99 at the main menu prompt and press [ENTER] to exit the SMT interface.

27.3.1 Main Menu

After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next.

Figure 274 Main Menu (Router Mode)

Figure 275 Main Menu (Bridge Mode)

The following table describes the fields in this menu.

Table 187 Main Menu Summary

NO. | MENU TITLE | FUNCTION
1 | General Setup | Use this menu to set up device mode, dynamic DNS and administrative information.
2 | WAN Setup | Use this menu to clone a MAC address from a computer on your LAN and configure the backup WAN dial-up connection. You can also use this menu to configure 3G modem setting on the ZyWALL.
3 | LAN Setup | Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings.
4 | Internet Access Setup | Configure your Internet access setup (Internet address, gateway, login, etc.) with this menu.
5 | DMZ Setup | Use this menu to apply DMZ filters, and configure DHCP and TCP/IP settings for the DMZ port.
6 | Route Setup | Use this menu to configure your WAN route assessment, traffic redirect properties and failover parameters.
7 | Wireless Setup | Use this menu to configure WLAN DHCP and TCP/IP settings for the wireless LAN interface.
11 | Remote Node Setup | Use this menu to configure detailed remote node settings (your ISP is also a remote node) as well as apply WAN filters.
12 | Static Routing Setup | Configure IP static routes in this menu.
15 | NAT Setup | Use this menu to configure Network Address Translation.
21 | Filter and Firewall Setup | Configure filters and activate/deactivate the firewall.
22 | SNMP Configuration | Use this menu to configure SNMP-related parameters.
23 | System Password | Change your password in this menu (recommended).
24 | System Maintenance | From displaying system status to uploading firmware, this menu provides comprehensive system maintenance.
25 | IP Routing Policy Setup | Configure and display policies for use in IP policy routing.
26 | Schedule Setup | Use this menu to schedule outgoing calls.
99 | Exit | Use this menu to exit (necessary for remote configuration).

27.3.2 SMT Menus Overview

The following table gives you an overview of your ZyWALL's various SMT menus.

Table 188 SMT Menus Overview

1 General Setup
    1.1 Configure Dynamic DNS
        1.1.1 DDNS Host Summary
        1.1.1 DDNS Edit Host
2 WAN Setup
    2.1 Advanced WAN Setup
3 LAN Setup
    3.1 LAN Port Filter Setup
    3.2 TCP/IP and DHCP Ethernet Setup
        3.2.1 IP Alias Setup
4 Internet Access Setup
5 DMZ Setup
    5.1 DMZ Port Filter Setup
    5.2 TCP/IP and DHCP Ethernet Setup
        5.2.1 IP Alias Setup
6 Route Setup
    6.1 Route Assessment
    6.2 Traffic Redirect
    6.3 Route Failover
7 Wireless Setup
    7.2 TCP/IP and DHCP Ethernet Setup
        7.2.1 IP Alias Setup
11 Remote Node Setup
    11.1 Remote Node Profile
        11.1.2 Remote Node Network Layer Options
        11.1.4 Remote Node Filter
        11.1.5 Traffic Redirect Setup (for the ZyWALL 5 only)
    11.2 Remote Node Profile (3G WAN)
        11.2.2 Remote Node Network Layer Options
        11.2.3 Remote Node Script
        11.2.4 Remote Node Filter
    11.3 Remote Node Profile (Backup ISP)
        11.3.1 Remote Node PPP Options
        11.3.2 Remote Node Network Layer Options
        11.3.3 Remote Node Script
        11.3.4 Remote Node Filter
12 Static Routing Setup
    12.1 Edit Static Route Setup
15 NAT Setup
    15.1 Address Mapping Sets
        15.1.x Address Mapping Rules
            15.1.x.x Address Mapping Rule
    15.2 NAT Server Sets
        15.2.x NAT Server Setup
            15.2.x.x NAT Server Configuration
    15.3 Trigger Ports
        15.3.x Trigger Port Setup
21 Filter and Firewall Setup
    21.1 Filter Set Configuration
        21.1.x Filter Rules Summary
            21.1.x.x Generic Filter Rule
            21.1.x.x TCP/IP Filter Rule
    21.2 Firewall Setup
22 SNMP Configuration
23 System Password
24 System Maintenance
    24.1 System Status
    24.2 System Information and Console Port Speed
        24.2.1 System Information
        24.2.2 Console Port Speed
    24.3 Log and Trace
        24.3.1 View Error Log
        24.3.2 Syslog Logging
        24.3.4 Call-Triggering Packet
    24.4 Diagnostic
    24.5 Backup Configuration
    24.6 Restore Configuration
    24.7 Upload Firmware
        24.7.1 Upload System Firmware
        24.7.2 Upload System Configuration File
    24.8 Command Interpreter Mode
    24.9 Call Control
        24.9.1 Budget Management
        24.9.2 Call History
    24.10 Time and Date Setting
    24.11 Remote Management Setup
25 IP Routing Policy Summary
    25.1 IP Routing Policy Setup
        25.1.1 IP Routing Policy Setup
26 Schedule Setup
    26.1 Schedule Set Setup

27.4 Changing the System Password

Change the system password by following the steps shown next.

1 Enter 23 in the main menu to open Menu 23 - System Password as shown next.

Figure 276 Menu 23: System Password

2 Type your existing password and press [ENTER].
3 Type your new system password and press [ENTER].
4 Re-type your new system password for confirmation and press [ENTER].

Note that as you type a password, the screen displays an "x" for each character you type.

27.5 Resetting the ZyWALL

See Section 2.3 on page 57 for directions on resetting the ZyWALL.

SMT Menu 1 - General Setup

Menu 1 - General Setup contains administrative and system-related information.

28.1 Introduction to General Setup

Menu 1 - General Setup contains administrative and system-related information.

28.2 Configuring General Setup

1 Enter 1 in the main menu to open Menu 1 - General Setup.
2 The Menu 1 - General Setup screen appears, as shown next. Fill in the required fields.

Figure 277 Menu 1: General Setup (Router Mode)

Menu 1 - General Setup
    System Name=
    Domain Name=
    Device Mode= Router Mode
    Edit Dynamic DNS= No

Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 189 Menu 1: General Setup (Router Mode)

FIELD | DESCRIPTION
System Name | Choose a descriptive name for identification purposes. It is recommended you enter your computer's "Computer name" in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores “_” are accepted.
Domain Name | Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. You can go to menu 24.8 and type "sys domain name" to see the current domain name used by your router. The domain name entered by you is given priority over the ISP assigned domain name. If you want to clear this field just press [SPACE BAR] and then [ENTER].
Device Mode | Press [SPACE BAR] and then [ENTER] to select Router Mode.
Edit Dynamic DNS | Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

Figure 278 Menu 1: General Setup (Bridge Mode)

Menu 1 - General Setup

System Name=

Domain Name=

Device Mode= Bridge Mode

IP Address= 0.0.0.0

Network Mask= 0.0.0.0

Gateway= 0.0.0.0

First System DNS Server

IP Address= 0.0.0.0

Second System DNS Server

IP Address= 0.0.0.0

Third System DNS Server

IP Address= 0.0.0.0

Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields not previously discussed (see Table 189 on page 477).

Table 190 Menu 1: General Setup (Bridge Mode)

FIELD | DESCRIPTION
Device Mode | Press [SPACE BAR] and then [ENTER] to select Bridge Mode.
IP Address | Enter the IP address of your ZyWALL in dotted decimal notation.
Network Mask | Enter the subnet mask of your ZyWALL.
Gateway | Enter the gateway IP address.
First System DNS Server, Second System DNS Server, Third System DNS Server | Enter the DNS server's IP address(es) in the IP Address field(s) if you have the IP address(es) of the DNS server(s).

28.2.1 Configuring Dynamic DNS

To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).

Figure 279 Menu 1.1: Configure Dynamic DNS

Follow the instructions in the next table to configure Dynamic DNS parameters.

Table 191 Menu 1.1: Configure Dynamic DNS

FIELD | DESCRIPTION
Service Provider | This is the name of your Dynamic DNS service provider.
Active | Press [SPACE BAR] to select Yes and then press [ENTER] to make dynamic DNS active.
Username | Enter your user name.
Password | Enter the password assigned to you.
Edit Host | Press [SPACE BAR] and then [ENTER] to select Yes if you want to configure a DDNS host.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

28.2.1.1 Editing DDNS Host

To configure a DDNS host, follow the procedure below.

1 Configure your ZyWALL as a router in menu 1 or the MAINTENANCE Device Mode screen.
2 Enter 1 in the main menu to open Menu 1 - General Setup.
3 Press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS.
4 Press [SPACE BAR] and then [ENTER] to select Yes in the Edit Host field. Press [ENTER] to display Menu 1.1.1 - DDNS Host Summary.

Figure 280 Menu 1.1.1: DDNS Host Summary

The following table describes the fields in this screen.

Table 192 Menu 1.1.1: DDNS Host Summary

FIELD | DESCRIPTION
# | This is the DDNS host index number.
Summary | This displays the details about the DDNS host.
Select Command | Press [SPACE BAR] to choose from None, Edit, Delete, Next Page or Previous Page and then press [ENTER]. You must select a DDNS host in the next field when you choose the Edit or Delete commands. Select None and then press [ENTER] to go to the "Press ENTER to Confirm..." prompt. Use Edit to create or edit a rule. Use Delete to remove a rule. To edit or delete a DDNS host, first make sure you are on the correct page. When a rule is deleted, subsequent rules do not move up in the page list. Select Next Page or Previous Page to view the next or previous page of DDNS hosts (respectively).
Select Rule | Type the DDNS host index number you wish to edit or delete and then press [ENTER].
When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.

5 Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 - DDNS Edit Host (see the next figure).

Figure 281 Menu 1.1.1: DDNS Edit Host

Menu 1.1.1 - DDNS Edit Host

Hostname=ZyWALL  
DDNS Type=DynamicDNS  
Enable Wildcard Option=Yes  
Enable Off Line Option=N/A  
Bind WAN=1  
HA=Yes  
IP Address Update Policy:  
    Let DDNS Server Auto Detect=Yes  
    Use User-Defined=N/A  
    Use WAN IP Address=N/A 

Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 193 Menu 1.1.1: DDNS Edit Host

FIELD | DESCRIPTION
Host Name | Enter your host name in this field.
DDNS Type | Press [SPACE BAR] and then [ENTER] to select DynamicDNS if you have the Dynamic DNS service. Select StaticDNS if you have the Static DNS service. Select CustomDNS if you have the Custom DNS service.
Enable Wildcard Option | Your ZyWALL supports DYNDNS Wildcard. Press [SPACE BAR] and then [ENTER] to select Yes or No. This field is N/A when you choose DDNS client as your service provider.
Enable Off Line Option | This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, http://www.dyndns.org/ traffic is redirected to a URL that you have previously specified (see www.dyndns.org for details).
Bind WAN | Enter the WAN interface to use for updating the IP address of the domain name.
HA | Press [SPACE BAR] and then [ENTER] to select Yes to enable the high availability (HA) feature. If the WAN interface specified in the Bind WAN field does not have a connection, the ZyWALL will attempt to use the IP address of another WAN interface to update the domain name. When the WAN interfaces are in the active/passive operating mode, the ZyWALL will update the domain name with the IP address of whichever WAN interface has a connection, regardless of the setting in the Bind WAN field. Select No and the ZyWALL will not update the domain name with an IP address if the WAN interface specified in the Bind WAN field does not have a connection. Note: If you enable high availability, DDNS can also function when the ZyWALL uses the dial backup port. DDNS does not function when the ZyWALL uses traffic redirect. Refer to Section 21.10.2 on page 381 for detailed information.
IP Address Update Policy: | You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the ZyWALL's WAN IP address. DDNS does not work with a private IP address. When both fields are set to No, the ZyWALL must have a public WAN IP address in order for DDNS to work.
Let DDNS Server Auto Detect | Only select this option when there are one or more NAT routers between the ZyWALL and the DDNS server. Press [SPACE BAR] to select Yes and then press [ENTER] to have the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server.
Use User-Defined | Press [SPACE BAR] to select Yes and then press [ENTER] to update the IP address of the host name(s) to the IP address specified below. Only select Yes if the ZyWALL uses or is behind a static public IP address.
Use WAN IP Address | Enter the static public IP address if you select Yes in the Use User-Defined field.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

The IP address updates when you reconfigure menu 1 or perform DHCP client renewal.
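The following is an added example, not ZyXEL code: it models which address a Menu 1.1.1 DDNS host update would carry under the Bind WAN, HA and IP Address Update Policy rules in Table 193, so that a configuration can be checked before it is saved. The WAN states, host names and addresses are constructed; the CGNAT and link-local ranges are this example's addition to the manual's "private IP address" rule.

```python
"""Added example, not ZyXEL code: which address a Menu 1.1.1 DDNS host update
would carry, following the Bind WAN, HA and IP Address Update Policy rules."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The manual only says DDNS does not work with a "private IP address" (RFC 1918).
# The shared (CGNAT) and link-local ranges are this example's assumption: a WAN
# port can receive them, and a DDNS record pointing at them is equally useless.
UNPUBLISHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # shared address space (CGNAT)
    "169.254.0.0/16",                                   # link-local (failed DHCP)
)]

@dataclass
class WanState:
    connected: bool
    ip: Optional[str]          # constructed current WAN address, None when down

@dataclass
class DdnsHost:
    hostname: str
    bind_wan: int              # Bind WAN field
    ha: bool                   # HA field
    auto_detect: bool          # Let DDNS Server Auto Detect field
    use_user_defined: bool     # Use User-Defined field
    user_defined_ip: Optional[str] = None   # Use WAN IP Address field

def is_publishable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in UNPUBLISHABLE)

def validate_policy(host: DdnsHost) -> None:
    """Table 193: Auto Detect and Use User-Defined may not both be Yes."""
    if host.auto_detect and host.use_user_defined:
        raise ValueError("Let DDNS Server Auto Detect and Use User-Defined cannot both be Yes")
    if host.use_user_defined and not host.user_defined_ip:
        raise ValueError("Use User-Defined=Yes requires a Use WAN IP Address value")

def pick_wan_address(host: DdnsHost, wans: Dict[int, WanState]) -> Optional[str]:
    """Bind WAN / HA rules: the bound WAN when it is up; with HA=Yes any other
    connected WAN; with HA=No nothing, so no update is sent."""
    bound = wans.get(host.bind_wan)
    if bound is not None and bound.connected:
        return bound.ip
    if not host.ha:
        return None
    for index in sorted(wans):
        if wans[index].connected:
            return wans[index].ip
    return None

def ddns_update(host: DdnsHost, wans: Dict[int, WanState]) -> Tuple[str, Optional[str]]:
    """Return (action, address): ("server-detect", None) when the DDNS server
    works out the address itself, ("update", ip) when the ZyWALL sends one,
    ("skip", None) when no update would be sent at all."""
    validate_policy(host)
    if host.auto_detect:
        return ("server-detect", None)
    if host.use_user_defined:
        ip = host.user_defined_ip
        if not is_publishable(ip):
            raise ValueError(f"{ip} is not a public address; DDNS needs a public WAN IP")
        return ("update", ip)
    ip = pick_wan_address(host, wans)
    if ip is None:
        return ("skip", None)
    if not is_publishable(ip):
        raise ValueError(f"WAN address {ip} is private; DDNS needs a public WAN IP")
    return ("update", ip)

if __name__ == "__main__":
    # Constructed WAN states: WAN 1 down, WAN 2 up on a documentation address.
    wans = {1: WanState(False, None), 2: WanState(True, "198.51.100.7")}
    host = DdnsHost("zywall.example", bind_wan=1, ha=True,
                    auto_detect=False, use_user_defined=False)
    print(ddns_update(host, wans))   # ('update', '198.51.100.7')
```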

WAN and Dial Backup Setup

This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1.

29.1 Introduction to WAN, 3G WAN and Dial Backup Setup

This chapter explains how to configure settings for your WAN interface(s), a 3G WAN connection and a dial backup connection using the SMT menus.

29.2 WAN Setup

From the main menu, enter 2 to open menu 2.

Figure 282 MAC Address Cloning in WAN Setup

The following table describes the fields in this screen.

Table 194 MAC Address Cloning in WAN Setup

FIELD | DESCRIPTION
WAN 1 MAC Address
Assigned By | Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN to use the MAC Address of that computer whose IP you give in the following field.
IP Address | This field is applicable only if you choose the IP address attached on LAN method in the Assigned By field. Enter the IP address of the computer on the LAN whose MAC you are cloning.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

29.3 Dial Backup

The Dial Backup port can be used in reserve, as a traditional dial-up connection should the broadband connection to the WAN port fail. To set up the auxiliary port (Dial Backup) for use in the event that the regular WAN connection is dropped, first make sure you have set up the switch and port connection (see the Quick Start Guide), then configure

1 Menu 2 - WAN Setup,
2 Menu 2.1 - Advanced WAN Setup and
3 Menu 11.3 - Remote Node Profile (Backup ISP)

Refer also to the section about traffic redirect for information on an alternate backup WAN connection.

29.3.1 Configuring Dial Backup in Menu 2

From the main menu, enter 2 to open menu 2.

Figure 283 Menu 2: Dial Backup Setup

The following table describes the fields in this menu.

Table 195 Menu 2: Dial Backup Setup

FIELD | DESCRIPTION
Dial-Backup:
Active | Use this field to turn the dial-backup feature on (Yes) or off (No).
Port Speed | Press [SPACE BAR] and then press [ENTER] to select the speed of the connection between the Dial Backup port and the external device. Available speeds are: 9600, 19200, 38400, 57600, 115200 or 230400 bps.
AT Command String:
Init | Enter the AT command string to initialize the WAN device. Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
Edit Advanced Setup | To edit the advanced setup for the Dial Backup port, move the cursor to this field; press the [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 2.1 - Advanced Setup.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

29.3.2 Advanced WAN Setup


Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.

To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].

Figure 284 Menu 2.1: Advanced WAN Setup

Menu 2.1 - Advanced WAN Setup

AT Command Strings:
    Dial= atdt
    Drop= ~+---ath
    Answer= ata
    Drop DTR When Hang Up= Yes

AT Response Strings:
    CLID= NMBR =
    Called Id=
    Speed= CONNECT

Call Control:
    Dial Timeout(sec)= 60
    Retry Count= 0
    Retry Interval(sec)= N/A
    Drop Timeout(sec)= 20
    Call Back Delay(sec)= 15

Press ENTER to Confirm or ESC to Cancel:

The following table describes fields in this menu.

Table 196 Advanced WAN Port Setup: AT Commands Fields

FIELD | DESCRIPTION
AT Command Strings:
Dial | Enter the AT Command string to make a call.
Drop | Enter the AT Command string to drop a call. “~” represents a one second wait, e.g., “~~~+++~ath” can be used if your modem has a slow response time.
Answer | Enter the AT Command string to answer a call.
Drop DTR When Hang Up | Press the [SPACE BAR] to choose either Yes or No. When Yes is selected (the default), the DTR (Data Terminal Ready) signal is dropped after the “AT Command String: Drop” is sent out.
AT Response Strings:
CLID (Calling Line Identification) | Enter the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication.
Called Id | Enter the keyword preceding the dialed number.
Speed | Enter the keyword preceding the connection speed.

Table 197 Advanced WAN Port Setup: Call Control Parameters

FIELD | DESCRIPTION
Call Control
Dial Timeout (sec) | Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
Retry Count | Enter a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
Retry Interval (sec) | Enter a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies before a phone number is blacklisted.
Drop Timeout (sec) | Enter a number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation.
Call Back Delay (sec) | Enter a number of seconds for the ZyWALL to wait between dropping a callback request call and dialing the corresponding callback call.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

29.3.3 Remote Node Profile (Backup ISP)

Enter 3 in Menu 11 - Remote Node Setup to open Menu 11.3 - Remote Node Profile (Backup ISP) (shown below) and configure the setup for your Dial Backup port connection. Not all fields are available on all models.

Figure 285 Menu 11.3: Remote Node Profile (Backup ISP)

The following table describes the fields in this menu.

Table 198 Menu 11.3: Remote Node Profile (Backup ISP)

FIELD | DESCRIPTION
Rem Node Name | Enter a descriptive name for the remote node. This field can be up to eight characters.
Active | Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node.
Outgoing
My Login | Enter the login name assigned by your ISP for this remote node.
My Password | Enter the password assigned by your ISP for this remote node.
Retype to Confirm | Enter your password again to make sure that you have entered it correctly.
Authen | This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your ZyWALL will accept either CHAP or PAP when requested by this remote node. CHAP - accept CHAP only. PAP - accept PAP only.
Pri Phone #, Sec Phone # | Enter the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your ZyWALL dials the Secondary Phone number if available. Some areas require dialing the pound sign # before the phone number for local calls. Include a # symbol at the beginning of the phone numbers as required.
Edit IP | This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3.2 - Remote Node Network Layer Options. See Section 29.3.4 on page 489 for more information.
Edit Script Options | Press [SPACE BAR] to select Yes and press [ENTER] to edit the AT script for the dial backup remote node (Menu 11.3.3 - Remote Node Script). See Section 29.3.5 on page 490 for more information.
Telco Option
Allocated Budget | Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field. The default for this field is 0 meaning there is no budget control and no time limit for accessing this remote node.
Period(hr) | Enter the time period (in hours) for how often the budget should be reset. For example, to allow calls to this remote node for a maximum of 10 minutes every hour, set the Allocated Budget to 10 (minutes) and the Period to 1 (hour).
Schedules | You can apply up to four schedule sets here. For more details please refer to Chapter 46 on page 619.
Always On | Press [SPACE BAR] to select Yes to set this connection to be on all the time, regardless of whether or not there is any traffic. Select No to have this connection act as a dial-up connection.
Session Options
Edit Filter sets | This field leads to another “hidden” menu. Use [SPACE BAR] to select Yes and press [ENTER] to open menu 11.3.4 to edit the filter sets. See Section 29.3.6 on page 492 for more details.
Idle Timeout | Enter the number of seconds of idle time (when there is no traffic from the ZyWALL to the remote node) that can elapse before the ZyWALL automatically disconnects the PPP connection. This option only applies when the ZyWALL initiates the call.
Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

29.3.4 Editing TCP/IP Options

Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes.

Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options.

Figure 286 Menu 11.3.2: Remote Node Network Layer Options

Menu 11.3.2 - Remote Node Network Layer Options

IP Address Assignment= Static
Rem IP Addr= 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
Network Address Translation= SUA Only
NAT Lookup Set= 255
Metric= 15
Private= No
RIP Direction= None
    Version= N/A
Multicast= None

Enter here to CONFIRM or ESC to CANCEL:

The following table describes the fields in this menu.

Table 199 Menu 11.3.2: Remote Node Network Layer Options

FIELD | DESCRIPTION
IP Address Assignment | If your ISP did not assign you a fixed IP address, press [SPACE BAR] and then [ENTER] to select Dynamic, otherwise select Static and enter the IP address and subnet mask in the following fields.
Rem IP Address | Enter the (fixed) IP address assigned to you by your ISP (static IP address assignment is selected in the previous field).
Rem Subnet Mask | Enter the subnet mask associated with your static IP.
My WAN Addr | Leave the field set to 0.0.0.0 to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Enter your WAN IP address here if you know it (static). This is the address assigned to your local ZyWALL, not the remote router.
Network Address Translation | Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Press [SPACE BAR] and then [ENTER] to select either Full Feature, None or SUA Only. Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include: One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many-One-to-One and Server. When you select Full Feature you must configure at least one address mapping set. See Chapter 17 on page 329 for a full discussion on this feature.
NAT Lookup Set | If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the Backup port. Refer to Section 37.2 on page 535 for more information.
Metric | Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes. The smaller the number, the higher priority the route has.
Private | This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
RIP Direction | Press [SPACE BAR] and then [ENTER] to select the RIP Direction from Both, In Only, Out Only and None.
Version | Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1, RIP-2B and RIP-2M.
Multicast | IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press the [SPACE BAR] to enable IP Multicasting or select None to disable it. See Section 6.5 on page 115 for more information on this feature.
Once you have completed filling in Menu 11.3.2 Remote Node Network Layer Options, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration and return to menu 11.3, or press [ESC] at any time to cancel.

29.3.5 Editing Login Script

For some remote gateways, text login is required before PPP negotiation is started. The ZyWALL provides a script facility for this purpose. The script has six programmable sets; each set is composed of an 'Expect' string and a 'Send' string. After matching a message from the server to the 'Expect' field, the ZyWALL returns the set's 'Send' string to the server.

For instance, a typical login sequence starts with the server printing a banner, a login prompt for you to enter the user name and a password prompt to enter the password:

Welcome to Acme, Inc.

Login: myLogin

Password:

To handle the first prompt, you specify "login: " as the 'Expect' string and "myLogin" as the 'Send' string in set 1. The reason for leaving out the leading "L" is to avoid having to know exactly whether it is upper or lower case. Similarly, you specify "word: " as the 'Expect' string and your password as the 'Send' string for the second prompt in set 2.

You can use two variables, USERNAME and PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear. They are replaced with the outgoing login name and password in the remote node when the ZyWALL sees them in a 'Send' string. Please note that both variables must be entered exactly as shown. No other characters may appear before or after, either, i.e., they must be used alone in response to login and password prompts.

Please note that the ordering of the sets is significant, i.e., starting from set 1, the ZyWALL will wait until the 'Expect' string is matched before it proceeds to set 2, and so on for the rest of the script. When both the 'Expect' and the 'Send' fields of the current set are empty, the ZyWALL will terminate the script processing and start PPP negotiation. This implies two things: first, the sets must be contiguous; the sets after an empty one are ignored. Second, the last set should match the final message sent by the server. For instance, if the server prints:

login successful.

Starting PPP...

after you enter the password, then you should create a third set to match the final “PPP...” but without a “Send” string. Otherwise, the ZyWALL will start PPP prematurely right after sending your password to the server.

If there are errors in the script and it gets stuck at a set for longer than the "Dial Timeout" in menu 2 (default 60 seconds), the ZyWALL will timeout and drop the line. To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of messages and prompts from the server differs from what you expect.

Figure 287 Menu 11.3.3: Remote Node Script

Menu 11.3.3 - Remote Node Script

Active= No

Set 1:
    Expect=
    Send=
Set 2:
    Expect=
    Send=
Set 3:
    Expect=
    Send=
Set 4:
    Expect=
    Send=
Set 5:
    Expect=
    Send=
Set 6:
    Expect=
    Send=

Enter here to CONFIRM or ESC to CANCEL:

The following table describes the fields in this menu.

Table 200 Menu 11.3.3: Remote Node Script

FIELD | DESCRIPTION
Active | Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them.
Set 1-6: Expect | Enter an Expect string to match. After matching the Expect string, the ZyWALL returns the string in the Send field.
Set 1-6: Send | Enter a string to send out after the Expect string is matched.
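The following is an added example, not ZyXEL code: a small simulation of the Expect/Send script processing described in this section, run against a constructed login transcript. It shows the sequential matching, the USERNAME/PASSWORD substitution, the empty-set termination rule, and why a third Expect-only set is needed to avoid starting PPP before the gateway is ready. The transcript, login name and password are constructed.

```python
"""Added example, not ZyXEL code: a simulation of the Menu 11.3.3 Expect/Send
script rules, run against a constructed login transcript."""
from typing import List, Tuple

def substitute(send: str, login: str, password: str) -> str:
    # The two variables are recognised only when they are the entire Send string.
    if send == "USERNAME":
        return login
    if send == "PASSWORD":
        return password
    return send

def run_script(sets: List[Tuple[str, str]], server_lines: List[str],
               login: str, password: str) -> Tuple[List[str], str, List[str]]:
    """Process up to six (Expect, Send) sets in order.
    Returns (strings sent, outcome, server lines never waited for), where
    outcome is "ppp" when script processing ends and PPP negotiation would
    start, or "timeout" when a set's Expect string never arrives (the Dial
    Timeout in menu 2 would then drop the line)."""
    sent: List[str] = []
    pending = list(server_lines)   # constructed server output, oldest first
    received = ""                  # text seen so far and not yet matched
    for expect, send in sets[:6]:
        if expect == "" and send == "":
            break                  # an empty set ends the script; later sets are ignored
        # Wait until the Expect string shows up in the server's output.
        while expect not in received:
            if not pending:
                return sent, "timeout", []
            received += pending.pop(0)
        # Drop everything up to and including the match so it is not matched twice.
        received = received[received.index(expect) + len(expect):]
        if send:
            sent.append(substitute(send, login, password))
    # Leftover lines mean PPP would start before the server finished talking.
    return sent, "ppp", pending

# Constructed transcript of the remote gateway, following the text above.
SERVER = ["Welcome to Acme, Inc.\r\n", "Login: ", "Password: ",
          "login successful.\r\n", "Starting PPP...\r\n"]

# Sets 1 and 2 only: "ogin: " and "word: " avoid depending on the prompt's case.
TWO_SETS = [("ogin: ", "USERNAME"), ("word: ", "PASSWORD")]
# Set 3 waits for the final "PPP..." line and sends nothing.
THREE_SETS = TWO_SETS + [("PPP...", "")]

if __name__ == "__main__":
    # Two sets: password sent, then PPP starts with two server lines still unread.
    print(run_script(TWO_SETS, SERVER, "myLogin", "s3cret"))
    # Three sets: PPP starts only after "Starting PPP..." has been seen.
    print(run_script(THREE_SETS, SERVER, "myLogin", "s3cret"))
```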

29.3.6 Remote Node Filter

Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.3.4 - Remote Node Filter.

Use menu 11.3.4 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field. Please refer to Chapter 39 on page 555 for more information on defining the filters.

Figure 288 Menu 11.3.4: Remote Node Filter

Menu 11.3.4 - Remote Node Filter

Input Filter Sets:
    protocol filters
    device filters
Output Filter Sets:
    protocol filters
    device filters
Call Filter Sets:
    protocol filters
    device filters

Enter here to CONFIRM or ESC to CANCEL:

29.4 3G WAN

3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices. See Section 8.12 on page 152 for more information.

To set up a 3G connection, you need to configure

1 Menu 2 - WAN Setup,
2 Menu 11.2 - Remote Node Profile (3G WAN)

29.4.1 3G Modem Setup

From the main menu, enter 2 to open menu 2 on the ZyWALL that supports a 3G card.

Figure 289 3G Modem Setup in WAN Setup

The following table describes the fields in this screen.

Table 201 3G Modem Setup in WAN Setup

FIELD | DESCRIPTION
3G Modem Setup
APN | Enter the APN (Access Point Name) provided by your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge method. You can enter up to 31 ASCII printable characters. Spaces are allowed.
PIN Code | A PIN (Personal Identification Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G card. Enter the 4-digit PIN code (0000 for example) provided by your ISP. If you enter the PIN code incorrectly, the 3G card may be blocked by your ISP and you cannot use the account to access the Internet. If your ISP disabled PIN code authentication, enter an arbitrary number.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

29.4.2 Remote Node Profile (3G WAN)

Enter 2 in Menu 11 - Remote Node Setup to open Menu 11.2 - Remote Node Profile (3G WAN) (shown below) and configure the setup for your 3G connection.

Figure 290 Menu 11.2: Remote Node Profile (3G WAN)

The following table describes the fields in this menu.

Table 202 Menu 11.2: Remote Node Profile (3G WAN)

FIELD | DESCRIPTION
Rem Node Name | Enter a descriptive name for the remote node. This field can be up to eight characters. WAN 2 denotes a 3G WAN connection but you can change that.
Active | Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node.
Outgoing
My Login | Enter the login name assigned by your ISP for this remote node.
My Password | Enter the password assigned by your ISP for this remote node.
Retype to Confirm | Enter your password again to make sure that you have entered it correctly.
Authen | This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your ZyWALL will accept either CHAP or PAP when requested by this remote node. CHAP - accept CHAP only. PAP - accept PAP only.
Pri Phone # | Enter the phone number (dial string) used to dial up a connection to your service provider's base station. Your ISP should provide the phone number. For example, *99# is the dial string to establish a GPRS or 3G connection in Taiwan.
Edit IP | This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3.2 - Remote Node Network Layer Options. See Section 29.3.4 on page 489 for more information.
Edit Script Options | Press [SPACE BAR] to select Yes and press [ENTER] to edit the AT script for the dial backup remote node (Menu 11.3.3 - Remote Node Script). See Section 29.3.5 on page 490 for more information.
Always On | Press [SPACE BAR] to select Yes to set this connection to be on all the time, regardless of whether or not there is any traffic. Select No to have this connection act as a dial-up connection.
Session Options
Edit Filter sets | This field leads to another “hidden” menu. Use [SPACE BAR] to select Yes and press [ENTER] to open menu 11.3.4 to edit the filter sets. See Section 29.3.6 on page 492 for more details.
Idle Timeout | Enter the number of seconds of idle time (when there is no traffic from the ZyWALL to the remote node) that can elapse before the ZyWALL automatically disconnects the 3G connection.
Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

This chapter describes how to configure the LAN using Menu 3 - LAN Setup.

30.1 Introduction to LAN Setup

This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.

30.2 Accessing the LAN Menus

From the main menu, enter 3 to open Menu 3 - LAN Setup.

Figure 291 Menu 3: LAN Setup

Menu 3 - LAN Setup

  1. LAN Port Filter Setup
  2. TCP/IP and DHCP Setup

Enter Menu Selection Number:

30.3 LAN Port Filter Setup

This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic, however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.

Figure 292 Menu 3.1: LAN Port Filter Setup

Menu 3.1 - LAN Port Filter Setup

Input Filter Sets:
    protocol filters
    device filters
Output Filter Sets:
    protocol filters
    device filters

Press ENTER to Confirm or ESC to Cancel:

30.4 TCP/IP and DHCP Ethernet Setup Menu

From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.

Figure 293 Menu 3: TCP/IP and DHCP Setup

Menu 3 - LAN Setup

  1. LAN Port Filter Setup

  2. TCP/IP and DHCP Setup

Enter Menu Selection Number:

From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2 - TCP/IP and DHCP Ethernet Setup, as shown next. Not all fields are available on all models.

Figure 294 Menu 3.2: TCP/IP and DHCP Ethernet Setup

Follow the instructions in the next table on how to configure the DHCP fields.

Table 203 Menu 3.2: DHCP Ethernet Setup Fields

FIELD | DESCRIPTION
DHCP | This field enables/disables the DHCP server. If set to Server, your ZyWALL will act as a DHCP server. If set to None, the DHCP server will be disabled. If set to Relay, the ZyWALL acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients. When set to Server, the following items need to be set:
Client IP Pool:
Starting Address | This field specifies the first of the contiguous addresses in the IP address pool.
Size of Client IP Pool | This field specifies the size, or count of the IP address pool.
First DNS Server, Second DNS Server, Third DNS Server | The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients.
Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the IP Address field below. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you save your changes. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you save your changes.
Select DNS Relay to have the ZyWALL act as a DNS proxy. The ZyWALL's LAN IP address displays in the IP Address field below (read-only). The ZyWALL tells the DHCP clients on the LAN that the ZyWALL itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyWALL, the ZyWALL forwards the query to the ZyWALL's system DNS server (configured in menu 1) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you save your changes.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
DHCP Server Address | If Relay is selected in the DHCP field above, then type the IP address of the actual, remote DHCP server here.

Use the instructions in the following table to configure TCP/IP parameters for the LAN port.


LAN and DMZ IP addresses must be on separate subnets.

Table 204 Menu 3.2: LAN TCP/IP Setup Fields

TCP/IP Setup:
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are: Both, In Only, Out Only or None.
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are: RIP-1, RIP-2B or RIP-2M.
Multicast: IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] and then [ENTER] to enable IP multicasting or select None (default) to disable it.
Edit IP Alias: The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Press [SPACE BAR] to select Yes and then press [ENTER] to display menu 3.2.1.

When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm...] to save your configuration, or press [ESC] at any time to cancel.

30.4.1 IP Alias Setup

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network.

Use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown next. Use this menu to configure the second and third networks.

Figure 295 Menu 3.2.1: IP Alias Setup

Menu 3.2.1 - IP Alias Setup  
IP Alias 1= Yes  
IP Address= 192.168.2.1  
IP Subnet Mask= 255.255.255.0  
RIP Direction= None  
Version= RIP-1  
Incoming protocol filters=  
Outgoing protocol filters=  
IP Alias 2= No  
IP Address= N/A  
IP Subnet Mask= N/A  
RIP Direction= N/A  
Version= N/A  
Incoming protocol filters= N/A  
Outgoing protocol filters= N/A  
Enter here to CONFIRM or ESC to CANCEL: 

Use the instructions in the following table to configure IP alias parameters.

Table 205 Menu 3.2.1: IP Alias Setup

IP Alias 1, 2: Choose Yes to configure the LAN network for the ZyWALL.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are Both, In Only, Out Only or None.
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are RIP-1, RIP-2B or RIP-2M.
Incoming Protocol Filters: Enter the filter set(s) you wish to apply to the incoming traffic between this node and the ZyWALL.
Outgoing Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL.

When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm...] to save your configuration, or press [ESC] at any time to cancel.
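The SMT accepts the menu 3.2, 3.2.1, 5.2 and 7.2 values field by field and only tells you afterwards that two of them conflict. The following script is an added example, not part of the manual or of ZyXEL's firmware: it takes a constructed set of interface addresses and masks (the names, addresses and the DHCP pool are assumptions chosen for illustration) and checks the two rules this chapter states, that the LAN, DMZ, WLAN and IP alias networks must be on separate subnets, and that a DHCP client pool (Starting Address plus Size of Client IP Pool) must fit inside its interface's subnet without swallowing the ZyWALL's own address. The same check applies to the DMZ and WLAN menus later in this chapter.

```python
import ipaddress

# Constructed settings (not taken from the manual): what an administrator might have typed
# into the SMT menus 3.2, 3.2.1, 5.2 and 7.2 of one ZyWALL. Each entry is
# (ZyWALL IP address on that network, IP subnet mask).
INTERFACES = {
    "LAN (menu 3.2)":       ("192.168.1.1",   "255.255.255.0"),
    "LAN alias 1 (3.2.1)":  ("192.168.2.1",   "255.255.255.0"),
    "DMZ (menu 5.2)":       ("10.10.2.1",     "255.255.255.0"),
    "WLAN (menu 7.2)":      ("192.168.1.129", "255.255.255.128"),  # deliberately inside the LAN
}

# Constructed menu 3.2 DHCP pool: Starting Address and Size of Client IP Pool.
DHCP_POOL = {"interface": "LAN (menu 3.2)", "start": "192.168.1.33", "size": 32}


def interface_networks(interfaces):
    """Return the IPv4 network implied by each interface's address and mask."""
    return {name: ipaddress.ip_interface(f"{ip}/{mask}").network
            for name, (ip, mask) in interfaces.items()}


def overlapping_pairs(interfaces):
    """Return every pair of interface names whose subnets overlap.

    An empty list means the LAN, DMZ, WLAN and alias networks are disjoint, which is
    what the manual requires ("LAN and DMZ IP addresses must be on separate subnets").
    """
    nets = interface_networks(interfaces)
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def dhcp_pool_problems(interfaces, pool):
    """Check a Starting Address + Size of Client IP Pool pair against its interface.

    Returns a list of human-readable problems; an empty list means the pool is sane.
    """
    ip, mask = interfaces[pool["interface"]]
    gateway = ipaddress.ip_interface(f"{ip}/{mask}")
    net = gateway.network
    first = ipaddress.ip_address(pool["start"])
    last = first + (pool["size"] - 1)
    problems = []
    if first not in net or last not in net:
        problems.append("pool leaves the interface subnet")
    if first <= gateway.ip <= last:
        problems.append("pool contains the ZyWALL's own address")
    if first == net.network_address or last == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    for a, b in overlapping_pairs(INTERFACES):
        print(f"overlap: {a} and {b}")
    print("DHCP pool problems:", dhcp_pool_problems(INTERFACES, DHCP_POOL) or "none")
```

Run as shown, the script reports that the constructed WLAN network 192.168.1.128/25 lies inside the LAN's 192.168.1.0/24, which is exactly the configuration the ZyWALL rejects; the DHCP pool .33 to .64 passes. Overlapping subnets matter beyond mere misconfiguration: the firewall's LAN/DMZ/WLAN policy is applied per interface, so a host that can claim an address the ZyWALL routes to the wrong interface ends up under the wrong rule set.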

Internet Access

This chapter shows you how to configure your ZyWALL for Internet access.

31.1 Introduction to Internet Access Setup

Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine what encapsulation type you should use.


This menu configures WAN 1 on a ZyWALL with multiple WAN interfaces. Configure the WAN 2 interface in Menu 11.2 - Remote Node Profile or in the WAN > WAN 2 screen via the web configurator.

31.2 Ethernet Encapsulation

If you choose Ethernet in menu 4 you will see the next menu.

Figure 296 Menu 4: Internet Access Setup (Ethernet)

The following table describes the fields in this menu.

Table 206 Menu 4: Internet Access Setup (Ethernet)

ISP's Name: This is the descriptive name of your ISP for identification purposes.
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
Service Type: Press [SPACE BAR] and then [ENTER] to select Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method), RR-Telstra or Telia Login. Choose a RoadRunner flavor if your ISP is Time Warner's RoadRunner; otherwise choose Standard.
  Note: DSL users must choose the Standard option only. The My Login, My Password and Login Server fields are not applicable in this case.
My Login: Enter the login name given to you by your ISP.
My Password: Enter the password given to you by your ISP.
Retype to Confirm: Enter your password again to make sure that you have entered it correctly.
Login Server: The ZyWALL will find the RoadRunner server IP if this field is left blank. If it does not, then you must enter the authentication server IP address.
Relogin Every (min): This field is available when you select Telia Login in the Service Type field. The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 recommended) for the ZyWALL to wait between logins.
IP Address Assignment: If your ISP did not assign you a fixed IP address, press [SPACE BAR] and then [ENTER] to select Dynamic; otherwise select Static and enter the IP address and subnet mask in the following fields.
IP Address: Enter the (fixed) IP address assigned to you by your ISP (static IP address assignment is selected in the previous field).
IP Subnet Mask: Enter the subnet mask associated with your static IP.
Gateway IP Address: Enter the gateway IP address associated with your static IP.
Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include: One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many One-to-One and Server. When you select Full Feature you must configure at least one address mapping set. Please see Chapter 17 on page 329 for a more detailed discussion of the Network Address Translation feature.

When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.

31.3 Configuring the PPTP Client


The ZyWALL supports only one PPTP server connection at any given time.

To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.

After configuring My Login and Password for PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 -Internet Access Setup to choose PPTP as your encapsulation option. This brings up the following screen.

Figure 297 Internet Access Setup (PPTP)

The following table contains instructions about the new fields when you choose PPTP in the Encapsulation field in menu 4.

Table 207 New Fields in Menu 4 (PPTP) Screen

Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field.
Idle Timeout: This value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPTP server.

31.4 Configuring the PPPoE Client

If you enable PPPoE in menu 4, you will see the next screen.

Figure 298 Internet Access Setup (PPPoE)

The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4.

Table 208 New Fields in Menu 4 (PPPoE) Screen

Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices in the IP Address field.
Idle Timeout: This value specifies the time, in seconds, that elapses before the ZyWALL automatically disconnects from the PPPoE server.

If you need a PPPoE service name to identify and reach the PPPoE server, please go to menu 11 and enter the PPPoE service name provided to you in the Service Name field.

31.5 Basic Setup Complete

Well done! You have successfully connected, installed and set up your ZyWALL to operate on your network as well as access the Internet.


When the firewall is activated, the default policy allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.

You may deactivate the firewall in menu 21.2 or via the ZyWALL embedded web configurator. You may also define additional firewall rules or modify existing ones but please exercise extreme caution in doing so. See the chapters on firewall for more information on the firewall.

DMZ Setup

This chapter describes how to configure the ZyWALL's DMZ using Menu 5 - DMZ Setup.

32.1 Configuring DMZ Setup

From the main menu, enter 5 to open Menu 5 - DMZ Setup.

Figure 299 Menu 5: DMZ Setup

Menu 5 - DMZ Setup  
1. DMZ Port Filter Setup  
2. TCP/IP and DHCP Setup  
Enter Menu Selection Number: 

32.2 DMZ Port Filter Setup

This menu allows you to specify the filter sets that you wish to apply to your public server(s) traffic.

Figure 300 Menu 5.1: DMZ Port Filter Setup

Menu 5.1 - DMZ Port Filter Setup
Input Filter Sets:
  protocol filters=
  device filters=
Output Filter Sets:
  protocol filters=
  device filters=

Press ENTER to Confirm or ESC to Cancel:

32.3 TCP/IP Setup

For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 113.

32.3.1 IP Address

From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP.

Figure 301 Menu 5: DMZ Setup

Menu 5 - DMZ Setup

  1. DMZ Port Filter Setup
  2. TCP/IP and DHCP Setup

Enter Menu Selection Number:

From menu 5, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 5.2 - TCP/IP and DHCP Ethernet Setup, as shown next.

Figure 302 Menu 5.2: TCP/IP and DHCP Ethernet Setup

Menu 5.2 - TCP/IP and DHCP Ethernet Setup

DHCP= None
Client IP Pool:
  Starting Address= N/A
  Size of Client IP Pool= N/A
DHCP Server Address= N/A

TCP/IP Setup:
  IP Address= 10.10.2.1
  IP Subnet Mask= 255.255.255.0
  RIP Direction= None
  Version= N/A
  Multicast= IGMP-v2
  Edit IP Alias= No

Press ENTER to Confirm or ESC to Cancel:

The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 30.4 on page 498 for information on how to configure these fields.


DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 37 on page 533) in menus 15.1 and 15.2.

32.3.2 IP Alias Setup

Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next. Use this menu to configure the second and third networks.

Figure 303 Menu 5.2.1: IP Alias Setup

Menu 5.2.1 - IP Alias Setup  
IP Alias 1= No  
IP Address= N/A  
IP Subnet Mask= N/A  
RIP Direction= N/A  
Version= N/A  
Incoming protocol filters= N/A  
Outgoing protocol filters= N/A  
IP Alias 2= No  
IP Address= N/A  
IP Subnet Mask= N/A  
RIP Direction= N/A  
Version= N/A  
Incoming protocol filters= N/A  
Outgoing protocol filters= N/A  
Enter here to CONFIRM or ESC to CANCEL: 

Refer to Table 205 on page 501 for instructions on configuring IP alias parameters.

Route Setup

This chapter describes how to configure the ZyWALL's route assessment, traffic redirect and route failover using Menu 6 - Route Setup.

33.1 Configuring Route Setup

From the main menu, enter 6 to open Menu 6 - Route Setup.

Figure 304 Menu 6: Route Setup

Menu 6 - Route Setup

  1. Route Assessment
  2. Traffic Redirect
  3. Route Failover

Enter Menu Selection Number:

33.2 Route Assessment

This menu allows you to configure traffic redirect properties.

Figure 305 Menu 6.1: Route Assessment

Menu 6.1 - Route Assessment

Probing WAN 1 Check Point= Yes
  Use Default Gateway as Check Point= Yes
  Check Point= N/A

Probing WAN 2 Check Point= Yes
  Use Default Gateway as Check Point= Yes
  Check Point= N/A

Probing Traffic Redirection Check Point= No
  Use Default Gateway as Check Point= N/A
  Check Point= N/A

Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 209 Menu 6.1: Route Assessment

Probing WAN 1/2 Check Point: Press [SPACE BAR] and then press [ENTER] to choose Yes to have the ZyWALL periodically test whether the WAN 1 or WAN 2 connection can reach its check point.
Probing Traffic Redirection Check Point: Press [SPACE BAR] and then press [ENTER] to choose Yes to have the ZyWALL test the traffic redirect (backup gateway) connection in the same way.
Use Default Gateway as Check Point: Leave this set to Yes to have the ZyWALL ping the connection's default gateway IP address. Select No to ping the host you name in the Check Point field instead.
Check Point: When Use Default Gateway as Check Point is No, enter the domain name or IP address of a reliable nearby host (for example, your ISP's DNS server address). The ZyWALL treats the connection as up as long as this host answers, so choose a host whose availability actually reflects the state of the link.

When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.

33.3 Traffic Redirect

To configure the parameters for traffic redirect, enter 2 in Menu 6 - Route Setup to open Menu 6.2 - Traffic Redirect as shown next.

Figure 306 Menu 6.2: Traffic Redirect

Menu 6.2 - Traffic Redirect

Active= No

Configuration:
  Backup Gateway IP Address= 0.0.0.0
  Metric= 14

Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 210 Menu 6.2: Traffic Redirect

Active: Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect. The default is No.
Backup Gateway IP Address: Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates.
Metric: This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 (see Section 8.5 on page 135). The smaller the number, the higher priority the route has.

When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.

33.4 Route Failover

This menu allows you to configure how the ZyWALL uses the route assessment ping check function.

Figure 307 Menu 6.3: Route Failover

Menu 6.3 - Route Failover  
Period=5  
Timeout= 3  
Fail Tolerance=3  
Press ENTER to Confirm or ESC to Cancel: 

The following table describes the fields in this menu.

Table 211 Menu 6.3: Route Failover

Period: Type the number of seconds for the ZyWALL to wait between checks to see if it can connect to the WAN IP address (in the Check Point field of menu 6.1) or the default gateway. Allow more time if your destination IP address handles lots of traffic.
Timeout: Type the number of seconds for your ZyWALL to wait for a ping response from the IP address in the Check Point field of menu 6.1 before it times out. The WAN connection is considered "down" after the ZyWALL times out the number of times specified in the Fail Tolerance field. Use a higher value in this field if your network is busy or congested.
Fail Tolerance: Type the number of times your ZyWALL may attempt and fail to connect to the Internet before traffic is forwarded to the backup gateway.

When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.
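The three menu 6.3 fields only make sense together: Period sets how often the check point is pinged, Timeout how long each miss costs, and Fail Tolerance how many consecutive misses are needed before traffic moves to the backup gateway. The script below is an added example (not ZyXEL's code; the probe loop is a model of the behaviour Table 211 describes, and the link-state sequence is constructed) that replays the loop with the Figure 307 values and derives the best- and worst-case delay between the link dying and the ZyWALL declaring it down.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailoverPolicy:
    """The three menu 6.3 fields; seconds for the first two, a count for the third."""
    period: int          # Period: seconds between two probes of the check point
    timeout: int         # Timeout: seconds to wait for a ping reply before counting a miss
    fail_tolerance: int  # Fail Tolerance: consecutive misses before the WAN is "down"


# The values shown in Figure 307.
FIGURE_307 = FailoverPolicy(period=5, timeout=3, fail_tolerance=3)


def detection_delay_bounds(policy):
    """Seconds between the link actually dying and the WAN being declared down.

    Assumes timeout <= period (probes do not overlap). Best case: the link dies just
    before a probe is sent; worst case: it dies just after a probe got its reply, so
    one whole period passes before the first miss can be observed.
    """
    best = (policy.fail_tolerance - 1) * policy.period + policy.timeout
    worst = policy.fail_tolerance * policy.period + policy.timeout
    return best, worst


def simulate(policy, check_point_answers):
    """Replay the menu 6.1/6.3 probe loop against a constructed link-state sequence.

    check_point_answers[i] is True if the Check Point host would answer probe i, which is
    sent at t = i * period. Returns (time the WAN is declared down, or None, and an event log).
    """
    misses = 0
    log = []
    for i, answered in enumerate(check_point_answers):
        sent = i * policy.period
        if answered:
            misses = 0  # one reply resets the consecutive-miss counter
            log.append((sent, "reply"))
            continue
        misses += 1
        at = sent + policy.timeout
        log.append((at, f"timeout {misses}/{policy.fail_tolerance}"))
        if misses >= policy.fail_tolerance:
            log.append((at, "WAN declared down: traffic forwarded to the backup gateway"))
            return at, log
    return None, log


if __name__ == "__main__":
    print("detection delay in seconds (best, worst):", detection_delay_bounds(FIGURE_307))
    # Constructed sequence: two good probes, then the check point stops answering.
    down_at, events = simulate(FIGURE_307, [True, True, False, False, False])
    for t, what in events:
        print(f"t={t:>3}s  {what}")
```

With the Figure 307 defaults the ZyWALL needs between 13 and 18 seconds to notice a dead link, and a single reply in between resets the count, so intermittent loss never triggers failover. The check point is also the one host whose unreachability an outsider needs to cause in order to push all your traffic onto the backup gateway; pick a host you control or trust, and treat a failover event in the logs as something to investigate rather than a routine.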

Wireless Setup

Use menu 7 to configure the IP address of the ZyWALL's WLAN interface and its other TCP/IP and DHCP settings.

34.1 TCP/IP Setup

For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 113.

34.1.1 IP Address

From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure TCP/IP.

Figure 308 Menu 7: WLAN Setup

Menu 7 - WLAN Setup

  1. TCP/IP and DHCP Setup

Enter Menu Selection Number:

From menu 7, select the TCP/IP and DHCP Setup option and press [ENTER]. The screen now displays Menu 7.2 - TCP/IP and DHCP Ethernet Setup, as shown next.

Figure 309 Menu 7.2: TCP/IP and DHCP Ethernet Setup

The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 30.4 on page 498 for information on how to configure these fields.


DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the WLAN port (see Chapter 37 on page 533) in menus 15.1 and 15.2.

34.1.2 IP Alias Setup

You must use menu 7.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network.

Pressing [ENTER] opens Menu 7.2.1 - IP Alias Setup, as shown next.

Figure 310 Menu 7.2.1: IP Alias Setup

Refer to Table 205 on page 501 for instructions on configuring IP alias parameters.

Remote Node Setup

This chapter shows you how to configure a remote node.

35.1 Introduction to Remote Node Setup

A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. The following describes how to configure Menu 11.1 - Remote Node Profile, Menu 11.1.2 - Remote Node Network Layer Options and Menu 11.1.4 - Remote Node Filter.

35.2 Remote Node Setup

From the main menu, select menu option 11 to open Menu 11 - Remote Node Setup (shown below).

Enter 1 to open Menu 11.1 - Remote Node Profile and configure the setup for your WAN port. Enter 2 to open Menu 11.2 - Remote Node Profile (3G WAN) and configure the setup for your 3G connection. Enter 3 to open Menu 11.3 Remote Node Profile (Backup ISP) and configure the setup for your Dial Backup port connection (see Chapter 29 on page 483).

Figure 311 Menu 11: Remote Node Setup

Menu 11 - Remote Node Setup

  1. WAN_1 (ISP, SUA)
  2. WAN_2 (ISP, SUA)
  3. -Dial (BACKUP_ISP, SUA)

Enter Node # to Edit:

35.3 Remote Node Profile Setup

The following explains how to configure the remote node profile menu. Not all fields are available on all models.

35.3.1 Ethernet Encapsulation

There are three variations of menu 11.1 depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.1 screen you see is for Ethernet encapsulation shown next.

Figure 312 Menu 11.1: Remote Node Profile for Ethernet Encapsulation

Menu 11.1 - Remote Node Profile

Rem Node Name= WAN 1            Route= IP
Active= Yes
Encapsulation= Ethernet         Edit IP= No
Service Type= Standard          Session Options:
Outgoing:                         Schedules=
  My Login= N/A                   Edit Filter Sets= No
  My Password= N/A
  Retype to Confirm= N/A
  Server= N/A
  Relogin Every (min)= N/A

Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 212 Menu 11.1: Remote Node Profile for Ethernet Encapsulation

Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters.
Active: Press [SPACE BAR] and then [ENTER] to select Yes (activate remote node) or No (deactivate remote node).
Encapsulation: Ethernet is the default encapsulation. Press [SPACE BAR] and then [ENTER] to change to PPPoE or PPTP encapsulation.
Service Type: Press [SPACE BAR] and then [ENTER] to select from Standard, RR-Toshiba (RoadRunner Toshiba authentication method), RR-Manager (RoadRunner Manager authentication method), RR-Telstra or Telia Login. Choose one of the RoadRunner methods if your ISP is Time Warner's RoadRunner; otherwise choose Standard.
Outgoing:
My Login: This field is applicable for PPPoE encapsulation only. Enter the login name assigned by your ISP when the ZyWALL calls this remote node. Some ISPs append this field to the Service Name field above (e.g., jim@poellic) to access the PPPoE server.
My Password: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Server: This field is valid only when RoadRunner is selected in the Service Type field. The ZyWALL will find the RoadRunner server IP automatically if this field is left blank. If it does not, then you must enter the authentication server IP address here.
Relogin Every (min): This field is available when you select Telia Login in the Service Type field. The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 recommended) for the ZyWALL to wait between logins.
Route: This field refers to the protocol that will be routed by your ZyWALL; IP is the only option for the ZyWALL.
Edit IP: This field leads to a "hidden" menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.1.2 - Remote Node Network Layer Options.
Session Options:
Schedules: You can apply up to four schedule sets here. For more details please refer to Chapter 46 on page 619.
Edit Filter Sets: This field leads to another "hidden" menu. Use [SPACE BAR] to select Yes and press [ENTER] to open menu 11.1.4 to edit the filter sets. See Section 35.5 on page 527 for more details.

Once you have configured this menu, press [ENTER] at the message "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.

35.3.2 PPPoE Encapsulation

The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you're using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen.

Figure 313 Menu 11.1: Remote Node Profile for PPPoE Encapsulation

Menu 11.1 - Remote Node Profile

Rem Node Name= ChangeMe         Route= IP
Active= Yes
Encapsulation= PPPoE            Edit IP= No
Service Type= Standard          Telco Option:
Service Name=                     Allocated Budget(min)= 0
Outgoing:                         Period(hr)= 0
  My Login=                       Nailed-Up Connection= No
  My Password=
  Retype to Confirm= ******     Session Options:
  Authen= CHAP/PAP                Edit Filter Sets= No
                                  Idle Timeout(sec)= 100

Press ENTER to Confirm or ESC to Cancel:

35.3.2.1 Outgoing Authentication Protocol

Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendors' implementations include a specific authentication protocol in the user profile and disconnect if the negotiated protocol differs from the one in the profile, even when the negotiated protocol is stronger than the one specified. If you encounter a case where the peer disconnects right after a successful authentication, make sure that you specify the authentication protocol that such an implementation expects.

35.3.2.2 Nailed-Up Connection

A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The ZyWALL does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the ZyWALL will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.

Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern.

35.3.2.3 Metric

See Section 8.5 on page 135 for details on the Metric field.

The following table describes the fields not already described in Table 212 on page 522.

Table 213 Fields in Menu 11.1 (PPPoE Encapsulation Specific)

Service Name: If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation.
Authen: This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP (your ZyWALL will accept either CHAP or PAP when requested by this remote node), CHAP (accept CHAP only) and PAP (accept PAP only). PAP sends the password across the link in the clear, while CHAP answers a server challenge with a hash and never transmits the password itself; prefer CHAP, and fall back to CHAP/PAP only if the remote server insists on PAP.
Telco Option:
Allocated Budget: This field sets a ceiling for outgoing call time for this remote node. The default for this field is 0, meaning no budget control.
Period(hr): This field is the time period after which the budget is reset. For example, if we are allowed to call this remote node for a maximum of 10 minutes every hour, then the Allocated Budget is 10 (minutes) and the Period(hr) is 1 (hour).
Schedules: You can apply up to four schedule sets here. For more details please refer to Chapter 46 on page 619.
Nailed-Up Connection: This field specifies if you want to make the connection to this remote node a nailed-up connection. More details are given earlier in this section.
Session Options:
Idle Timeout: Type the length of idle time (when there is no traffic from the ZyWALL to the remote node) in seconds that can elapse before the ZyWALL automatically disconnects the PPPoE connection. This option only applies when the ZyWALL initiates the call.
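To make the Authen choice concrete, the script below is an added example (not ZyXEL's code, and the login, password and server database are constructed for illustration). It models both sides of the outgoing call: the ZyWALL's Authen setting decides whether the protocol the remote server requests is accepted, which is the mismatch Section 35.3.2.1 warns about; then PAP or CHAP (the RFC 1994 MD5 variant) runs, so you can compare what actually appears on the link in each case.

```python
import hashlib
import os

# Constructed credentials for this example; nothing here comes from a real ISP.
PEER_LOGIN = "jim@example-isp"
PEER_SECRET = b"correct horse battery staple"
ISP_DATABASE = {PEER_LOGIN: PEER_SECRET}  # what the ISP's access server knows


def negotiate(local_authen, peer_requests):
    """Model the menu 11.1 Authen field against what the remote server asks for.

    local_authen is 'CHAP/PAP', 'CHAP' or 'PAP' exactly as in the menu; peer_requests is
    the protocol the PPPoE/PPTP server proposes in LCP. Returns the protocol that will run,
    or None when the ZyWALL would refuse (assumption: a refusal ends the call).
    """
    acceptable = {"CHAP/PAP": {"CHAP", "PAP"}, "CHAP": {"CHAP"}, "PAP": {"PAP"}}[local_authen]
    return peer_requests if peer_requests in acceptable else None


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def run_pap(login, secret):
    """PAP: the peer sends login and password in the clear. Returns (bytes on the wire, ok)."""
    wire = login.encode() + b"\x00" + secret
    return wire, ISP_DATABASE.get(login) == secret


def run_chap(login, secret, challenge=None, identifier=1):
    """CHAP: the server challenges, the peer answers with a hash; the secret never crosses the link."""
    if challenge is None:
        challenge = os.urandom(16)  # the server's challenge
    response = chap_response(identifier, secret, challenge)                          # by the peer
    expected = chap_response(identifier, ISP_DATABASE.get(login, b""), challenge)  # by the server
    wire = challenge + login.encode() + response
    return wire, response == expected


def dial(local_authen, peer_requests, login=PEER_LOGIN, secret=PEER_SECRET):
    """One outgoing call: negotiate, then authenticate. Returns (protocol, wire bytes, ok)."""
    proto = negotiate(local_authen, peer_requests)
    if proto is None:
        return None, b"", False
    wire, ok = run_pap(login, secret) if proto == "PAP" else run_chap(login, secret)
    return proto, wire, ok


if __name__ == "__main__":
    for authen, asks in (("CHAP/PAP", "PAP"), ("CHAP/PAP", "CHAP"), ("CHAP", "PAP")):
        proto, wire, ok = dial(authen, asks)
        print(f"Authen={authen:8} server asks {asks}: ran {proto}, authenticated={ok}, "
              f"password visible on the link={PEER_SECRET in wire}")
```

With Authen set to CHAP/PAP the call succeeds either way, but a server that asks for PAP gets the password in cleartext on the DSL link; with Authen set to CHAP the same server is refused, which is the safer failure. CHAP's MD5 response is far from modern strength (a captured challenge/response pair can be attacked offline with a password dictionary), so a long, random ISP password still matters even when CHAP is negotiated.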

35.3.3 PPTP Encapsulation

If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen.

Figure 314 Menu 11.1: Remote Node Profile for PPTP Encapsulation

The next table shows how to configure fields in menu 11.1 not previously discussed.

Table 214 Menu 11.1: Remote Node Profile for PPTP Encapsulation

Encapsulation: Press [SPACE BAR] and then [ENTER] to select PPTP. You must also go to Menu 11.1.2 - Remote Node Network Layer Options (via the Edit IP field) to check the IP Address setting once you have selected the encapsulation method.
My IP Addr: Enter the IP address of the WAN Ethernet port.
My IP Mask: Enter the subnet mask of the WAN Ethernet port.
Server IP Addr: Enter the IP address of the ANT modem.
Connection ID/Name: Enter the connection ID or connection name in the ANT. It must follow the "c:id" and "n:name" format. This field is optional and depends on the requirements of your DSL modem.
Schedules: You can apply up to four schedule sets here. For more details refer to Chapter 46 on page 619.
Nailed-Up Connections: Press [SPACE BAR] and then [ENTER] to select Yes if you want to make the connection to this remote node a nailed-up connection.

35.4 Edit IP

Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.1.2 - Remote Node Network Layer Options. Not all fields are available on all models.

Figure 315 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation

This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation. The following table describes the fields in this menu.

Table 215 Remote Node Network Layer Options Menu Fields

IP Address Assignment: If your ISP did not assign you an explicit IP address, press [SPACE BAR] and then [ENTER] to select Dynamic; otherwise select Static and enter the IP address and subnet mask in the following fields.
(Rem) IP Address: If you have a static IP assignment, enter the IP address assigned to you by your ISP.
(Rem) IP Subnet Mask: If you have a static IP assignment, enter the subnet mask assigned to you.
Gateway IP Addr: This field is applicable to Ethernet encapsulation only. Enter the gateway IP address assigned to you if you are using a static IP address.
My WAN Addr: This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN, and each end must have a unique address within the WAN network number. If this is the case, enter the IP address assigned to the WAN port of your ZyWALL. Note that this is the address assigned to your local ZyWALL, not the remote router.
Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple public IP addresses. Full Feature mapping types include: One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many One-to-One and Server. When you select Full Feature you must configure at least one address mapping set. See Chapter 17 on page 329 for a full discussion of this feature.
NAT Lookup Set: If you select SUA Only in the Network Address Translation field, this displays 255 and indicates that the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates that the SMT will use Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the Backup port. Refer to Section 37.2 on page 535 for more information.
Metric: Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 8.5 on page 135). The smaller the number, the higher priority the route has.
Private: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP direction from Both/None/In Only/Out Only. See Chapter 6 on page 113 for more information on RIP. The default for RIP on the WAN side is None. It is recommended that you do not change this setting; accepting RIP updates from the WAN lets an untrusted peer alter the ZyWALL's routing table.
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1/RIP-2B/RIP-2M or None.
Multicast: IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] to enable IP multicasting or select None to disable it. See Chapter 6 on page 113 for more information on this feature.

Once you have completed filling in Menu 11.1.2 - Remote Node Network Layer Options, press [ENTER] at the message "Press ENTER to Confirm..." to save your configuration and return to menu 11, or press [ESC] at any time to cancel.

35.5 Remote Node Filter

Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.1.4 - Remote Node Filter.

Use menu 11.1.4 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field. For more information on defining the filters, please refer to Chapter 39 on page 555. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets.

Figure 316 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)

Menu 11.1.4 - Remote Node Filter
Input Filter Sets:
  protocol filters
  device filters
Output Filter Sets:
  protocol filters
  device filters
Enter here to CONFIRM or ESC to CANCEL:

Figure 317 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation)

Menu 11.1.4 - Remote Node Filter
Input Filter Sets:
  protocol filters
  device filters
Output Filter Sets:
  protocol filters
  device filters
Call Filter Sets:
  protocol filters
  device filters
Enter here to CONFIRM or ESC to CANCEL:

IP Static Route Setup

This chapter shows you how to configure static routes with your ZyWALL.

36.1 IP Static Route Setup

Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.


The first two static route entries are for default WAN1 and WAN2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route.

The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.


The “-” before a route name indicates the static route is inactive.

Figure 318 Menu 12: IP Static Route Setup

Now, enter the index number of the static route that you want to configure.

Figure 319 Menu 12.1: Edit IP Static Route

The following table describes the IP Static Route Menu fields.

Table 216 Menu 12.1: Edit IP Static Route

Route #: This is the index number of the static route that you chose in menu 12.
Route Name: Enter a descriptive name for this route. This is for identification purposes only.
Active: This field allows you to activate/deactivate this static route.
Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
IP Subnet Mask: Enter the IP subnet mask for this destination.
Gateway IP Address: Enter the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyWALL; over the WAN, the gateway must be the IP address of one of the remote nodes.
Metric: Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 8.5 on page 135). The smaller the number, the higher priority the route has.
Private: This parameter determines if the ZyWALL will include this route in its RIP broadcasts. If set to Yes, the route is kept private and not included in RIP broadcasts. If No, the route will be propagated to other hosts through RIP broadcasts.
Once you have completed filling in this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] to cancel.
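The following Python is an added example and not code from the ZyXEL manual or from ZyNOS. It models menu 12.1 entries with the fields of Table 216 and selects a route for a destination address, showing the two points the table makes: routing is done on the network number (a destination typed with host bits set is normalized to its network, and flagged), and a 255.255.255.255 mask yields a host route. The route table is constructed, and the most-specific-prefix-first rule it applies before comparing metrics is standard IP forwarding behaviour that this page does not itself state.

```python
"""Static route selection for menu 12.1 entries (added example, not ZyNOS code).

Assumption: the longest matching prefix wins before the metric is compared,
which is standard IP forwarding and not stated on this page. ROUTES is a
constructed table for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination: str   # Destination IP Address field
    mask: str          # IP Subnet Mask field, dotted form
    gateway: str       # Gateway IP Address field
    metric: int        # 1..15, smaller is preferred
    active: bool = True

    def network(self) -> ipaddress.IPv4Network:
        # strict=False applies the mask: "routing is always based on network number"
        return ipaddress.IPv4Network(f"{self.destination}/{self.mask}", strict=False)

    def check(self) -> List[str]:
        """Problems an operator should fix before saving the route."""
        problems = []
        if not 1 <= self.metric <= 15:
            problems.append(f"{self.name}: metric {self.metric} outside 1..15")
        net = self.network()
        if ipaddress.IPv4Address(self.destination) != net.network_address:
            problems.append(f"{self.name}: destination {self.destination} has host bits set; "
                            f"the ZyWALL routes on network {net.network_address}")
        return problems


def select_route(routes: Iterable[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Pick the active route for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    best, best_key = None, None
    for r in routes:
        if not r.active:
            continue
        net = r.network()
        if addr not in net:
            continue
        key = (net.prefixlen, -r.metric)   # larger tuple wins
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


# Constructed table: a default route, a branch network with a backup path,
# a /32 host route and a disabled route (the "-" in menu 12 marks it inactive).
ROUTES = (
    StaticRoute("WAN1 default", "0.0.0.0", "0.0.0.0", "203.0.113.1", 1),
    StaticRoute("branch", "10.20.0.0", "255.255.0.0", "192.168.1.254", 2),
    StaticRoute("branch-backup", "10.20.0.0", "255.255.0.0", "192.168.1.253", 5),
    StaticRoute("mgmt-host", "10.20.30.40", "255.255.255.255", "192.168.1.252", 3),
    StaticRoute("-old-lab", "10.20.30.0", "255.255.255.0", "192.168.1.251", 1, active=False),
)


def gateway_for(dst: str, routes: Iterable[StaticRoute] = ROUTES) -> Optional[str]:
    route = select_route(routes, dst)
    return route.gateway if route else None


if __name__ == "__main__":
    for r in ROUTES:
        for p in r.check():
            print("warning:", p)
    for dst in ("10.20.30.40", "10.20.30.41", "10.20.99.1", "198.51.100.7"):
        print(dst, "->", gateway_for(dst))
```

The host route for 10.20.30.40 wins over the /16 even though its metric is worse, because prefix length is compared first; the inactive /24 is never consulted, so 10.20.30.41 falls through to the branch route, and between the two /16 entries the metric 2 route is chosen.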

Network Address Translation (NAT)

This chapter discusses how to configure NAT on the ZyWALL.

37.1 Using NAT


You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.

37.1.1 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See Section 37.2.1 on page 536 for a detailed description of the NAT set for SUA. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types.


Choose SUA Only if you have just one public WAN IP address for your ZyWALL.
Choose Full Feature if you have multiple public WAN IP addresses for your ZyWALL.

37.1.2 Applying NAT

You apply NAT via menu 4 or 11.1.2 as displayed next. The next figure shows you how to apply NAT for Internet access in menu 4. Enter 4 from the main menu to go to Menu 4 - Internet Access Setup.

Figure 320 Menu 4: Applying NAT for Internet Access

Menu 4 - Internet Access Setup  
ISP's Name= ChangeMe  
Encapsulation= Ethernet  
Service Type= Standard  
My Login= N/A  
My Password= N/A  
Retype to Confirm= N/A  
Login Server= N/A  
Relogin Every (min)= N/A  
IP Address Assignment= Dynamic  
IP Address= N/A  
IP Subnet Mask= N/A  
Gateway IP Address= N/A  
Network Address Translation= SUA Only  
Press ENTER to Confirm or ESC to Cancel: 

The following figure shows how you apply NAT to the remote node in menu 11.1.

1 Enter 11 from the main menu.
2 Enter 1 to open Menu 11.1 - Remote Node Profile.
3 Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.1.2 - Remote Node Network Layer Options.

Figure 321 Menu 11.1.2: Applying NAT to the Remote Node

Menu 11.1.2 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Addr= N/A
Network Address Translation= Full Feature
NAT Lookup Set= 1
Metric= 1
Private= N/A
RIP Direction= None
Version= N/A
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:

The following table describes the fields in this menu.

Table 217 Applying NAT in Menus 4 & 11.1.2

Network Address Translation field, by option:
Full Feature: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see Section 37.2.1 on page 536 for further discussion). You can configure any of the mapping types described in Chapter 17 on page 329. Choose Full Feature if you have multiple public WAN IP addresses for your ZyWALL. When you select Full Feature you must configure at least one address mapping set.
None: NAT is disabled when you select this option.
SUA Only: When you select this option the SMT will use Address Mapping Set 255 (menu 15.1 - see Section 37.2.1 on page 536). Choose SUA Only if you have just one public WAN IP address for your ZyWALL.

37.2 NAT Setup

Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN, DMZ and WLAN. Set 255 is used for SUA. When you select Full Feature in menu 4, menu 11.1.2 or menu 11.2.2, the SMT will use Set 1 for the first WAN port and Set 2 for the second WAN port. When you select SUA Only, the SMT will use the pre-configured Set 255 (read only).

The server set is a list of LAN, DMZ and WLAN servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set. Please see the section on port forwarding in Chapter 17 on page 329 for further information on these menus. To configure NAT, enter 15 from the main menu to bring up the following screen.

Figure 322 Menu 15: NAT Setup

On a ZyWALL with two WAN interfaces, you can configure port forwarding and trigger port rules for the first WAN interface and separate sets of rules for the second WAN interface.

Menu 15 - NAT Setup

  1. Address Mapping Sets
  2. Port Forwarding Setup
  3. Trigger Port Setup

Enter Menu Selection Number:


Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets.

37.2.1 Address Mapping Sets

Enter 1 to bring up Menu 15.1 - Address Mapping Sets.

Figure 323 Menu 15.1: Address Mapping Sets

Menu 15.1 - Address Mapping Sets
1. NAT_SET
2. example
255. SUA (read only)
Enter Menu Selection Number: 

Enter 255 to display the next screen (see also Section 37.1.1 on page 533). The fields in this menu cannot be changed.

Figure 324 Menu 15.1.255: SUA Address Mapping Rules

Menu 15.1.255 - Address Mapping Rules
Set Name= SUA
Idx  Local Start IP   Local End IP      Global Start IP   Global End IP   Type
1.   0.0.0.0          255.255.255.255   0.0.0.0                           M-1
2.   0.0.0.0                            0.0.0.0                           Server
3.
4.
5.
6.
7.
8.
9.
10.
Press ENTER to Confirm or ESC to Cancel:

The following table explains the fields in this menu.

Menu 15.1.255 is read-only.

Table 218 SUA Address Mapping Rules

Set Name: This is the name of the set you selected in menu 15.1, or the name of a new set you want to create.
Idx: This is the index or rule number.
Local Start IP: Local Start IP is the starting local IP address (ILA).
Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255.
Global Start IP: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.
Global End IP: This is the ending global IP address (IGA).
Type: These are the mapping types discussed above. The Server type lets you map one global address to multiple servers of different types behind NAT. See the examples later in this chapter.
Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] to cancel.

37.2.1.2 User-Defined Address Mapping Sets

Now look at option 1 in menu 15.1. Enter 1 to bring up this menu. Look at the differences from the previous menu. Note the extra Action and Select Rule fields mean you can configure rules in this screen. Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set.


The entire set will be deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen.

Figure 325 Menu 15.1.1: First Set


The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here.

37.2.1.3 Ordering Your Rules

Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9.

Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so as old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.

Table 219 Fields in Menu 15.1.1

Set Name: Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted.
Action: The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule will then be moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. None disables the Select Rule item.
Select Rule: When you choose Edit, Insert Before or Delete in the previous field the cursor jumps to this field to allow you to select the rule to apply the action in question.


You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken.

Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs.


An IP End address must be numerically greater than its corresponding IP Start address.

Figure 326 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set

Menu 15.1.1.1 Address Mapping Rule  
Type= One-to-One  
Local IP:  
Start=  
End = N/A  
Global IP:  
Start=  
End = N/A  
Server Mapping Set= N/A  
Press ENTER to Confirm or ESC to Cancel: 

The following table describes the fields in this menu.

Table 220 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set

Type: Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in Chapter 17 on page 329. Server allows you to specify multiple servers of different types behind NAT. See Section 37.4.3 on page 545 for an example.
Local IP: Only the Local IP fields are N/A for the Server type; the Global IP fields MUST be set for Server.
Local IP Start: Enter the starting local IP address (ILA).
Local IP End: Enter the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One and Server types.
Global IP Start: Enter the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global IP Start. Note that Global IP Start can be set to 0.0.0.0 only if the type is Many-to-One or Server.
Global IP End: Enter the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types.
Server Mapping Set: This field is available only when you select Server in the Type field.
Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] to cancel.

37.3 Configuring a Server behind NAT


If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.

Follow these steps to configure a server behind NAT:

1 Enter 15 in the main menu to go to Menu 15 - NAT Setup.
2 Enter 2 to open menu 15.2.

Figure 327 Menu 15.2: NAT Server Sets

Menu 15.2 - NAT Server Sets

  1. Server Set 1
  2. Server Set 2

Enter Set Number to Edit:

3 Enter 1 or 2 to go to Menu 15.2.x - NAT Server Setup and configure the port forwarding rules for the WAN 1 or WAN 2 interface on a ZyWALL with multiple WAN interfaces.

Figure 328 Menu 15.2.x: NAT Server Sets

Menu 15.2.1 - NAT Server Setup
Default Server: 0.0.0.0
Rule Act. Start Port End Port IP Address
001 No 0 0 0.0.0.0
002 No 0 0 0.0.0.0
003 No 0 0 0.0.0.0
004 No 0 0 0.0.0.0
005 No 0 0 0.0.0.0
006 No 0 0 0.0.0.0
007 No 0 0 0.0.0.0
008 No 0 0 0.0.0.0
009 No 0 0 0.0.0.0
010 No 0 0 0.0.0.0
Select Command= None
Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:

4 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.x.x - NAT Server Configuration (see the next figure).

Figure 329 15.2.x.x: NAT Server Configuration

15.2.1.2 - NAT Server Configuration  
Wan= 1 Index= 2  
Name= 1  
Active= Yes  
Start port= 21 End port= 25  
IP Address= 192.168.1.33  
Press ENTER to Confirm or ESC to Cancel: 

The following table describes the fields in this screen.

Table 221 15.2.x.x: NAT Server Configuration

WAN: On a ZyWALL with two WAN ports, you can configure port forwarding and trigger port rules for the first WAN port and separate sets of rules for the second WAN port. This is the WAN port (server set) you selected in menu 15.2.
Index: This is the index number of an individual port forwarding server entry.
Name: Enter a name to identify this port-forwarding rule.
Active: Press [SPACE BAR] and then [ENTER] to select Yes to enable the NAT server entry.
Start Port / End Port: Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field.
IP Address: Enter the inside IP address of the server.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

5 Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field.
6 Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33. Note that the range 21 to 25 used in the figure also forwards ports 22 and 24 to that host; to expose only the three services, configure three single-port rules instead.
7 Press [ENTER] at the "Press ENTER to Confirm..." prompt to save your configuration after you define all the servers, or press [ESC] at any time to cancel.

Figure 330 Menu 15.2.1: NAT Server Setup

You assign the private network IP addresses. The NAT network appears as a single host on the Internet. A is the FTP/Telnet/SMTP server.

Figure 331 Server Behind NAT Example
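The following Python is an added example and not code from the ZyXEL manual or from ZyNOS. It models a NAT server set as configured in menu 15.2.x, using the rule table of Figure 335 (Default Server 192.168.1.10, rule 002 forwarding ports 21 to 25 to 192.168.1.33), and applies what this section states: inactive rules are ignored, a rule forwards every port in its range, and a packet for a port no rule covers goes to the Default Server when one is set and is discarded otherwise. The audit helper lists what the set exposes beyond the services you meant to publish, and a hardened set with one rule per service is shown beside it. One assumption is labelled in the code: when two active rules cover the same port, the lower-numbered rule wins, which the page does not say.

```python
"""NAT server set (menu 15.2.x) resolution and audit (added example, not ZyNOS code).

Assumption: among active rules that cover the same port, the lowest-numbered
rule wins; the manual does not state the precedence. The rule tables are
constructed from Figure 335.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NO_SERVER = "0.0.0.0"   # Default Server value meaning "none configured"


@dataclass(frozen=True)
class ServerRule:
    index: int
    active: bool
    start_port: int
    end_port: int
    ip: str

    def covers(self, port: int) -> bool:
        return self.active and self.start_port <= port <= self.end_port


@dataclass(frozen=True)
class ServerSet:
    default_server: str = NO_SERVER
    rules: Tuple[ServerRule, ...] = ()

    def resolve(self, port: int) -> Optional[str]:
        """Inside address an inbound WAN packet for this port reaches, or None if discarded."""
        for rule in sorted(self.rules, key=lambda r: r.index):
            if rule.covers(port):
                return rule.ip
        return self.default_server if self.default_server != NO_SERVER else None


def audit(server_set: ServerSet, intended: Set[Tuple[int, str]]) -> List[str]:
    """Findings for what the set forwards beyond the intended (port, host) pairs."""
    findings = []
    seen: Dict[int, ServerRule] = {}   # port -> rule that already owns it
    for rule in sorted(server_set.rules, key=lambda r: r.index):
        if not rule.active:
            continue
        if rule.end_port < rule.start_port:
            findings.append(f"rule {rule.index:03d}: end port {rule.end_port} is below start port {rule.start_port}")
            continue
        for port in range(rule.start_port, rule.end_port + 1):
            if port in seen:
                findings.append(f"rule {rule.index:03d}: port {port} already taken by rule "
                                f"{seen[port].index:03d}; this rule is shadowed")
                continue
            seen[port] = rule
            if (port, rule.ip) not in intended:
                findings.append(f"rule {rule.index:03d}: forwards port {port} to {rule.ip}, which was not intended")
    if server_set.default_server != NO_SERVER:
        findings.append(f"Default Server {server_set.default_server} receives every inbound port no rule covers")
    return findings


# Constructed from Figure 335: only rule 002 is active.
FIGURE_335 = ServerSet(
    default_server="192.168.1.10",
    rules=(
        ServerRule(1, False, 0, 0, "0.0.0.0"),
        ServerRule(2, True, 21, 25, "192.168.1.33"),
    ),
)

# The services the example meant to publish: FTP, Telnet and SMTP on host A.
INTENDED = {(21, "192.168.1.33"), (23, "192.168.1.33"), (25, "192.168.1.33")}

# Hardened variant: one rule per service and no Default Server.
HARDENED = ServerSet(rules=(
    ServerRule(1, True, 21, 21, "192.168.1.33"),
    ServerRule(2, True, 23, 23, "192.168.1.33"),
    ServerRule(3, True, 25, 25, "192.168.1.33"),
))

if __name__ == "__main__":
    for port in (21, 22, 80):
        print(port, "->", FIGURE_335.resolve(port), "|", HARDENED.resolve(port))
    for line in audit(FIGURE_335, INTENDED):
        print("finding:", line)
    print("hardened findings:", audit(HARDENED, INTENDED))
```

Against the Figure 335 set the audit reports ports 22 and 24 reaching 192.168.1.33 and the Default Server catching everything else; against the hardened set it reports nothing, and an inbound packet for port 80 is discarded rather than delivered to 192.168.1.10. As the note at the start of this chapter says, a firewall rule is still needed before any of this traffic is forwarded from the WAN.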

37.4 General NAT Examples

The following are some examples of NAT configuration.

37.4.1 Internet Access Only

In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.

Figure 332 NAT Example 1

Figure 333 Menu 4: Internet Access & NAT Example

From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in Section 37.4 on page 543. The pre-configured, read-only SUA set selected by the SUA Only option in menus 4 and 11.1.2 is specifically designed to handle this case.

37.4.2 Example 2: Internet Access with a Default Server

Figure 334 NAT Example 2

In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure.

Figure 335 Menu 15.2.1: Specifying an Inside Server

Menu 15.2.1 - NAT Server Setup 

Default Server: 192.168.1.10

Rule Act. Start Port End Port IP Address  
001 No 0 0 0.0.0.0  
002 Yes 21 25 192.168.1.33  
003 No 0 0 0.0.0.0  
004 No 0 0 0.0.0.0  
005 No 0 0 0.0.0.0  
006 No 0 0 0.0.0.0  
007 No 0 0 0.0.0.0  
008 No 0 0 0.0.0.0  
009 No 0 0 0.0.0.0  
010 No 0 0 0.0.0.0 
Select Command= None
Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:

37.4.3 Example 3: Multiple Public IP Addresses With Inside Servers

In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA. Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA. Map the third IGA to an inside web server and mail server. Four rules need to be configured, two bidirectional and two uni-directional as follows.

1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1:1 mapping, giving both local and global IP addresses).
2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
3 Map the other outgoing LAN traffic to IGA3 (Many:1 mapping).
4 You also map your third IGA to the web server and mail server on the LAN. Type Server allows you to specify multiple servers, of different types, to other computers behind NAT on the LAN.

The example situation looks somewhat like this:

Figure 336 NAT Example 3

1 In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.1.2) as shown in Figure 337 on page 546.
2 Then enter 15 from the main menu.
3 Enter 1 to configure the Address Mapping Sets.
4 Enter 1 to begin configuring this new set. Enter a Set Name, choose the Edit Action and then enter 1 for the Select Rule field. Press [ENTER] to confirm.
5 Select Type as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (See Figure 338 on page 547).
6 Repeat the previous step for rules 2 to 4 as outlined above.
7 When finished, menu 15.1.1 should look like as shown in Figure 339 on page 547.

Figure 337 Example 3: Menu 11.1.2

The following figure shows how to configure the first rule.

Figure 338 Example 3: Menu 15.1.1.1

Menu 15.1.1.1 Address Mapping Rule  
Type= One-to-One  
Local IP:  
Start= 192.168.1.10  
End = N/A  
Global IP:  
Start= 10.132.50.1  
End = N/A  
Server Mapping Set= N/A  
Press ENTER to Confirm or ESC to Cancel: 

Figure 339 Example 3: Final Menu 15.1.1

Menu 15.1.1 - Address Mapping Rules
Set Name= Example3
Idx  Local Start IP   Local End IP      Global Start IP   Global End IP   Type
1.   192.168.1.10                       10.132.50.1                       1-1
2.   192.168.1.11                       10.132.50.2                       1-1
3.   0.0.0.0          255.255.255.255   10.132.50.3                       M-1
4.                                      10.132.50.3                       Server
5.
6.
7.
8.
9.
10.
Action= Edit
Select Rule=
Press ENTER to Confirm or ESC to Cancel:

Now configure the IGA3 to map to our web server and mail server on the LAN.

1 Enter 15 from the main menu.
2 Enter 2 to go to menu 15.2.
3 On a ZyWALL with multiple WAN ports, enter 1 or 2 from menu 15.2. Configure the menu as shown in Figure 340 on page 548.

Figure 340 Example 3: Menu 15.2.1
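The following Python is an added example and not code from the ZyXEL manual or from ZyNOS. It serves two passages of this chapter: the rule ordering of Section 37.2.1.3 (the ZyWALL tries rules in Idx order and stops at the first match; empty slots collapse when the set is saved, so a rule typed into slot 9 of a set holding rules 1 to 6 becomes rule 7, and deleting rule 4 moves rules 5 to 7 up), and the Example 3 set, which it resolves for outbound and inbound packets. Types use the screen abbreviations 1-1, M-1, M-1-1 and Server. Taken from this chapter: M-1 rewrites ports while 1-1 and M-1-1 keep them, a Server rule has no Local IP and hands inbound traffic to the menu 15.2 server set, and a Global Start IP of 0.0.0.0 stands for a dynamic WAN address. One assumption is labelled in the code: Many-One-to-One maps the n-th local address to the n-th global address. The misordered set at the end shows why the order matters: with the Many-to-One catch-all first, the FTP servers' own traffic leaves on the shared address with rewritten ports instead of on their reserved IGAs.

```python
"""Address mapping set (menu 15.1.x): first matching rule wins (added example, not ZyNOS code).

Assumption: M-1-1 maps the n-th local address to the n-th global address.
EXAMPLE3 is constructed from Figure 339.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = "0.0.0.0"   # Global Start IP meaning "the dynamic WAN address"


@dataclass(frozen=True)
class MappingRule:
    type: str                          # "1-1", "M-1", "M-1-1" or "Server"
    local_start: Optional[str] = None  # N/A for Server
    local_end: Optional[str] = None    # N/A for 1-1 and Server
    global_start: str = ANY
    global_end: Optional[str] = None   # N/A for 1-1, M-1 and Server

    def local_range(self) -> Tuple[IPv4Address, IPv4Address]:
        lo = IPv4Address(self.local_start)
        return lo, (lo if self.type == "1-1" else IPv4Address(self.local_end))

    def global_range(self) -> Tuple[IPv4Address, IPv4Address]:
        lo = IPv4Address(self.global_start)
        return lo, (IPv4Address(self.global_end) if self.type == "M-1-1" else lo)


class AddressMappingSet:
    SLOTS = 10   # Idx 1..10 on the SMT screen

    def __init__(self, name: str):
        self.name = name
        self.slots: List[Optional[MappingRule]] = [None] * self.SLOTS

    @property
    def rules(self) -> List[MappingRule]:
        return [r for r in self.slots if r is not None]

    def edit(self, idx: int, rule: MappingRule) -> None:
        self.slots[idx - 1] = rule

    def delete(self, idx: int) -> None:
        self.slots[idx - 1] = None

    def confirm(self) -> None:
        """[ENTER] at the bottom saves the set: empty slots collapse and the
        rules are renumbered contiguously from Idx 1 (Section 37.2.1.3)."""
        rules = self.rules
        self.slots = rules + [None] * (self.SLOTS - len(rules))

    def index_of(self, rule: MappingRule) -> int:
        return self.slots.index(rule) + 1

    def outbound(self, src: str) -> Optional[Tuple[str, bool]]:
        """(global address, ports rewritten?) for a LAN source; None if no rule matches."""
        a = IPv4Address(src)
        for r in self.rules:
            if r.type == "Server":
                continue                            # Server rules are inbound only
            lo, hi = r.local_range()
            if not lo <= a <= hi:
                continue
            g_lo, _ = r.global_range()
            if r.type == "M-1":
                return str(g_lo), True
            if r.type == "M-1-1":
                return str(g_lo + (int(a) - int(lo))), False   # same offset (assumption)
            return str(g_lo), False                 # 1-1
        return None

    def inbound(self, dst: str) -> Optional[Tuple[str, str]]:
        """(rule type, local target) for a packet arriving at a global address;
        a Server hit means the menu 15.2 server set picks the host."""
        d = IPv4Address(dst)
        for r in self.rules:
            g_lo, g_hi = r.global_range()
            if r.global_start != ANY and not g_lo <= d <= g_hi:
                continue
            if r.type == "Server":
                return "Server", "menu 15.2 server set"
            if r.type == "M-1":
                continue                            # no inbound path without a Server rule
            lo, _ = r.local_range()
            return r.type, str(lo + (int(d) - int(g_lo)))
        return None


def build(name: str, rules: List[MappingRule]) -> AddressMappingSet:
    s = AddressMappingSet(name)
    for i, r in enumerate(rules, 1):
        s.edit(i, r)
    s.confirm()
    return s


# The four rules of Figure 339 (Set Name Example3), in the order the text gives them.
EXAMPLE3 = [
    MappingRule("1-1", "192.168.1.10", None, "10.132.50.1"),
    MappingRule("1-1", "192.168.1.11", None, "10.132.50.2"),
    MappingRule("M-1", "0.0.0.0", "255.255.255.255", "10.132.50.3"),
    MappingRule("Server", global_start="10.132.50.3"),
]
```

With the rules in the documented order, 192.168.1.10 leaves on 10.132.50.1 with its ports intact and inbound packets for 10.132.50.3 are handed to the server set; swap rule 3 to the front and 192.168.1.10 is translated to 10.132.50.3 with port rewriting, so the reserved IGA is never used and the FTP server is no longer reachable in a way its clients expect.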

37.4.4 Example 4: NAT Unfriendly Application Programs

Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types. The following figure illustrates this.

Figure 341 NAT Example 4


Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won't work through NAT even when using One-to-One and Many-One-to-One mapping types.

Follow the steps outlined in example 3 above to configure these two menus as follows.

Figure 342 Example 4: Menu 15.1.1.1: Address Mapping Rule

Menu 15.1.1.1 Address Mapping Rule  
Type= Many-One-to-One  
Local IP:  
Start= 192.168.1.10  
End = 192.168.1.12  
Global IP:  
Start= 10.132.50.1  
End = 10.132.50.3  
Press ENTER to Confirm or ESC to Cancel: 

After you've configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.

Figure 343 Example 4: Menu 15.1.1: Address Mapping Rules

Menu 15.1.1 - Address Mapping Rules
Set Name= Example4
Idx  Local Start IP   Local End IP      Global Start IP   Global End IP   Type
1.   192.168.1.10     192.168.1.12      10.132.50.1       10.132.50.3     M-1-1
2.
3.
4.
5.
6.
7.
8.
9.
10.
Action= Edit
Select Rule=
Press ENTER to Confirm or ESC to Cancel:

37.5 Trigger Port Forwarding

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address.

Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The ZyWALL records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger" port). When the ZyWALL's WAN port receives a response with a specific port number and protocol ("incoming" port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer's connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.

37.5.1 Two Points To Remember About Trigger Ports

1 Trigger events only happen on data that is coming from inside the ZyWALL and going to the outside.
2 If an application needs a continuous data stream, that port (range) will be tied up so that another computer on the LAN cannot trigger it.

Only one LAN computer can use a trigger port (range) at a time.

Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN interfaces, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup and configure trigger port rules for the first or second WAN interface.

Figure 344 Menu 15.3.1: Trigger Port Setup

The following table describes the fields in this menu.

Table 222 Menu 15.3.1: Trigger Port Setup

Rule: This is the rule index number.
Name: Enter a unique name for identification purposes. You may enter up to 15 characters in this field. All characters are permitted - including spaces.
Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
Incoming Start Port: Enter a port number or the starting port number in a range of port numbers.
Incoming End Port: Enter a port number or the ending port number in a range of port numbers.
Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
Trigger Start Port: Enter a port number or the starting port number in a range of port numbers.
Trigger End Port: Enter a port number or the ending port number in a range of port numbers.
Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
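The following Python is an added example and not code from the ZyXEL manual or from ZyNOS. It implements the trigger port behaviour this section states, with the fields of Table 222: an outbound packet from a LAN host to a rule's trigger port range records that host; inbound packets on the rule's incoming range are then forwarded to it; only one LAN host holds a trigger at a time, so a second host gets nothing until the first releases it; and an inbound packet on a trigger port records nothing, since trigger events only happen on outbound data. The rule values are constructed. The page does not say how the ZyWALL detects that the holder's connection has closed, so the release is driven explicitly here.

```python
"""Trigger port forwarding (menu 15.3.x) as a small state table (added example, not ZyNOS code).

The rule below is constructed. release() stands in for whatever the ZyWALL
does when the holder's connection closes, which this page does not describe.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class TriggerRule:
    name: str              # up to 15 characters (Table 222)
    incoming: PortRange    # ports the WAN server sends the service on
    trigger: PortRange     # ports the LAN client opens first

    def __post_init__(self):
        if not 1 <= len(self.name) <= 15:
            raise ValueError("name must be 1 to 15 characters")
        for lo, hi in (self.incoming, self.trigger):
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range {lo}-{hi}")


def _in(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


class TriggerTable:
    def __init__(self, rules: Iterable[TriggerRule]):
        self.rules = list(rules)
        self.holder: Dict[str, str] = {}   # rule name -> LAN IP currently using it

    def outbound(self, src_lan_ip: str, dst_port: int) -> Optional[Tuple[str, str]]:
        """LAN -> WAN packet. Returns (rule name, 'claimed' or 'busy'), or None if no trigger matched."""
        for r in self.rules:
            if not _in(dst_port, r.trigger):
                continue
            current = self.holder.get(r.name)
            if current is None or current == src_lan_ip:
                self.holder[r.name] = src_lan_ip      # record the requesting host
                return r.name, "claimed"
            return r.name, "busy"                     # another LAN host holds it
        return None

    def inbound(self, dst_port: int) -> Optional[str]:
        """WAN -> LAN packet. LAN IP to forward to, or None when nothing was recorded."""
        for r in self.rules:
            if _in(dst_port, r.incoming):
                return self.holder.get(r.name)
        return None                                   # not a trigger-port service

    def release(self, lan_ip: str) -> None:
        """The holder's connection closed; free every trigger it held."""
        for name, ip in list(self.holder.items()):
            if ip == lan_ip:
                del self.holder[name]


# Constructed rule: the client first connects to port 6970 (trigger); the
# server then sends the stream to ports 7000-7010 (incoming).
RULES = [TriggerRule("media", incoming=(7000, 7010), trigger=(6970, 6970))]

if __name__ == "__main__":
    table = TriggerTable(RULES)
    print(table.outbound("192.168.1.20", 6970))   # ('media', 'claimed')
    print(table.inbound(7005))                     # 192.168.1.20
    print(table.outbound("192.168.1.21", 6970))   # ('media', 'busy')
    table.release("192.168.1.20")
    print(table.outbound("192.168.1.21", 6970))   # ('media', 'claimed')
```

Because `inbound()` only consults the incoming ranges, a packet from the WAN aimed at port 6970 can never plant a LAN address in the table; and because a held rule answers "busy" to every other source, the second host must wait for the release, which is the limitation the note above describes.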

Introducing the ZyWALL Firewall

This chapter shows you how to get started with the ZyWALL firewall.

38.1 Using ZyWALL SMT Menus

From the main menu enter 21 to go to Menu 21 - Filter and Firewall Setup, shown next.

Figure 345 Menu 21: Filter and Firewall Setup

Menu 21 - Filter and Firewall Setup

  1. Filter Setup
  2. Firewall Setup

Enter Menu Selection Number:

38.1.1 Activating the Firewall

Enter option 2 in this menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the web configurator to configure firewall rules.

Menu 21.2 - Firewall Setup

The firewall protects against Denial of Service (DoS) attacks when it is active.

Your network is vulnerable to attacks when the firewall is turned off.

Refer to the User's Guide for details about the firewall default policies.

You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so.

Active: Yes

You can use the Web Configurator to configure the firewall.

Press ENTER to Confirm or ESC to Cancel:

Figure 346 Menu 21.2: Firewall Setup

Configure the firewall rules using the web configurator or CLI commands.

Filter Configuration

This chapter shows you how to create and apply filters.

39.1 Introduction to Filters

Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.

Data filtering screens the data to determine if the packet should be allowed to pass. Data filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the LAN side. Call filtering is used to determine if a packet should be allowed to trigger a call. Remote node call filtering is only applicable when using PPPoE encapsulation. Outgoing packets must undergo data filtering before they encounter call filtering as shown in the following figure.

Figure 347 Outgoing Packet Filtering Process

For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.

39.1.1 The Filter Structure of the ZyWALL

A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.

You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.

Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming telnet sessions. A summary of their filter rules is shown in the figures that follow.

The following figure illustrates the logic flow when executing a filter rule. See also Figure 352 on page 562 for the logic flow when executing an IP filter.

Figure 348 Filter Rule Process


39.2 Configuring a Filter Set

The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.

1 Enter 21 in the main menu to open menu 21.

Figure 349 Menu 21: Filter and Firewall Setup

Menu 21 - Filter and Firewall Setup

  1. Filter Setup
  2. Firewall Setup

Enter Menu Selection Number:

2 Enter 1 to bring up the following menu.

Figure 350 Menu 21.1: Filter Set Configuration

Menu 21.1 - Filter Set Configuration
Filter Set #   Comments            Filter Set #   Comments
     1                                  7
     2                                  8
     3                                  9
     4                                 10
     5                                 11
     6                                 12
Enter Filter Set Number to Configure= 0
Edit Comments= N/A
Press ENTER to Confirm or ESC to Cancel: 

3 Select the filter set you wish to configure (1-12) and press [ENTER].
4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.x - Filter Rules Summary.

This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus.

Table 223 Abbreviations Used in the Filter Rules Summary Menu

FIELD: DESCRIPTION
A: Active. "Y" means the rule is active. "N" means the rule is inactive.
Type: The type of filter rule: "GEN" for Generic, "IP" for TCP/IP.
Filter Rules: These parameters are displayed here.
M: More. "Y" means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete. "N" means there are no more rules to check. You can specify an action to be taken, i.e., forward the packet, drop the packet or check the next rule. For the latter, the next rule is independent of the rule just checked.
m: Action Matched. "F" means to forward the packet immediately and skip checking the remaining rules. "D" means to drop the packet. "N" means to check the next rule.
n: Action Not Matched. "F" means to forward the packet immediately and skip checking the remaining rules. "D" means to drop the packet. "N" means to check the next rule.

The protocol-dependent filter rule abbreviations are listed as follows:

Table 224 Rule Abbreviations Used

ABBREVIATION: DESCRIPTION
IP
  Pr: Protocol
  SA: Source Address
  SP: Source Port number
  DA: Destination Address
  DP: Destination Port number
GEN
  Off: Offset
  Len: Length

Refer to the next section for information on configuring the filter rules.

39.2.1 Configuring a Filter Rule

To configure a filter rule, type its number in Menu 21.1.x - Filter Rules Summary and press [ENTER] to open menu 21.1.x.x for the rule.

To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the ZyWALL will warn you and will not allow you to save.

39.2.2 Configuring a TCP/IP Filter Rule

This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers.

To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.x.x - TCP/IP Filter Rule, as shown next.

Figure 351 Menu 21.1.1.1: TCP/IP Filter Rule

Menu 21.1.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0 IP Source Route= No
Destination: IP Addr=
IP Mask=
Port #
Port # Comp=
Source: IP Addr=
IP Mask=
Port #
Port # Comp=
TCP Estab= N/A
More= No Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel: 

The following table describes how to configure your TCP/IP filter rule.

Table 225 Menu 21.1.1.1: TCP/IP Filter Rule

FIELD: DESCRIPTION
Active: Press [SPACE BAR] and then [ENTER] to select Yes to activate the filter rule or No to deactivate it.
IP Protocol: Protocol refers to the upper layer protocol, e.g., TCP is 6, UDP is 17 and ICMP is 1. Type a value between 0 and 255. A value of 0 matches ANY protocol.
IP Source Route: Press [SPACE BAR] and then [ENTER] to select Yes to apply the rule to packets with an IP source route option. Otherwise the packets must not have a source route option. The majority of IP packets do not have source route.
Destination:
  IP Addr: Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0.
  IP Mask: Enter the IP mask to apply to the Destination: IP Addr.
  Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0.
  Port # Comp: Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, Less and Greater.
Source:
  IP Addr: Enter the source IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0.
  IP Mask: Enter the IP mask to apply to the Source: IP Addr.
  Port #: Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0.
  Port # Comp: Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the source port in the packet against the value given in Source: Port #. Options are None, Equal, Not Equal, Less and Greater.
TCP Estab: This field is applicable only when the IP Protocol field is 6, TCP. Press [SPACE BAR] and then [ENTER] to select Yes to have the rule match packets that want to establish a TCP connection (SYN=1 and ACK=0); if No, it is ignored.
More: Press [SPACE BAR] and then [ENTER] to select Yes or No. If Yes, a matching packet is passed to the next filter rule before an action is taken; if No, the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A.
Log: Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged. Both - All packets will be logged.
Action Matched: Press [SPACE BAR] and then [ENTER] to select the action for a matching packet. Options are Check Next Rule, Forward and Drop.
Action Not Matched: Press [SPACE BAR] and then [ENTER] to select the action for a packet not matching the rule. Options are Check Next Rule, Forward and Drop.
When you have Menu 21.1.1.1 - TCP/IP Filter Rule configured, press [ENTER] at the message “Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.

The following figure illustrates the logic flow of an IP filter.

Figure 352 Executing an IP Filter

39.2.3 Configuring a Generic Filter Rule

This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.

For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyWALL applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4, the value in either field will take 8 digits, for example, FFFFFFFF.

To configure a generic rule, select Generic Filter Rule in the Filter Type field in menu 21.1.x.x and press [ENTER] to open Generic Filter Rule, as shown below.

Figure 353 Menu 21.1.1.1: Generic Filter Rule

Menu 21.1.1.1 - Generic Filter Rule  
Filter #: 1,1  
Filter Type= Generic Filter Rule  
Active= No  
Offset= 0  
Length= 0  
Mask= N/A  
Value= N/A  
More= No Log= None  
Action Matched= Check Next Rule  
Action Not Matched= Check Next Rule  
Press ENTER to Confirm or ESC to Cancel: 

The following table describes the fields in the Generic Filter Rule menu.

Table 226 Generic Filter Rule Menu Fields

FIELD: DESCRIPTION
Filter #: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set.
Filter Type: Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets. Options are Generic Filter Rule and TCP/IP Filter Rule.
Active: Select Yes to turn on the filter rule or No to turn it off.
Offset: Enter the starting byte of the data portion in the packet that you wish to compare. The range for this field is from 0 to 255.
Length: Enter the byte count of the data portion in the packet that you wish to compare. The range for this field is 0 to 8.
Mask: Enter the mask (in hexadecimal notation) to apply to the data portion before comparison.
Value: Enter the value (in hexadecimal notation) to compare with the data portion.
More: If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A.
Log: Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged. Both - All packets will be logged.
Action Matched: Select the action for a packet matching the rule. Options are Check Next Rule, Forward and Drop.
Action Not Matched: Select the action for a packet not matching the rule. Options are Check Next Rule, Forward and Drop.
Once you have completed filling in Menu 21.1.1.1 - Generic Filter Rule, press [ENTER] at the message “Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.

39.3 Example Filter

Let's look at an example to block outside users from accessing the ZyWALL via telnet. Please see our included disk for more example filters.

Figure 354 Telnet Filter Example

1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
2 Enter 1 to open Menu 21.1 - Filter Set Configuration.
3 Enter the index of the filter set you wish to configure (say 3) and press [ENTER].
4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary.
6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.

Figure 355 Example Filter: Menu 21.1.3.1

Menu 21.1.3.1 - TCP/IP Filter Rule  
Filter #: 3,1  
Filter Type= TCP/IP Filter Rule  
Active= Yes  
IP Protocol= 6 IP Source Route= No  
Destination: IP Addr= 0.0.0.0  
IP Mask= 0.0.0.0  
Port#= 23  
Port# Comp= Equal  
Source: IP Addr= 0.0.0.0  
IP Mask= 0.0.0.0  
Port#= 0  
Port# Comp= None  
TCP Estab= No  
More= No Log= None  
Action Matched= Drop  
Action Not Matched= Forward  
Press ENTER to Confirm or ESC to Cancel:  
Press Space Bar to Toggle. 

The port number for the telnet service (TCP) is 23. RFC 1060 (Assigned Numbers) lists the port numbers of well-known services; it has since been obsoleted, and the current assignments are kept in the IANA Service Name and Transport Protocol Port Number Registry.

When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set.

Figure 356 Example Filter Rules Summary: Menu 21.1.3

Menu 21.1.3 - Filter Rules Summary
# A Type Filter Rules                                M m n
- - - - - - - -
    1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F
    2 N
    3 N
    4 N
    5 N
    6 N
Enter Filter Rule Number (1-6) to Configure: 1 

This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6 ) for destination telnet ports ( DP = 23 ).

M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched no matter whether there are more rules to be checked (there aren't in this example).
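The rule semantics described above (fields ignored when 0 or 0.0.0.0, the Port # Comp operators, TCP Estab, More with the two action fields, and generic Mask/Value matching) are compact enough to simulate. The following Python is an added example, not ZyXEL code and not the ZyNOS implementation: it evaluates a filter set against a packet the way Sections 39.2.2 and 39.2.3 describe, using the telnet example of Figure 355 as its first set and a generic EtherType rule as its second. Two points are assumptions rather than statements from the manual: a packet that reaches the end of a set without a Forward or Drop is forwarded, and a chain started with More = Yes in which any rule fails takes the last rule's Action Not Matched. The generic rule also assumes that offset 0 is the first byte of the Ethernet frame.

```python
"""Simulation of how a ZyNOS filter set is evaluated (Menu 21.1.x).
Added example, not ZyXEL code; see the lead-in for what is assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address

FORWARD, DROP, NEXT = "Forward", "Drop", "Check Next Rule"


@dataclass
class Packet:
    proto: int = 0              # IP protocol: 6 = TCP, 17 = UDP, 1 = ICMP
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    source_route: bool = False
    raw: bytes = b""            # frame bytes on the wire, for generic rules


def _addr_match(rule_addr, rule_mask, pkt_addr):
    if rule_addr == "0.0.0.0":                     # "ignored if it is 0.0.0.0"
        return True
    mask = int(IPv4Address(rule_mask))
    return int(IPv4Address(rule_addr)) & mask == int(IPv4Address(pkt_addr)) & mask


def _port_match(comp, rule_port, pkt_port):
    if comp == "None" or rule_port == 0:           # "ignored if it is 0"
        return True
    return {"Equal": pkt_port == rule_port, "Not Equal": pkt_port != rule_port,
            "Less": pkt_port < rule_port, "Greater": pkt_port > rule_port}[comp]


@dataclass
class IPRule:                   # one TCP/IP Filter Rule; leave inactive rules out
    protocol: int = 0                              # 0 matches any protocol
    source_route: bool = False                     # Yes: only source-routed packets
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_comp: str = "None"
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_comp: str = "None"
    tcp_estab: bool = False                        # match only SYN=1, ACK=0
    more: bool = False
    matched: str = NEXT
    not_matched: str = NEXT

    def matches(self, p):
        if (self.protocol and p.proto != self.protocol) or p.source_route != self.source_route:
            return False
        if not (_addr_match(self.dst_addr, self.dst_mask, p.dst)
                and _addr_match(self.src_addr, self.src_mask, p.src)
                and _port_match(self.dst_comp, self.dst_port, p.dport)
                and _port_match(self.src_comp, self.src_port, p.sport)):
            return False
        if self.tcp_estab and self.protocol == 6 and not (p.syn and not p.ack):
            return False
        return True


@dataclass
class GenericRule:              # one Generic Filter Rule: (bytes & Mask) == Value
    offset: int = 0
    length: int = 0
    mask: bytes = b""
    value: bytes = b""
    more: bool = False
    matched: str = NEXT
    not_matched: str = NEXT

    def matches(self, p):
        chunk = p.raw[self.offset:self.offset + self.length]
        if len(chunk) < self.length:
            return False
        return bytes(c & m for c, m in zip(chunk, self.mask)) == self.value


def evaluate(rules, p):
    """Run one packet through a filter set in order; return Forward or Drop."""
    chain_ok = True
    for rule in rules:
        hit = rule.matches(p)
        if rule.more:                              # chain continues, no action yet
            chain_ok = chain_ok and hit
            continue
        action = rule.matched if (chain_ok and hit) else rule.not_matched
        chain_ok = True                            # the next rule is independent
        if action != NEXT:
            return action
    return FORWARD                                 # assumption: end of set forwards


# Filter set 3 of the manual's telnet example (Figure 355): drop TCP to port 23.
TELNET_BLOCK = [IPRule(protocol=6, dst_port=23, dst_comp="Equal",
                       matched=DROP, not_matched=FORWARD)]

# Generic rule, assuming offset 0 is the first byte of the Ethernet frame: drop
# frames whose EtherType (bytes 12-13) is 0x8137, the IPX EtherType.
IPX_BLOCK = [GenericRule(offset=12, length=2, mask=b"\xff\xff", value=b"\x81\x37",
                         matched=DROP, not_matched=FORWARD)]
```

evaluate(TELNET_BLOCK, Packet(proto=6, dport=23)) returns Drop, the same packet with dport=80 returns Forward, and a UDP packet to port 23 is forwarded because Pr=6 does not match, which is exactly what the summary line (Pr=6, DP=23, m=D, n=F) says. Because filters cannot tell an inside host from an outside one by address (Section 39.5), a set like this belongs on the WAN input side; applied to LAN input it would also stop LAN users from telnetting out.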

After you've created the filter set, you must apply it.

1 Enter 11 from the main menu to go to menu 11.
2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile.
3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER].
4 This brings you to menu 11.1.4. Apply a filter set (our example filter set 3) as shown in Figure 360 on page 569.
5 Press [ENTER] to confirm after you enter the set numbers and to leave menu 11.1.4.

39.4 Filter Types and NAT

There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in Section 39.2. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, so the exact address and port that will appear on the wire cannot be known in advance. Therefore, the ZyWALL applies the protocol filters to the "native" IP address and port number: before NAT for outgoing packets and after NAT for incoming packets. In practice this means protocol filter rules must be written in terms of the private (LAN-side) addresses and ports, not the translated public ones. The generic, or device, filters are instead applied to the raw packets that appear on the wire, at the point when the ZyWALL is receiving and sending the packets, i.e. the interface. The interface can be an Ethernet port or any other hardware port. The following diagram illustrates this.

Figure 357 Protocol and Device Filter Sets

39.5 Firewall Versus Filters

Below are some comparisons between the ZyWALL's filtering and firewall functions.

39.5.1 Packet Filtering:

  • The router filters packets as they pass through the router's interface according to the filter rules you designed.
  • Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
  • Packet filtering only checks the header portion of an IP packet.

39.5.1.1 When To Use Filtering

1 To block/allow LAN packets by their MAC addresses.
2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
4 To block/allow IP trace route.

39.5.2 Firewall

  • The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands the data in the packet at every layer, from the network layer (IP headers) up to the application layer.
  • The firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
  • The firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the network session rather than individual packets in a session.
  • The firewall provides an e-mail service to notify you of routine reports and when alerts occur.

39.5.2.1 When To Use The Firewall

1 To prevent DoS attacks and prevent hackers cracking your network.
2 A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required.
3 To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
4 The firewall performs better than filtering if you need to check many rules.
5 Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur.
6 The firewall can block traffic to specific URLs, including ones you expect to see in the future. The URLs are stored in an Access Control List (ACL) database.

39.6 Applying a Filter

This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.


If you do not activate the firewall, it is advisable to apply filters.

39.6.1 Applying LAN Filters

LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11. Input filter sets filter incoming traffic to the ZyWALL and output filter sets filter outgoing traffic from the ZyWALL. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets.

Figure 358 Filtering LAN Traffic
Menu 3.1 - LAN Port Filter Setup  
Input Filter Sets:  
    protocol filters=  
        device filters=  
Output Filter Sets:  
    protocol filters=  
        device filters=  
Press ENTER to Confirm or ESC to Cancel: 

39.6.2 Applying DMZ Filters

DMZ traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 5.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11. Input filter sets filter incoming traffic to the ZyWALL and output filter sets filter outgoing traffic from the ZyWALL. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.

Figure 359 Filtering DMZ Traffic

Menu 5.1 - DMZ Port Filter Setup  
Input Filter Sets:  
    protocol filters=  
        device filters=  
Output Filter Sets:  
    protocol filters=  
        device filters=  
Press ENTER to Confirm or ESC to Cancel: 

39.6.3 Applying Remote Node Filters

Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.

Figure 360 Filtering Remote Node Traffic

Menu 11.1.4 - Remote Node Filter Setup  
Input Filter Sets:  
    protocol filters=  
        device filters=  
Output Filter Sets:  
    protocol filters=  
        device filters=  
Press ENTER to Confirm or ESC to Cancel: 

SNMP Configuration

This chapter explains SNMP configuration menu 22.

40.1 SNMP Configuration

To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The "community" for Get, Set and Trap fields is SNMP terminology for password.

Figure 361 Menu 22: SNMP Configuration
Menu 22 - SNMP Configuration  
SNMP:  
    Get Community= public  
    Set Community= public  
    Trusted Host= 0.0.0.0  
    Trap:  
        Community= public  
        Destination= 0.0.0.0  
Press ENTER to Confirm or ESC to Cancel: 

The following table describes the SNMP configuration parameters.

Table 227 SNMP Configuration Menu Fields

FIELD: DESCRIPTION
Get Community: Type the Get community, which is the password for the incoming Get and GetNext requests from the management station.
Set Community: Type the Set community, which is the password for incoming Set requests from the management station.
Trusted Host: If you enter a trusted host, your ZyWALL will only respond to SNMP messages from this address. A blank (default) field means your ZyWALL will respond to all SNMP messages it receives, regardless of source.
Trap:
  Community: Type the Trap community, which is the password sent with each trap to the SNMP manager.
  Destination: Type the IP address of the station to send your SNMP traps to.
When you have completed this menu, press [ENTER] at the prompt "Press [ENTER] to confirm or [ESC] to cancel" to save your configuration or press [ESC] to cancel and go back to the previous screen.

With the defaults shown in Figure 361 (all three communities set to public, Trusted Host blank) any host that can reach the ZyWALL can read its settings with Get and change them with Set. Community names are also carried in cleartext by SNMPv1 and SNMPv2c, so change the Get and Set communities to distinct non-default values and set Trusted Host to the management station's address before enabling SNMP on an interface that untrusted hosts can reach.
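To see what that "password" amounts to on the wire, the following Python builds an SNMPv1 GetRequest by hand and decodes the community name back out of it. It is an added example, not ZyXEL code; the community name, the OID (sysDescr.0) and the request-id are illustrative, and the default-community check at the end is a detection idea for a packet capture, not a ZyWALL feature.

```python
"""SNMPv1 GetRequest built and decoded by hand, to show that the Get
Community of Menu 22 travels as a cleartext OCTET STRING.
Added example, not ZyXEL code; community name and OID are illustrative."""


def _length(n):
    """BER length octets, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _integer(v):
    size = max(1, (v.bit_length() + 8) // 8)      # leave room for the sign bit
    return _tlv(0x02, v.to_bytes(size, "big", signed=True))


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]                # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                # base 128, high bit = more to come
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER 0, community OCTET STRING,
    GetRequest-PDU [0] { request-id, error-status, error-index, varbinds } }"""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))        # name + NULL value
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def community_of(packet):
    """What a sniffer on the path sees: (version, community) of a v1/v2c message."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, _ = _read_tlv(msg, pos)
    return int.from_bytes(version, "big", signed=True), community.decode()


DEFAULT_COMMUNITIES = {"public", "private"}


def uses_default_community(packet):
    """Detection check over captured SNMP: is a vendor default still in use?"""
    return community_of(packet)[1] in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(pkt.hex())
    print(community_of(pkt), uses_default_community(pkt))
```

The community name sits as a plain OCTET STRING a few bytes into every request, so whoever can capture traffic between the management station and the ZyWALL learns it, and with the Set community can then reconfigure the device. That is why the Trusted Host field and non-default community names matter, and why SNMP management of the ZyWALL belongs on a segment you control.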

40.2 SNMP Traps

The ZyWALL will send traps to the SNMP manager when any one of the following events occurs:

Table 228 SNMP Traps

TRAP #: TRAP NAME: DESCRIPTION
0: coldStart (defined in RFC-1215): A trap is sent after booting (power on).
1: warmStart (defined in RFC-1215): A trap is sent after booting (software reboot).
4: authenticationFailure (defined in RFC-1215): A trap is sent to the manager when receiving any SNMP Get or Set request with the wrong community (password).
6: whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason for the restart before rebooting when the system is going to restart (warm start).
  6a: For intentional reboot: A trap is sent with the message "System reboot by user!" if the reboot is done intentionally (for example, download new files, CI command "sys reboot", etc.).
  6b: For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors.

System Information & Diagnosis

This chapter covers SMT menus 24.1 to 24.4.

41.1 Introduction to System Status

This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities.

Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.

Figure 362 Menu 24: System Maintenance

41.2 System Status

The first selection, System Status, gives you information on the version of your system firmware and the status and statistics of the ports, as shown in the next figure. System Status is a tool that can be used to monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received.

To get to the System Status:

1 Enter number 24 to go to Menu 24 - System Maintenance.
2 In this menu, enter 1 to open Menu 24.1 - System Maintenance - Status.

3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN1 or WAN2 connection, 9 resets the counters and [ESC] takes you back to the previous screen.

Figure 363 Menu 24.1: System Maintenance: Status

Menu 24.1 - System Maintenance - Status                03:13:41 Wed. Dec. 06, 2006
Port   Status     TxPkts  RxPkts  Cols  Tx B/s  Rx B/s  Up Time
WAN1   100M/Full  5863    17802   0     0       128     1:31:14
WAN2   Down       0       0       0     0       0       0:00:00
LAN    100M/Full  7443    9261    0     370     128     1:31:57
WCRD   Down       1       0       0     0       0       0:00:00
DMZ    100M/Full  0       0       0     0       0       1:31:57
WLAN   100M/Full  0       0       0     0       0       1:31:57

Port   Ethernet Address   IP Address     IP Mask         DHCP
WAN1   00:13:49:00:00:02  172.23.37.10   255.255.255.0   Client
WAN2   00:00:00:00:00:00  0.0.0.0        0.0.0.0         None
LAN    00:13:49:00:00:01  192.168.1.1    255.255.255.0   Server
WLAN   00:13:49:00:00:04  0.0.0.0        0.0.0.0         None
DMZ    00:13:49:00:00:03  0.0.0.0        0.0.0.0         None

System up Time: 1:32:02
CARD bridged to: LAN
Press Command:
COMMANDS: 1, 2-Drop WAN1,2   9-Reset Counters   ESC-Exit

The following table describes the fields present in Menu 24.1 - System Maintenance - Status. These fields are READ-ONLY and meant for diagnostic purposes. The upper right corner of the screen shows the time and date according to the format you set in menu 24.10.

Table 229 System Maintenance: Status Menu Fields

FIELD: DESCRIPTION
Port: This field identifies an interface (WAN1, WAN2, LAN, WCRD (wireless LAN card), DMZ or WLAN) on the ZyWALL.
Status: For the LAN, DMZ and WLAN interfaces, this displays the port speed and duplex setting. For the WAN interfaces, it displays the port speed and duplex setting if you're using Ethernet encapsulation, or the remote node name (configured through the SMT) for a PPP connection and Down (line is down or not connected), Idle (line (PPP) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation. For the wireless card, it displays the transmission rate when WLAN is enabled or Down when WLAN is disabled.
TxPkts: This is the number of transmitted packets on this port.
RxPkts: This is the number of received packets on this port.
Cols: This is the number of collisions on this port.
Tx B/s: This field shows the transmission speed in bytes per second on this port.
Rx B/s: This field shows the reception speed in bytes per second on this port.
Up Time: This is the total amount of time the line has been up.
Ethernet Address: This is the MAC address of the port listed on the left.
IP Address: This is the IP address of the port listed on the left.
IP Mask: This is the IP mask of the port listed on the left.
DHCP: This is the DHCP setting of the port listed on the left.
System up Time: This is the total time the ZyWALL has been on.
CARD bridged to: This field shows whether the wireless card is set to be part of the LAN, DMZ or WLAN.
You may enter 1 or 2 to drop the WAN1 or WAN2 connection, 9 to reset the counters or [ESC] to return to menu 24.

41.3 System Information and Console Port Speed

This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed:

1 Enter 24 to go to Menu 24 - System Maintenance.
2 Enter 2 to open Menu 24.2 - System Information and Console Port Speed.
3 From this menu you have two choices as shown in the next figure:

Figure 364 Menu 24.2: System Information and Console Port Speed

Menu 24.2 - System Information and Console Port Speed

  1. System Information

  2. Console Port Speed

Please enter selection:

41.3.1 System Information

System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address, IP address, etc.

Figure 365 Menu 24.2.1: System Maintenance: Information

The following table describes the fields in this screen.

Table 230 Fields in System Maintenance: Information

FIELD: DESCRIPTION
Name: This is the ZyWALL's system name + domain name assigned in menu 1. For example, System Name= xxx; Domain Name= baboo.mickey.com; Name= xxx.baboo.mickey.com
Routing: Refers to the routing protocol used.
ZyNOS F/W Version: Refers to the version of ZyXEL's Network Operating System software.
Country Code: Refers to the country code of the firmware.
LAN:
  Ethernet Address: Refers to the Ethernet MAC (Media Access Control) address of your ZyWALL.
  IP Address: This is the IP address of the ZyWALL in dotted decimal notation.
  IP Mask: This shows the IP mask of the ZyWALL.
  DHCP: This field shows the DHCP setting of the ZyWALL.
When finished viewing, press [ESC] or [ENTER] to exit.

41.3.2 Console Port Speed

You can change the speed of the console port through Menu 24.2.2 - Console Port Speed. Your ZyWALL supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown next.

Figure 366 Menu 24.2.2: System Maintenance: Change Console Port Speed

Menu 24.2.2 - System Maintenance - Change Console Port Speed  
Console Port Speed: 9600  
Press ENTER to Confirm or ESC to Cancel:  
Press Space Bar to Toggle. 

41.4 Log and Trace

There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.

41.4.1 Viewing Error Log

The first place you should look for clues when something goes wrong is the error/trace log. Follow the procedure below to view the local error/trace log:

1 Select option 24 from the main menu to open Menu 24 - System Maintenance.
2 From menu 24, select option 3 to open Menu 24.3 - System Maintenance - Log and Trace.
3 Select the first option from Menu 24.3 - System Maintenance - Log and Trace to display the error log in the system.

After the ZyWALL finishes displaying, you will have the option to clear the error log.

Figure 367 Menu 24.3: System Maintenance: Log and Trace

Menu 24.3 - System Maintenance - Log and Trace 
1. View Error Log  
2. UNIX Syslog 
4. Call-Triggering Packet 
Please enter selection 

Examples of typical error and information messages are presented in the following figure.

Figure 368 Examples of Error and Information Messages

52 Thu Jul 1 05:54:53 2004 PP05 ERROR Wireless LAN init fail, code=15  
53 Thu Jul 1 05:54:53 2004 PINI INFO Channel 0 ok  
54 Thu Jul 1 05:54:56 2004 PP05 -WARN SNMP TRAP 3: interface 3: link up  
55 Thu Jul 1 05:54:56 2004 PP0d INFO LAN promiscuous mode <0>  
57 Thu Jul 1 05:54:56 2004 PP0d INFO LAN promiscuous mode <1>  
58 Thu Jul 1 05:54:56 2004 PINI INFO Last errorlog repeat 1 Times  
59 Thu Jul 1 05:54:56 2004 PINI INFO main: init completed  
60 Thu Jul 1 05:55:26 2004 PSSV -WARN SNMP TRAP 0: cold start  
61 Thu Jul 1 05:56:56 2004 PINI INFO SMT Session Begin  
62 Thu Jul 1 07:50:58 2004 PINI INFO SMT Session End  
63 Thu Jul 1 07:53:28 2004 PINI INFO SMT Session Begin  
Clear Error Log (y/n): 

41.4.2 Syslog Logging

The ZyWALL uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Syslog Logging, as shown next.

Figure 369 Menu 24.3.2: System Maintenance: Syslog Logging

Menu 24.3.2 - System Maintenance - Syslog Logging

Syslog:
Active= No
Syslog Server IP Address = 0.0.0.0
Log Facility = Local 1

Press ENTER to Confirm or ESC to Cancel:

You need to configure the syslog parameters described in the following table to activate syslog then choose what you want to log.

Table 231 System Maintenance Menu Syslog Parameters

FIELD | DESCRIPTION
Syslog: |
Active | Press [SPACE BAR] and then [ENTER] to turn syslog on or off.
Syslog Server IP Address | Enter the server name or IP address of the syslog server that will log the selected categories of logs.
Log Facility | Press [SPACE BAR] and then [ENTER] to select a location. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details.
When finished configuring this screen, press [ENTER] to confirm or [ESC] to cancel.

Your ZyWALL sends five types of syslog messages. Some examples (not all ZyWALL specific) of these syslog messages with their message formats are shown next:

1 CDR

CDR Message Format

SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );  
String = board xx line xx channel xx, call xx, str  
board = the hardware board ID  
line = the WAN ID in a board  
Channel = channel ID within the WAN  
call = the call reference number which starts from 1 and increments by 1 for each new call  
str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.)  
L02 Tunnel Connected(L2TP)  
C02 OutCall Connected xxxx (means connected speed) xxxx (means Remote Call Number)  
L02 Call Terminated  
C02 Call Terminated  
Jul 19 11:19:27 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002
Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002
Jul 19 11:20:06 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 Call Terminated

2 Packet triggered

Packet triggered Message Format

SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String);  
String = Packet trigger: Protocol=xx Data=xxxxxxxxx...x  
Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG)  
Data: We will send forty-eight Hex characters to the server  
Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f7071727374
Jul 19 11:28:56 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4
Jul 19 11:29:06 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d1430135004000077600000

3 Filter log

Filter log Message Format  
SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String);  
String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spi=xxxx dpo=xxxx] S04>R01mD  
IP[...] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).  
Src: Source Address  
Dst: Destination Address  
prot: Protocol ("TCP","UDP","ICMP")  
spo: Source port  
dpo: Destination port
Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[FFFFFFfnordff0080] }S05>R01mF
Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF
Mar 03 11:59:20 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
Mar 03 12:00:52 202.132.155.97 ZyXEL: GEN[FFFFFF0080] }S05>R01mF
Mar 03 12:00:57 202.132.155.97 ZyXEL: GEN[00a0c5f502010080] }S05>R01mF
Mar 03 12:01:06 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 TCP spi=01170 dpo=00021]}S04>R01mF

4 PPP log

PPP Log Message Format  
SdcmdSyslogSend( SYSLOG_PPPLOG, SYSLOG_NOTICE, String );  
String = ppp:Proto Starting / ppp:Proto Opening / ppp:Proto Closing / ppp:Proto Shutdown  
Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP/ PAP / IPCP / IPXCP  
Jul 19 11:42:44 192.168.102.2 ZyXEL: ppp:LCP Closing  
Jul 19 11:42:49 192.168.102.2 ZyXEL: ppp:IPCP Closing  
Jul 19 11:42:54 192.168.102.2 ZyXEL: ppp:CCP Closing 

5 Firewall log

Firewall Log Message Format
SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
buf = IP[Src=xx.xx.xx :spo=xxxx Dst=xx.xx.xx : dpo=xxxx | prot | rule | action]
Src: Source Address
spo: Source port (empty means no source port information)
Dst: Destination Address
dpo: Destination port (empty means no destination port information)
prot: Protocol ("TCP","UDP","ICMP","IGMP","GRE","ESP")
rule: <a,b> where a means "set" number; b means "rule" number.
Action: nothing (N) block (B) forward (F)
08-01-2000 11:48:41 Local1 Notice 192.168.10.10 RAS: FW 172.21.1.80 :137 ->172.21.1.80 :137 |UDP|default permit:<2,0>|B
08-01-2000 11:48:41 Local1 Notice 192.168.10.10 RAS: FW 192.168.77.88 :520 ->192.168.77.88 :520 |UDP|default permit:<2,0>|B
08-01-2000 11:48:39 Local1 Notice 192.168.10.10 RAS: FW 172.21.1.50 ->172.21.1.50 |IGMP<2>|default permit:<2,0>|B
08-01-2000 11:48:39 Local1 Notice 192.168.10.10 RAS: FW 172.21.1.25 ->172.21.1.25 |IGMP<2>|default permit:<2,0>|B
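As an added example, not code from the ZyXEL manual: a Python parser for the Packet trigger, Filter log and Firewall log formats listed above, which also decodes the IPv4 header and the TCP/UDP ports carried in a Packet trigger's Data field, so the packet that triggered a dial-out or a drop can be read without the hex dump. The sample lines are constructed from the examples on this page; the regular expressions and the Event structure are my reading of the formats, not anything ZyXEL ships.

```python
import re
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, assembled from the message examples on this page.
SAMPLE_LINES = [
    "Jul 19 11:28:56 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, "
    "Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4",
    "Mar 03 12:01:06 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 TCP spi=01170 dpo=00021]}S04>R01mF",
    "Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF",
    "08-01-2000 11:48:41 Local1 Notice 192.168.10.10 RAS: FW 172.21.1.80 :137 ->172.21.1.80 :137 |UDP|default permit:<2,0>|B",
    "08-01-2000 11:48:39 Local1 Notice 192.168.10.10 RAS: FW 172.21.1.50 ->172.21.1.50 |IGMP<2>|default permit:<2,0>|B",
]

# Packet trigger: "Protocol=xx Data=<hex>"; Protocol 1 means the Data bytes are an IP packet.
TRIGGER_RE = re.compile(r"Packet Trigger: Protocol=(?P<proto>\d+),\s*Data=(?P<data>[0-9a-fA-F]+)")
# Filter log: IP[Src=.. Dst=.. prot spo=.. dpo=..]S04>R01mD (the page's sample writes "spi" for the source port).
FILTER_RE = re.compile(
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<prot>[A-Z]+)"
    r"(?: sp[oi]=(?P<spo>\d+) dpo=(?P<dpo>\d+))?\]\}?S(?P<set>\d+)>R(?P<num>\d+)m(?P<action>[A-Z])"
)
# Firewall log: FW Src[:spo] ->Dst[:dpo] |prot|rule<a,b>|action, where action is N, B or F.
FW_RE = re.compile(
    r"FW\s+(?P<src>[\d.]+)\s*(?::(?P<spo>\d+))?\s*->\s*(?P<dst>[\d.]+)\s*(?::(?P<dpo>\d+))?\s*\|"
    r"(?P<prot>[A-Z]+)(?:<\d+>)?\|(?P<rule>[^|]*)<(?P<set>\d+),(?P<num>\d+)>\|(?P<action>[NBF])"
)
IP_PROTO = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}


@dataclass
class Event:
    kind: str                     # "packet_trigger", "filter" or "firewall"
    src: str
    dst: str
    prot: str
    spo: Optional[int] = None
    dpo: Optional[int] = None
    rule: Optional[str] = None    # "set,rule" as written in the log
    action: Optional[str] = None  # D/F for filter logs, N/B/F for firewall logs
    extra: str = ""


def decode_trigger_packet(protocol: int, data_hex: str) -> Event:
    """Decode the IPv4 header (and the first transport bytes) carried in a Packet trigger message."""
    raw = bytes.fromhex(data_hex)
    if protocol != 1 or len(raw) < 20:
        return Event("packet_trigger", "?", "?", f"proto{protocol}", extra="non-IP or truncated")
    ver_ihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    payload = raw[(ver_ihl & 0x0F) * 4:]          # skip the header, IP options included
    ev = Event("packet_trigger", socket.inet_ntoa(src), socket.inet_ntoa(dst),
               IP_PROTO.get(proto, str(proto)), extra=f"ttl={ttl}")
    if proto in (6, 17) and len(payload) >= 4:
        ev.spo, ev.dpo = struct.unpack("!HH", payload[:4])
        if proto == 6 and len(payload) >= 14:      # TCP flags live in byte 13 of the TCP header
            ev.extra += f" tcp_flags=0x{payload[13] & 0x3F:02x}"
    elif proto == 1 and payload:
        ev.extra += f" icmp_type={payload[0]}"
    return ev


def parse_line(line: str) -> Optional[Event]:
    """Classify one syslog line; returns None for formats not handled here (CDR, PPP log)."""
    m = TRIGGER_RE.search(line)
    if m:
        return decode_trigger_packet(int(m["proto"]), m["data"])
    m = FILTER_RE.search(line)
    if m:
        return Event("filter", m["src"], m["dst"], m["prot"],
                     int(m["spo"]) if m["spo"] else None, int(m["dpo"]) if m["dpo"] else None,
                     rule=f"{int(m['set'])},{int(m['num'])}", action=m["action"])
    m = FW_RE.search(line)
    if m:
        return Event("firewall", m["src"], m["dst"], m["prot"],
                     int(m["spo"]) if m["spo"] else None, int(m["dpo"]) if m["dpo"] else None,
                     rule=f"{m['set']},{m['num']}", action=m["action"],
                     extra=m["rule"].strip().rstrip(":"))   # rule name, e.g. "default permit"
    return None


def parse_lines(lines: List[str]) -> List[Event]:
    return [ev for ev in (parse_line(ln) for ln in lines) if ev is not None]


def denied_events(events: List[Event]) -> List[Event]:
    """Events the ZyWALL dropped (filter 'D') or blocked (firewall 'B'): the ones worth alerting on."""
    return [ev for ev in events if (ev.kind, ev.action) in (("filter", "D"), ("firewall", "B"))]


if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES):
        print(event)
```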

41.4.3 Call-Triggering Packet

Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.

Figure 370 Call-Triggering Packet Example

41.5 Diagnostic

The diagnostic facility allows you to test the different aspects of your ZyWALL to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your system, as shown next. Not all fields are available on all models.

Follow the procedure below to get to Menu 24.4 - System Maintenance - Diagnostic.

1 From the main menu, select option 24 to open Menu 24 - System Maintenance.
2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.

Figure 371 Menu 24.4: System Maintenance: Diagnostic

41.5.1 WAN DHCP

DHCP functionality can be enabled on the LAN or WAN as shown in Figure 372 on page 583. LAN DHCP has already been discussed. The ZyWALL can act either as a WAN DHCP client (the IP Address Assignment field in menu 4 or menu 11.x.2 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet) or as None (when you have a static IP). The WAN Release and Renewal fields in menu 24.4 conveniently allow you to release and/or renew the assigned WAN IP address, subnet mask and default gateway in a fashion similar to winipcfg.

Figure 372 WAN & LAN DHCP

The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections.

Table 232 System Maintenance Menu Diagnostic

FIELD | DESCRIPTION
Ping Host | Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below.
WAN DHCP Release | Enter 2 to release your WAN DHCP settings.
WAN DHCP Renewal | Enter 3 to renew your WAN DHCP settings.
PPPoE/PPTP/3G Setup Test | Enter 4 to test the Internet setup. You can also test the Internet setup in Menu 4 - Internet Access. Please refer to Chapter 31 on page 503 for more details. This feature is only available for a 3G connection or dial-up connections using PPPoE or PPTP encapsulation.
Reboot System | Enter 11 to reboot the ZyWALL.
WAN | If you entered 2, 3 or 4 in the Enter Menu Selection Number field, enter the number of the WAN interface in this field.
Host IP Address | If you entered 1 in the Enter Menu Selection Number field, then enter the IP address of the computer you want to ping in this field.
Enter the number of the selection you would like to perform or press [ESC] to cancel.

Firmware and Configuration File Maintenance

This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.

42.1 Introduction

Use the instructions in this chapter to change the ZyWALL's configuration file or upgrade its firmware. After you configure your ZyWALL, you can back up the configuration file to a computer. That way, if you later misconfigure the ZyWALL, you can upload the backed-up configuration file to return to your previous settings. You can alternately upload the factory default configuration file if you want to return the ZyWALL to the original default settings. The firmware determines the ZyWALL's available features and functionality. You can download new firmware releases from your nearest ZyXEL FTP site to upgrade your ZyWALL.

42.2 Filename Conventions

The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a "rom" filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing.

ZyNOS (ZyXEL Network Operating System sometimes referred to as the "ras" file) is the system firmware and has a "bin" filename extension. With many FTP and TFTP clients, the filenames are similar to those seen next.

ftp> put firmware.bin ras

This is a sample FTP session showing the transfer of the computer file " firmware.bin" to the ZyWALL.

ftp> get rom-0 config.cfg

This is a sample FTP session saving the current configuration to the computer file "config.cfg".

If your (T)FTP client does not allow you to have a destination filename different than the source, you will need to rename them as the ZyWALL only recognizes "rom-0" and "ras". Be sure you keep unaltered copies of both files for later use.

The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version. The AT command is the command you enter after you press "y" when prompted in the SMT menu to go into debug mode.

Table 233 Filename Conventions

FILE TYPE | INTERNAL NAME | EXTERNAL NAME | DESCRIPTION
Configuration File | Rom-0 | *.rom | This is the configuration filename on the ZyWALL. Uploading the rom-0 file replaces the entire ROM file system, including your ZyWALL configurations, system-related data (including the default password), the error log and the trace log.
Firmware | Ras | *.bin | This is the generic name for the ZyNOS firmware on the ZyWALL.

42.3 Backup Configuration

The ZyWALL displays different messages explaining different ways to back up, restore and upload files in menus 24.5, 24.6, 24.7.1 and 24.7.2 depending on whether you use the console port or Telnet.

Option 5 from Menu 24 - System Maintenance allows you to back up the current ZyWALL configuration to your computer. Backup is highly recommended once your ZyWALL is functioning properly. FTP is the preferred method for backing up your current configuration to your computer since it is faster. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the download/upload, and you don't have to rename the files.

Please note that terms "download" and "upload" are relative to the computer. Download means to transfer from the ZyWALL to the computer, while upload means from your computer to the ZyWALL.

42.3.1 Backup Configuration

Follow the instructions as shown in the next screen.

Figure 373 Telnet into Menu 24.5

Menu 24.5 - Backup Configuration

To transfer the configuration file to your workstation, follow the procedure below: 
  1. Launch the FTP client on your workstation.
  2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  3. Locate the 'rom-0' file.
  4. Type 'get rom-0' to back up the current router configuration to your workstation.

For details on FTP commands, please consult the documentation of your FTP client program. For details on backup using TFTP (note that you must remain in this menu to back up using TFTP), please see your router manual.

Press ENTER to Exit:

42.3.2 Using the FTP Command from the Command Line

1 Launch the FTP client on your computer.
2 Enter "open", followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is "1234").
5 Enter "bin" to set transfer mode to binary.
6 Use "get" to transfer files from the ZyWALL to the computer, for example, "get rom-0 config.rom" transfers the configuration file on the ZyWALL to your computer and renames it "config.rom". See earlier in this chapter for more information on filename conventions.
7 Enter "quit" to exit the ftp prompt.

42.3.3 Example of FTP Commands from the Command Line

Figure 374 FTP Session Example

331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit

42.3.4 GUI-based FTP Clients

The following table describes some of the commands that you may see in GUI-based FTP clients.

Table 234 General Commands for GUI-based FTP Clients

COMMAND | DESCRIPTION
Host Address | Enter the address of the host server.
Login Type | Anonymous. This is when a user I.D. and password is automatically supplied to the server for anonymous access. Anonymous logins will work only if your ISP or service administrator has enabled this option. Normal. The server requires a unique User ID and Password to login.
Transfer Type | Transfer files in either ASCII (plain text format) or in binary mode. Configuration and firmware files should be transferred in binary mode.
Initial Remote Directory | Specify the default remote directory (path).
Initial Local Directory | Specify the default local directory (path).

42.3.5 File Maintenance Over WAN

TFTP, FTP and Telnet over the WAN will not work when:

1 The firewall is active (turn the firewall off in menu 21.2 or create a firewall rule to allow access from the WAN).
2 You have disabled Telnet service in menu 24.11.
3 You have applied a filter in menu 3.1 (LAN) or in menu 11.5 (WAN) to block Telnet service.
4 The IP you entered in the Secure Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately.
5 You have an SMT console session running.

42.3.6 Backup Configuration Using TFTP

The ZyWALL supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended.

To use TFTP, your computer must have both telnet and TFTP clients. To backup the configuration file, follow the procedure shown next.

1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance.
3 Enter command "sys stdio 0" to disable the SMT timeout, so the TFTP transfer will not be interrupted. Enter command "sys stdio 5" to restore the five-minute SMT timeout (default) when the file transfer is complete.

4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer.
5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file name for the configuration file is "rom-0" (rom-zero, not capital o).

Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program. For UNIX, use "get" to transfer from the ZyWALL to the computer and "binary" to set binary transfer mode.

42.3.7 TFTP Command Example

The following is an example TFTP command:

tftp [-i] host get rom-0 config.rom

Where "i" specifies binary image transfer mode (use this mode when transferring binary files), "host" is the ZyWALL IP address, "get" transfers the file source on the ZyWALL (rom-0, name of the configuration file on the ZyWALL) to the file destination on the computer and renames it config.rom.

42.3.8 GUI-based TFTP Clients

The following table describes some of the fields that you may see in GUI-based TFTP clients.

Table 235 General Commands for GUI-based TFTP Clients

COMMAND | DESCRIPTION
Host | Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL's default IP address when shipped.
Send/Fetch | Use "Send" to upload the file to the ZyWALL and "Fetch" to back up the file on your computer.
Local File | Enter the path and name of the firmware file (.bin extension) or configuration file (.rom extension) on your computer.
Remote File | This is the filename on the ZyWALL. The filename for the firmware is "ras" and for the configuration file, is "rom-0".
Binary | Transfer the file in binary mode.
Abort | Stop transfer of the file.

Refer to Section 42.3.5 on page 588 to read about configurations that disallow TFTP and FTP over WAN.

42.3.9 Backup Via Console Port

Back up configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar.

1 Display menu 24.5 and enter "y" at the following screen.

Figure 375 System Maintenance: Backup Configuration

Ready to backup Configuration via Xmodem. Do you want to continue (y/n): 

2 The following screen indicates that the Xmodem download has started.

Figure 376 System Maintenance: Starting Xmodem Download Screen

You can enter ctrl-x to terminate operation any time. Starting XMODEM download... 

3 Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen.

Figure 377 Backup Configuration Example

Figure 378 Successful Backup Confirmation Screen

Type a location for storing the configuration file or click Browse to look for one.

Choose the Xmodem protocol.

Then click Receive.

4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.

** Backup Configuration completed. OK.
#### Hit any key to continue.#####

42.4 Restore Configuration

This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring the previously backed-up configuration; please do not attempt to restore unless you have a backup configuration file stored on disk.

FTP is the preferred method for restoring a configuration file from your computer to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.

WARNING!

Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. When the Restore Configuration process is complete, the ZyWALL will automatically restart.

For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter.

Figure 379 Telnet into Menu 24.6

Menu 24.6 -- System Maintenance - Restore Configuration

To transfer the firmware and configuration file to your workstation, follow the procedure below:

  1. Launch the FTP client on your workstation.
  2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  3. Type "put backupfilename rom-0" where backupfilename is the name of your backup configuration file on your workstation and rom-0 is the remote file name on the router. This restores the configuration to your router.
  4. The system reboots automatically after a successful file transfer. For details on FTP commands, please consult the documentation of your FTP client program.

For details on backup using TFTP (note that you must remain in this menu to back up using TFTP), please see your router manual.

Press ENTER to Exit:

1 Launch the FTP client on your computer.
2 Enter "open", followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is "1234").
5 Enter "bin" to set transfer mode to binary.
6 Find the "rom" file (on your computer) that you want to restore to your ZyWALL.
7 Use "put" to transfer files from the computer to the ZyWALL, for example, "put config.rom rom-0" transfers the configuration file "config.rom" on your computer to the ZyWALL. See earlier in this chapter for more information on filename conventions.

8 Enter "quit" to exit the ftp prompt. The ZyWALL will automatically restart after a successful restore process.

42.4.2 Restore Using FTP Session Example

Figure 380 Restore Using FTP Session Example

ftp> put config.rom rom-0  
200 Port command okay  
150 Opening data connection for STOR rom-0  
226 File received OK  
221 Goodbye for writing flash  
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.  
ftp>quit 

Refer to Section 42.3.5 on page 588 to read about configurations that disallow TFTP and FTP over WAN.

Restore configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar.

1 Display menu 24.6 and enter "y" at the following screen.

Figure 381 System Maintenance: Restore Configuration

Ready to restore Configuration via Xmodem. Do you want to continue (y/n): 

2 The following screen indicates that the Xmodem download has started.

Figure 382 System Maintenance: Starting Xmodem Download Screen

Starting XMODEM download (CRC mode) ...CCCCCCCCCC 

3 Run the HyperTerminal program by clicking Transfer, then Send File as shown in the following screen.

Figure 383 Restore Configuration Example

Figure 384 Successful Restoration Confirmation Screen

4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.

Save to ROM Hit any key to start system reboot. 

42.5 Uploading Firmware and Configuration Files

This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure in Section 42.4 on page 590 or by following the instructions in Menu 24.7.2 - System Maintenance - Upload System Configuration File (for console port).

WARNING!
Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL.

42.5.1 Firmware File Upload

FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client.

When you telnet into the ZyWALL, you will see the following screens for uploading firmware and the configuration file using FTP.

Figure 385 Telnet Into Menu 24.7.1:Upload System Firmware

Menu 24.7.1 - System Maintenance - Upload System Firmware

To upload the system firmware, follow the procedure below:

  1. Launch the FTP client on your workstation.
  2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
  3. Type "put firmwarefilename ras" where "firmwarefilename" is the name of your firmware upgrade file on your workstation and "ras" is the remote file name on the system.
  4. The system reboots automatically after a successful firmware upload.

For details on FTP commands, please consult the documentation of your FTP client program. For details on uploading system firmware using TFTP (note that you must remain on this menu to upload system firmware using TFTP), please see your manual.

Press ENTER to Exit:

42.5.2 Configuration File Upload

You see the following screen when you telnet into menu 24.7.2.

Figure 386 Telnet Into Menu 24.7.2: System Maintenance

Menu 24.7.2 - System Maintenance - Upload System Configuration File

To upload the system configuration file, follow the procedure below:

  1. Launch the FTP client on your workstation.
  2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
  3. Type "put configurationfilename rom-0" where "configurationfilename" is the name of your system configuration file on your workstation, which will be transferred to the "rom-0" file on the system.
  4. The system reboots automatically after the upload system configuration file process is complete.

For details on FTP commands, please consult the documentation of your FTP client program. For details on uploading configuration file using TFTP (note that you must remain on this menu to upload configuration file using TFTP), please see your manual.

Press ENTER to Exit:

To upload the firmware and the configuration file, follow these examples.

42.5.3 FTP File Upload Command from the DOS Prompt Example

1 Launch the FTP client on your computer.
2 Enter "open", followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is "1234").
5 Enter "bin" to set transfer mode to binary.
6 Use "put" to transfer files from the computer to the ZyWALL, for example, "put firmware.bin ras" transfers the firmware on your computer (firmware.bin) to the ZyWALL and renames it "ras". Similarly, "put config.rom rom-0" transfers the configuration file on your computer (config.rom) to the ZyWALL and renames it "rom-0". Likewise "get rom-0 config.rom" transfers the configuration file on the ZyWALL to your computer and renames it "config.rom." See earlier in this chapter for more information on filename conventions.
7 Enter "quit" to exit the ftp prompt.

42.5.4 FTP Session Example of Firmware File Upload

Figure 387 FTP Session Example of Firmware File Upload

331 Enter PASS command  
Password:  
230 Logged in  
ftp> bin  
200 Type I OK  
ftp> put firmware.bin ras  
200 Port command okay  
150 Opening data connection for STOR ras  
226 File received OK  
ftp: 1103936 bytes sent in 1.10Seconds  
297.89Kbytes/sec.  
ftp> quit 

More commands (found in GUI-based FTP clients) are listed earlier in this chapter.

Refer to Section 42.3.5 on page 588 to read about configurations that disallow TFTP and FTP over WAN.

42.5.5 TFTP File Upload

The ZyWALL also supports the uploading of firmware files using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended.

To use TFTP, your computer must have both telnet and TFTP clients. To transfer the firmware and the configuration file, follow the procedure shown next.

1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.

2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 - System Maintenance.
3 Enter the command "sys stdio 0" to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command "sys stdio 5" to restore the five-minute console timeout (default) when the file transfer is complete.
4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer.
5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file name for the firmware is "ras".

Note that the telnet connection must be active and the ZyWALL in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program. For UNIX, use "get" to transfer from the ZyWALL to the computer, "put" the other way around, and "binary" to set binary transfer mode.

42.5.6 TFTP Upload Command Example

The following is an example TFTP command:

tftp [-i] host put firmware.bin ras

Where "i" specifies binary image transfer mode (use this mode when transferring binary files), "host" is the ZyWALL's IP address, "put" transfers the file source on the computer (firmware.bin - name of the firmware on the computer) to the file destination on the remote host (ras - name of the firmware on the ZyWALL).

Commands that you may see in GUI-based TFTP clients are listed earlier in this chapter.

42.5.7 Uploading Via Console Port

FTP or TFTP are the preferred methods for uploading firmware to your ZyWALL. However, in the event of your network being down, uploading files is only possible with a direct connection to your ZyWALL via the console port. Uploading files via the console port under normal conditions is not recommended since FTP or TFTP is faster. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the download/upload.

42.5.8 Uploading Firmware File Via Console Port

1 Select 1 from Menu 24.7 - System Maintenance - Upload Firmware to display Menu 24.7.1 - System Maintenance - Upload System Firmware, and then follow the instructions as shown in the following screen.

Figure 388 Menu 24.7.1 As Seen Using the Console Port

2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure for other serial communications programs should be similar.

42.5.9 Example Xmodem Firmware Upload Using HyperTerminal

Click Transfer, then Send File to display the following screen.

Figure 389 Example Xmodem Upload

After the firmware upload process has completed, the ZyWALL will automatically restart.

42.5.10 Uploading Configuration File Via Console Port

1 Select 2 from Menu 24.7 - System Maintenance - Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen.

Figure 390 Menu 24.7.2 As Seen Using the Console Port

2 After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The procedure for other serial communications programs should be similar.
3 Enter "atgo" to restart the ZyWALL.

42.5.11 Example Xmodem Configuration Upload Using HyperTerminal

Click Transfer, then Send File to display the following screen.

Figure 391 Example Xmodem Upload

After the configuration upload process has completed, restart the ZyWALL by entering "atgo".

System Maintenance Menus 8 to 10

This chapter leads you through SMT menus 24.8 to 24.10.

43.1 Command Interpreter Mode

The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or zyxel.com for more detailed information on CI commands. Enter 8 from Menu 24 - System Maintenance.

Figure 392 Command Mode in Menu 24

Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.

Menu 24 - System Maintenance

  1. System Status
  2. System Information and Console Port Speed
  3. Log and Trace
  4. Diagnostic
  5. Backup Configuration
  6. Restore Configuration
  7. Upload Firmware
  8. Command Interpreter Mode
  9. Call Control
  10. Time and Date Setting
  11. Remote Management Setup

Enter Menu Selection Number:

43.1.1 Command Syntax

The command keywords are in courier new font.

Enter the command keywords exactly as shown, do not abbreviate.

The required fields in a command are enclosed in angle brackets <> .

The optional fields in a command are enclosed in square brackets [ ] .

The | symbol means "or".

For example,

sys filter netbios config

means that you must specify the type of netbios filter and whether to turn it on or off.

43.1.2 Command Usage

A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.

Figure 393 Valid Commands

Copyright (c) 1994 - 2006 ZyXEL Communications Corp.  
ras> ?  
Valid commands are:  
sys ls exit device  
ether poe pptp aux  
config wlan ip ipsec  
ppp bridge bm certificates  
cnm 8021x radius radserv  
ras> 

The following table describes some commands in this screen.

Table 236 Valid Commands

| COMMAND | DESCRIPTION |
|---|---|
| sys | The system commands display device information and configure device settings. |
| ls | The load sharing commands allow you to configure load balancing. |
| exit | This command returns you to the SMT main menu. |
| device | The device commands deal with the dial backup connection. |
| ether | These commands display Ethernet information and configure Ethernet settings. |
| poe | These commands deal with PPPoE connections. |
| pptp | These commands deal with PPTP connections. |
| aux | These commands display dial backup information and control dial backup connections. |
| config | These commands configure firewall and anti-spam settings. |
| ip | These commands display IP information and configure IP settings. |
| ipsec | These commands display IPSec information and configure IPSec settings. |
| bridge | These commands display bridge information. |
| bm | These commands configure bandwidth management settings and display bandwidth management information. |
| idp | These commands configure intrusion detection and prevention settings. |
| av | These commands configure anti-virus settings. |
| as | These commands configure anti-spam settings. |
| certificates | These commands display certificate information and configure certificate settings. |
| 8021x | These commands configure 802.1x settings and display 802.1x information. |
| radius | These commands display RADIUS information and configure RADIUS settings. |

43.2 Call Control Support

The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1.

The budget management function allows you to set a limit on the total outgoing call time of the ZyWALL within certain times. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.

Call history chronicles preceding incoming and outgoing calls.

To access the call control menu, select option 9 in menu 24 to go to Menu 24.9 - System Maintenance - Call Control, as shown in the next table.

Figure 394 Call Control

Menu 24.9 - System Maintenance - Call Control

  1. Budget Management
  2. Call History

Enter Menu Selection Number:

43.2.1 Budget Management

Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Not all fields are available on all models.

Figure 395 Budget Management

The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control. You can reset the accumulated connection time in this menu by entering the index of a remote node. Enter 0 to update the screen. The budget and the reset period can be configured in menu 11.1 for the remote node.

Table 237 Budget Management

| FIELD | DESCRIPTION | EXAMPLE |
|---|---|---|
| Remote Node | Enter the index number of the remote node you want to reset (just one in this case). | 1 |
| Connection Time/Total Budget | This is the total connection time that has gone by (within the allocated budget that you set in menu 11.1). | 5/10 means that 5 minutes out of a total allocation of 10 minutes have lapsed. |
| Elapsed Time/Total Period | The period is the time cycle in hours after which the allocated budget is reset (see menu 11.1). The elapsed time is the time used up within this period. | 0.5/1 means that 30 minutes out of the 1-hour time period have lapsed. |

Enter “0” to update the screen or press [ESC] to return to the previous screen.
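The budget rules stated above (a total budget and a reset period per remote node, the current call dropped and further calls blocked once the budget is used up, everything reset after each period, and 0 minutes / 0 hours meaning no control) are small enough to model end to end. The following Python class is an added illustration, not ZyXEL code; the minute-by-minute accounting, the decision to drop the call the moment the budget is reached, and the assumption that clearing the connection time in Menu 24.9.1 also lifts the block are mine.

```python
from dataclasses import dataclass, field


@dataclass
class CallBudget:
    """Budget accounting for one remote node, using the values set in menu 11.1
    (Allocated Budget(min) and Period(hr)) and displayed in Menu 24.9.1."""
    budget_min: int            # Allocated Budget(min); 0 = no budget control
    period_hr: int             # Period(hr); 0 = no budget control
    connection_min: int = 0    # Connection Time: minutes used in this period
    elapsed_min: int = 0       # Elapsed Time within the period, kept in minutes
    call_up: bool = False
    blocked: bool = False      # outgoing calls blocked until the period resets
    events: list = field(default_factory=list)

    @property
    def controlled(self) -> bool:
        """A budget of 0 minutes or a period of 0 hours means no budget control."""
        return self.budget_min > 0 and self.period_hr > 0

    def place_call(self) -> bool:
        """Attempt an outgoing call; False when the exhausted budget blocks it."""
        if self.controlled and self.blocked:
            return False
        self.call_up = True
        return True

    def hang_up(self) -> None:
        self.call_up = False

    def advance(self, minutes: int) -> None:
        """Move the clock forward one minute at a time, so that a budget drop and
        a period reset falling inside one call to advance() are applied in order.
        Interpretation (mine): the call is dropped as soon as the budget is used up."""
        for _ in range(minutes):
            if self.call_up:
                self.connection_min += 1
            if not self.controlled:
                continue
            self.elapsed_min += 1
            if self.call_up and self.connection_min >= self.budget_min:
                self.call_up = False
                self.blocked = True
                self.events.append("call dropped after %d min" % self.connection_min)
            if self.elapsed_min >= self.period_hr * 60:
                self.connection_min = 0   # "After each period, the total budget is reset."
                self.elapsed_min = 0
                self.blocked = False
                self.events.append("period reset")

    def reset_connection_time(self) -> None:
        """What entering the remote node index in Menu 24.9.1 does: clear the
        accumulated connection time. Assumption: this also lifts the block."""
        self.connection_min = 0
        self.blocked = False

    def display(self):
        """The two counters as Menu 24.9.1 shows them, e.g. ('5/10', '0.5/1')."""
        return ("%d/%d" % (self.connection_min, self.budget_min),
                "%g/%g" % (self.elapsed_min / 60, self.period_hr))


if __name__ == "__main__":
    node = CallBudget(budget_min=10, period_hr=1)   # constructed values
    node.place_call()
    node.advance(30)
    print(node.display(), node.events)   # ('10/10', '0.5/1') ['call dropped after 10 min']
```

Running the walk-through with a 10-minute budget and a 1-hour period shows the three states the table describes: the counters climb, the call is dropped and new calls refused once 10/10 is reached, and after 60 minutes the period resets and calls are allowed again.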

43.2.2 Call History

This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.

Figure 396 Call History

The following table describes the fields in this screen.

Table 238 Call History

| FIELD | DESCRIPTION |
|---|---|
| Phone Number | The PPPoE service names are shown here. |
| Dir | This shows whether the call was incoming or outgoing. |
| Rate | This is the transfer rate of the call. |
| #call | This is the number of calls made to or received from that telephone number. |
| Max | This is the length of time of the longest telephone call. |
| Min | This is the length of time of the shortest telephone call. |
| Total | This is the total length of time of all the telephone calls to/from that telephone number. |

You may enter an entry number to delete it or “0” to exit.

43.3 Time and Date Setting

The ZyWALL's Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL. Menu 24.10 allows you to update the time and date settings of your ZyWALL. The real time is then displayed in the ZyWALL error logs and firewall logs.

Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next.

Figure 397 Menu 24: System Maintenance

Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your ZyWALL as shown in the following screen.

Figure 398 Menu 24.10 System Maintenance: Time and Date Setting

The following table describes the fields in this screen.

Table 239 Menu 24.10 System Maintenance: Time and Date Setting

| FIELD | DESCRIPTION |
|---|---|
| Time Protocol | Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC-868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC-1305), is similar to Time (RFC-868). Select Manual to enter the new time and new date manually. |
| Time Server Address | Enter the IP address or domain name of your timeserver. Check with your ISP/network administrator if you are unsure of this information. |
| Current Time | This field displays an updated time only when you reenter this menu. |
| New Time | Enter the new time in hour, minute and second format. This field is available when you select Manual in the Time Protocol field. |
| Current Date | This field displays an updated date only when you reenter this menu. |
| New Date | Enter the new date in year, month and day format. This field is available when you select Manual in the Time Protocol field. |
| Time Zone | Press [SPACE BAR] and then [ENTER] to set the time difference between your time zone and Greenwich Mean Time (GMT). |
| Daylight Saving | Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daylight time in the evenings. If you use daylight saving time, choose Yes. |
| Start Date (mm-nth-week-hr) | Configure the day and time when Daylight Saving Time starts if you selected Yes in the Daylight Saving field. The hr field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Apr., 1st, Sun. and type 02 in the hr field. Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Mar., Last, Sun. The time you type in the hr field depends on your time zone. In Germany, for instance, you would type 02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). |
| End Date (mm-nth-week-hr) | Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Oct., Last, Sun. and type 02 in the hr field. Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Oct., Last, Sun. The time you type in the hr field depends on your time zone. In Germany, for instance, you would type 02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). |

Once you have filled in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel” to save your configuration, or press [ESC] to cancel.

Remote Management

This chapter covers remote management found in SMT menu 24.11.

44.1 Remote Management

Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.


When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 11 on page 201 for details on configuring firewall rules.

You can also disable a service on the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces.

To disable remote management of a service, select Disable in the corresponding Access field.

Enter 11 from menu 24 to bring up Menu 24.11 - Remote Management Control.

Figure 399 Menu 24.11 - Remote Management Control

The following table describes the fields in this screen.

Table 240 Menu 24.11 - Remote Management Control

| FIELD | DESCRIPTION |
|---|---|
| Telnet Server, FTP Server, SSH Server, HTTPS Server, HTTP Server, SNMP Service, DNS Service | Each of these read-only labels denotes a service that you may use to remotely manage the ZyWALL. |
| Port | This field shows the port number for the service or protocol. You may change the port number if needed, but you must use the same port number to access the ZyWALL. |
| Access | Select the access interface (if any) by pressing [SPACE BAR], then [ENTER] to choose from: LAN, WAN, LAN+WAN, DMZ, LAN+DMZ, WAN+DMZ, LAN+WAN+DMZ, WLAN, LAN+WLAN, WAN+WLAN, LAN+WAN+WLAN, DMZ+WLAN, LAN+DMZ+WLAN, WAN+DMZ+WLAN, LAN+WAN+DMZ+WLAN or Disable. |
| Secure Client IP | The default 0.0.0.0 allows any client to use this service to remotely manage the ZyWALL. Enter an IP address to restrict access to a client with a matching IP address. |
| Certificate | Press [SPACE BAR] and then [ENTER] to select the certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL). |
| Authentication Client Certificates | Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see Appendix H on page 691 for details). |

Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel" to save your configuration, or press [ESC] to cancel.

44.1.1 Remote Management Limitations

Remote management over LAN or WAN will not work when:

1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in menu 24.11.
3 The IP address in the Secure Client IP field (menu 24.11) does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
4 There is an SMT console session running.
5 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
6 There is a firewall rule that blocks it.

IP Policy Routing

This chapter covers setting and applying policies used for IP routing.

45.1 IP Routing Policy Summary

Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not. Each policy contains two lines. The former part is the criteria of the incoming packet and the latter is the action. Between these two parts, separator "||" means the action is taken on criteria matched and separator "=" means the action is taken on criteria not matched.

Figure 400 Menu 25: Sample IP Routing Policy Summary

Menu 25 - IP Routing Policy Summary  
#   A   Criteria/Action  
001 N   SA=1.1.1.1-1.1.1.1 DA=2.2.2.2-2.2.2.5  
        SP=20-25 DP=20-25 P=6 T=NM PR=0 |GW=192.168.1.1 T=MT PR=0  
002 N  
003 N  
004 N  
005 N  
006 N  
Select Command= None    Select Rule= N/A  
Press ENTER to Confirm or ESC to Cancel:  
Press Space Bar to Toggle. 

The following table describes the fields in this screen.

Table 241 Menu 25: Sample IP Routing Policy Summary

| FIELD | DESCRIPTION |
|---|---|
| # | This is the policy index number. |
| A | This displays whether a policy is active (Y) or not (N). |
| Criteria/Action | This displays the details about to which packets the policy applies and how the policy has the ZyWALL handle those packets. Refer to Table 242 on page 612 for detailed information. |
| Select Command | Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands. Select None and then press [ENTER] to go to the "Press ENTER to Confirm..." prompt. Use Edit to create or edit a rule. Use Delete to remove a rule. To edit or delete a rule, first make sure you are on the correct page. When a rule is deleted, subsequent rules do not move up in the page list. Use Go To Rule to view the page where your desired rule is listed. Select Next Page or Previous Page to view the next or previous page of rules (respectively). |
| Select Rule | Type the policy index number you wish to edit or delete and then press [ENTER]. |

When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.

Table 242 IP Routing Policy Setup

| | ABBREVIATION | MEANING |
|---|---|---|
| Criterion | SA | Source IP Address |
| | SP | Source Port |
| | DA | Destination IP Address |
| | DP | Destination Port |
| | P | IP layer 4 protocol number (TCP=6, UDP=17...) |
| | T | Type of service of incoming packet |
| | PR | Precedence of incoming packet |
| Action | GW | Gateway IP address |
| | T | Outgoing Type of service |
| | P | Outgoing Precedence |
| Service | NM | Normal |
| | MD | Minimum Delay |
| | MT | Maximum Throughput |
| | MR | Maximum Reliability |
| | MC | Minimum Cost |

45.2 IP Routing Policy Setup

To setup a routing policy, perform the following procedures:

1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary.

2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).

Figure 401 Menu 25.1: IP Routing Policy Setup

Menu 25.1 - IP Routing Policy Setup  
Rule Index= 1 Active= Yes  
Criteria:  
IP Protocol = 6  
Type of Service= Normal Packet length= 40  
Precedence = 0 Len Comp= Equal  
Source:  
addr start= 1.1.1.1 end= 1.1.1.1  
port start= 20 end= 25  
Destination:  
addr start= 2.2.2.2 end= 2.2.2.5  
port start= 20 end= 25  
Action= Matched  
Gateway Type= IP Address  
Gateway addr = 192.168.1.1 Redirect packet= N/A  
Type of Service= Max Thruput Log= No  
Precedence = 0  
Edit policy to packets received from= No  
Press ENTER to Confirm or ESC to Cancel: 

The following table describes the fields in this screen.

Table 243 Menu 25.1: IP Routing Policy Setup

| FIELD | DESCRIPTION |
|---|---|
| Rule Index | This is the index number of the routing policy selected in Menu 25 - IP Routing Policy Summary. |
| Active | Press [SPACE BAR] and then [ENTER] to select Yes to activate the policy. |
| Criteria | |
| IP Protocol | Enter a number that represents an IP layer 4 protocol, for example, UDP=17, TCP=6, ICMP=1 and Don't care=0. |
| Type of Service | Prioritize incoming network traffic by choosing from Don't Care, Normal, Min Delay, Max Thruput or Max Reliable. |
| Precedence | Precedence value of the incoming packet. Press [SPACE BAR] and then [ENTER] to select a value from 0 to 7 or Don't Care. |
| Packet Length | Type the length of incoming packets (in bytes). The operators in the Len Comp (next field) apply to packets of this length. |
| Len Comp | Press [SPACE BAR] and then [ENTER] to choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. |
| Source | |
| addr start / end | Source IP address range from start to end. |
| port start / end | Source port number range from start to end; applicable only for TCP/UDP. |
| Destination | |
| addr start / end | Destination IP address range from start to end. |
| port start / end | Destination port number range from start to end; applicable only for TCP/UDP. |
| Action | Specifies whether action should be taken on criteria Matched or Not Matched. |
| Gateway Type | Press [SPACE BAR] and then [ENTER] to select IP Address and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router on the same segment as your ZyWALL's LAN or WAN port. Press [SPACE BAR] and then [ENTER] to select Remote Node to have the ZyWALL send traffic that matches the policy route through a specific WAN port. |
| Gateway addr | This field displays if you selected IP Address in the Gateway Type field. Defines the outgoing gateway address. The gateway must be on the same subnet as the ZyWALL if it is on the LAN, otherwise, the gateway must be the IP address of a remote node. The default gateway is specified as 0.0.0.0. |
| Remote Node Idx | This field displays if you selected Remote Node in the Gateway Type field. Type 1 for WAN port 1 or 2 for WAN port 2. |
| Redirect Packet | This field applies if you selected Remote Node in the Gateway Type field. Press [SPACE BAR] and then [ENTER] to select Yes to have the ZyWALL send traffic that matches the policy route through the other WAN interface if it cannot send the traffic through the WAN interface you selected. |
| Type of Service | Set the new TOS value of the outgoing packet. Prioritize incoming network traffic by choosing Don't Care, Normal, Min Delay, Max Thruput, Max Reliable or Min Cost. |
| Precedence | Set the new outgoing packet precedence value. Values are 0 to 7 or Don't Care. |
| Log | Press [SPACE BAR] and then [ENTER] to select Yes to make an entry in the system log when a policy is executed. |
| Edit policy to packets received from | Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 25.1.1: IP Routing Policy Setup discussed next. |

When you have completed this menu, press [ENTER] at the prompt "Press [ENTER] to confirm or [ESC] to cancel" to save your configuration or press [ESC] to cancel and go back to the previous screen.

45.2.1 Applying Policy to Packets

To apply the policy to packets received on the selected interface(s), go to Menu 25.1: IP Routing Policy Setup and press [SPACE BAR] to select Yes in the Edit policy to packets received from field. Press [ENTER] to display Menu 25.1.1 - IP Routing Policy Setup (shown next).

Figure 402 Menu 25.1.1: IP Routing Policy Setup

The following table describes the fields in this screen.

Table 244 Menu 25.1.1: IP Routing Policy Setup

| FIELD | DESCRIPTION |
|---|---|
| LAN/DMZ/WLAN/ALL WAN | Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to apply the policy to packets received on the specific interface(s). |
| Selected Remote Node index | If you select No in the ALL WAN field, enter the number of the WAN interface. |

When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.

45.3 IP Policy Routing Example

If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure.

Route 1 represents the default IP route and route 2 represents the configured IP route.

Figure 403 Example of IP Policy Routing

Figure 404 IP Routing Policy Example 1

To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.

1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.

Rule Index= 1 Active= Yes  
Criteria:  
IP Protocol = 6  
Type of Service= Don't Care Packet length= 10  
Precedence = Don't Care Len Comp= Equal  
Source:  
addr start= 192.168.1.33 end= 192.168.1.64  
port start= 0 end= N/A  
Destination:  
addr start= 0.0.0.0 end= N/A  
port start= 80 end= 80  
Action= Matched  
Gateway Type= IP Address  
Gateway addr = 192.168.1.1 Redirect packet= N/A  
Type of Service= Max Thruput Log= No  
Precedence = 0  
Edit policy to packets received from= No  
Press ENTER to Confirm or ESC to Cancel: 

2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port.
3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly.
4 Create another rule in menu 25.1 to route packets from any host (IP=0.0.0.0 means any host) that use TCP and the FTP ports through another gateway (192.168.1.100).

Figure 405 IP Routing Policy Example 2

Menu 25.1 - IP Routing Policy Setup  
Rule Index= 2 Active= No  
Criteria:  
IP Protocol = 6  
Type of Service= Don't Care Packet length= 10  
Precedence = Don't Care Len Comp= Equal  
Source:  
addr start= 0.0.0.0 end= N/A  
port start= 0 end= N/A  
Destination:  
addr start= 0.0.0.0 end= N/A  
port start= 20 end= 21  
Action= Matched  
Gateway Type= IP Address  
Gateway addr = 192.168.1.100 Redirect packet= N/A  
Type of Service= Don't Care Log= No  
Precedence = Don't Care  
Edit policy to packets received from= No  
Press ENTER to Confirm or ESC to Cancel: 

5 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port.
6 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly.
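To make the criteria semantics of Table 242 and of the two rules just configured concrete, here is an added Python example; it is not part of the manual and not ZyXEL firmware code. It parses rule lines written in the Menu 25 summary format of Figure 400 and evaluates sample packets against them. Three things it assumes that the page does not state: the single character directly before GW= is the criteria/action separator ("|" for Matched, "=" for Not Matched); rules are tried in ascending index order and the first one that applies wins; and the two constructed summary lines are my rendering of the Menu 25.1 screens in Figures 404 and 405 (the FTP rule is set active here, whereas the screen shows Active= No).

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Criteria and action abbreviations from Table 242 (PR is the precedence
# as the Menu 25 screen prints it). A key absent from a rule means
# "Don't Care" for that criterion.
_KV = re.compile(r"\b(SA|DA|SP|DP|PR|P|T|GW)=(\S+)")


@dataclass
class Policy:
    index: int
    active: bool                                   # "A" column: Y or N
    criteria: dict = field(default_factory=dict)   # left of the separator
    on_match: bool = True                          # "|": act when matched, "=": act when not matched
    action: dict = field(default_factory=dict)     # GW, T, PR right of the separator


def parse_summary(line: str) -> Policy:
    """Parse one rule of Menu 25, its two screen lines joined by a space.
    Assumption: the separator is the single character directly before GW=."""
    m = re.match(r"(\d{3})\s+([YN])\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not a policy summary line: %r" % line)
    index, active, rest = int(m.group(1)), m.group(2) == "Y", m.group(3)
    if not rest:                                   # empty slot, e.g. "002 N"
        return Policy(index, active)
    sep = re.search(r"([|=])GW=", rest)
    if not sep:
        raise ValueError("no criteria/action separator in %r" % line)
    crit_txt, act_txt = rest[:sep.start()], rest[sep.start() + 1:]
    return Policy(index, active, dict(_KV.findall(crit_txt)),
                  sep.group(1) == "|", dict(_KV.findall(act_txt)))


def _in_ip_range(addr: str, rng: str) -> bool:
    lo, hi = (int(ipaddress.ip_address(x)) for x in rng.split("-"))
    return lo <= int(ipaddress.ip_address(addr)) <= hi


def _in_port_range(port: int, rng: str) -> bool:
    lo, hi = (int(x) for x in rng.split("-"))
    return lo <= port <= hi


def criteria_match(crit: dict, pkt: dict) -> bool:
    """True when every configured criterion matches the packet."""
    if "SA" in crit and not _in_ip_range(pkt["src"], crit["SA"]):
        return False
    if "DA" in crit and not _in_ip_range(pkt["dst"], crit["DA"]):
        return False
    if "P" in crit and pkt["proto"] != int(crit["P"]):
        return False
    # Port criteria apply only to TCP (6) and UDP (17), per Table 243;
    # a rule that names ports cannot match a protocol that has none.
    if pkt["proto"] in (6, 17):
        if "SP" in crit and not _in_port_range(pkt.get("sport", 0), crit["SP"]):
            return False
        if "DP" in crit and not _in_port_range(pkt.get("dport", 0), crit["DP"]):
            return False
    elif "SP" in crit or "DP" in crit:
        return False
    if "T" in crit and pkt.get("tos", "NM") != crit["T"]:
        return False
    if "PR" in crit and pkt.get("prec", 0) != int(crit["PR"]):
        return False
    return True


def route(policies, pkt):
    """Return (rule index, action) of the first active rule whose Matched /
    Not Matched condition holds, or None to leave the packet to normal routing.
    Assumption: rules are evaluated in ascending index order."""
    for pol in sorted(policies, key=lambda p: p.index):
        if not pol.active or not pol.action:
            continue
        if criteria_match(pol.criteria, pkt) == pol.on_match:
            return pol.index, pol.action
    return None


# Constructed summary lines (not a capture from a ZyWALL): rules 1 and 2 are
# the Web and FTP rules of Figures 404 and 405; rule 3 is an empty slot.
SUMMARY = [
    "001 Y SA=192.168.1.33-192.168.1.64 DP=80-80 P=6 |GW=192.168.1.1",
    "002 Y DP=20-21 P=6 |GW=192.168.1.100",
    "003 N",
]
POLICIES = [parse_summary(s) for s in SUMMARY]

if __name__ == "__main__":
    web = {"src": "192.168.1.40", "dst": "203.0.113.10", "proto": 6, "sport": 40000, "dport": 80}
    ftp = {"src": "192.168.1.200", "dst": "203.0.113.10", "proto": 6, "sport": 40001, "dport": 21}
    print(route(POLICIES, web))   # (1, {'GW': '192.168.1.1'})
    print(route(POLICIES, ftp))   # (2, {'GW': '192.168.1.100'})
```

A Web request from a client inside 192.168.1.33 to 192.168.1.64 is sent to 192.168.1.1, an FTP control connection from any host goes to 192.168.1.100, and a Web request from 192.168.1.70 or a UDP packet to port 80 matches neither rule and falls through to the normal routing table. The Not Matched form is the one to watch in a review: a rule such as "P=6 =GW=..." redirects every packet that is not TCP, which is usually broader than intended.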

Call Scheduling

Call scheduling allows you to dictate when a remote node should be called and for how long.

46.1 Introduction to Call Scheduling

The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a videocassette recorder (you can specify a time period for the VCR to record). You can apply up to 4 schedule sets in Menu 11.1 - Remote Node Profile. From the main menu, enter 26 to access Menu 26 - Schedule Setup as shown next.

Figure 406 Schedule Setup

Lower numbered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts. For example, if sets 1, 2, 3 and 4 are applied in the remote node, then set 1 will take precedence over set 2, 3 and 4 as the ZyWALL, by default, applies the lowest numbered set first. Set 2 will take precedence over set 3 and 4, and so on.

You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node.


To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field.

To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.

Figure 407 Schedule Set Setup

Menu 26.1 - Schedule Set Setup  
Active= Yes  
How Often= Once  
Start Date(yyyy-mm-dd) = N/A  
Once:  
    Date(yyyy-mm-dd) = 2000 - 01 - 01  
Weekdays:  
    Sunday= N/A  
    Monday= N/A  
    Tuesday= N/A  
    Wednesday= N/A  
    Thursday= N/A  
    Friday= N/A  
    Saturday= N/A  
Start Time (hh:mm) = 00 : 00  
Duration (hh:mm) = 00 : 00  
Action= Forced On  
Press ENTER to Confirm or ESC to Cancel:  
Press Space Bar to Toggle 

If a connection has been already established, your ZyWALL will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration.

Table 245 Schedule Set Setup

| FIELD | DESCRIPTION |
|---|---|
| Active | Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to activate the schedule set. |
| How Often | Should this schedule set recur weekly or be used just once only? Press [SPACE BAR] and then [ENTER] to select Once or Weekly. These two options are mutually exclusive. If Once is selected, then all weekday settings are N/A. When Once is selected, the schedule rule deletes automatically after the scheduled time elapses. |
| Start Date | Enter the start date when you wish the set to take effect in year-month-date format. Valid dates are from the present to 2036-February-5. |
| Once: | |
| Date | If you selected Once in the How Often field above, then enter the date the set should activate here in year-month-date format. |
| Weekdays: | |
| Day | If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER]. |
| Start Time | Enter the start time when you wish the schedule set to take effect in hour-minute format. |
| Duration | The duration determines how long the ZyWALL is to apply the action configured in the Action field. Enter the maximum length of time in hour-minute format. |
| Action | Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line. Enable Dial-On-Demand means that this schedule permits a demand call on the line. Disable Dial-On-Demand means that this schedule prevents a demand call on the line. |

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

Once your schedule sets are configured, you must then apply them to the desired remote node(s). Enter 11 from the Main Menu and then enter the target remote node index. Press [SPACE BAR] and then [ENTER] to select PPPoE in the Encapsulation field to make the schedule sets field available as shown next.

Figure 408 Applying Schedule Set(s) to a Remote Node (PPPoE)

Menu 11.1 - Remote Node Profile  
Rem Node Name= ChangeMe          Route= IP  
Active= Yes  
Encapsulation= PPPoE             Edit IP= No  
Service Type= Standard           Telco Option:  
Service Name=                      Allocated Budget(min)= 0  
Outgoing=                          Period(hr)= 0  
  My Login=                        Schedules= 1,2,3,4  
  My Password=                     Nailed-Up Connection= No  
  Authen= CHAP/PAP               Session Options:  
                                   Edit Filter Sets= No  
                                   Idle Timeout(sec)= 100  
Press ENTER to Confirm or ESC to Cancel: 

You can apply up to four schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s).

Figure 409 Applying Schedule Set(s) to a Remote Node (PPTP)

Menu 11.1 - Remote Node Profile  
Rem Node Name= ChangeMe          Route= IP  
Active= Yes  
Encapsulation= PPTP              Edit IP= No  
Service Type= Standard           Telco Option:  
Outgoing=                          Allocated Budget(min)= 0  
  My Login=                        Period(hr)= 0  
  My Password=                     Nailed-up Connections= No  
  Retype to Confirm=  
  Authen= CHAP/PAP  
PPTP:                            Session Options:  
  My IP Addr=                      Edit Filter Sets= No  
  My IP Mask=                      Idle Timeout(sec)= 100  
  Server IP Addr=  
  Connection ID/Name=  
Press ENTER to Confirm or ESC to Cancel: 
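The scheduling rules in this chapter combine in a way that is easy to get wrong by hand: up to four sets are applied per remote node, the lowest numbered set wins whenever windows overlap, a Once set disappears after its time elapses, and a window can run past midnight. The following Python model is an added example, not the manual's or ZyXEL's code; the schedule sets it builds are constructed for illustration, and its `from_menu` helper, the treatment of a window crossing midnight, and the exact precedence evaluation are my assumptions about how the stated rules compose.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

DAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
ACTIONS = {"Forced On", "Forced Down", "Enable Dial-On-Demand", "Disable Dial-On-Demand"}


def _when(value):
    """Accept a datetime or a 'yyyy-mm-dd hh:mm' string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


@dataclass
class ScheduleSet:
    """One entry of Menu 26.1 - Schedule Set Setup."""
    number: int                         # set number 1..12 in Menu 26; lower numbers win
    active: bool
    how_often: str                      # "Once" or "Weekly"
    start_time: time                    # Start Time (hh:mm)
    duration: timedelta                 # Duration (hh:mm)
    action: str
    once_date: Optional[date] = None    # Once: Date(yyyy-mm-dd)
    weekdays: frozenset = frozenset()   # Weekly: the day names set to Yes
    start_date: Optional[date] = None   # Start Date: the set is ignored before it

    @classmethod
    def from_menu(cls, number, active, how_often, start_time, duration, action,
                  once_date=None, weekdays=(), start_date=None):
        """Build a set from the values as typed in the menu ('hh:mm', 'yyyy-mm-dd')."""
        if action not in ACTIONS or how_often not in ("Once", "Weekly"):
            raise ValueError("invalid Action or How Often value")
        h, m = (int(x) for x in duration.split(":"))
        return cls(number, active, how_often, time.fromisoformat(start_time),
                   timedelta(hours=h, minutes=m), action,
                   date.fromisoformat(once_date) if once_date else None,
                   frozenset(weekdays),
                   date.fromisoformat(start_date) if start_date else None)

    def window(self, day: date):
        """(begin, end) of the window that starts on `day`, or None if none does."""
        if self.how_often == "Once":
            if day != self.once_date:
                return None
        elif DAY_NAMES[day.weekday()] not in self.weekdays:
            return None
        begin = datetime.combine(day, self.start_time)
        return begin, begin + self.duration

    def covers(self, when: datetime) -> bool:
        if not self.active or (self.start_date and when.date() < self.start_date):
            return False
        # A window starting late in the day can run past midnight, so the
        # previous day's window is checked as well.
        for day in (when.date(), when.date() - timedelta(days=1)):
            w = self.window(day)
            if w and w[0] <= when < w[1]:
                return True
        return False

    def expired(self, now: datetime) -> bool:
        """A Once set is deleted automatically once its scheduled time has elapsed."""
        if self.how_often != "Once" or self.once_date is None:
            return False
        return now >= self.window(self.once_date)[1]


def effective_action(applied, when):
    """Which of the sets applied to a remote node ('Schedules= 1,2,3,4' in Menu 11.1)
    governs at `when`: the lowest numbered set covering that moment wins.
    Returns (set number, action), or None when no set applies."""
    if len(applied) > 4:
        raise ValueError("at most four schedule sets can be applied to a remote node")
    when = _when(when)
    for s in sorted(applied, key=lambda s: s.number):
        if s.covers(when):
            return s.number, s.action
    return None


def prune_expired(sets, now):
    """Drop Once sets whose window has already elapsed, as the ZyWALL does."""
    now = _when(now)
    return [s for s in sets if not s.expired(now)]


# Constructed sets (not from the manual): an overnight block on weekdays, weekends
# with dial-on-demand disabled, a one-off forced-up window, and a catch-all that
# permits demand calls the rest of the time. Listed out of order on purpose.
SETS = [
    ScheduleSet.from_menu(4, True, "Weekly", "00:00", "23:59", "Enable Dial-On-Demand", weekdays=DAY_NAMES),
    ScheduleSet.from_menu(3, True, "Once", "09:00", "02:00", "Forced On", once_date="2006-06-15"),
    ScheduleSet.from_menu(2, True, "Weekly", "00:00", "23:59", "Disable Dial-On-Demand", weekdays=["Saturday", "Sunday"]),
    ScheduleSet.from_menu(1, True, "Weekly", "22:00", "08:00", "Forced Down", weekdays=DAY_NAMES[:5]),
]

if __name__ == "__main__":
    print(effective_action(SETS, "2006-06-13 03:00"))   # (1, 'Forced Down'): Monday's window runs to 06:00
    print(effective_action(SETS, "2006-06-15 10:00"))   # (3, 'Forced On')
```

Note how the Forced Down set, though it starts at 22:00, still governs at 03:00 the next morning because its 8-hour duration crosses midnight, and how the catch-all set 4 only ever applies when sets 1 to 3 are silent; when auditing a remote node's schedule, read the sets in number order, not in the order they were created.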

Troubleshooting

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.

  • Power, Hardware Connections, and LEDs
  • ZyWALL Access and Login
  • Internet Access

47.1 Power, Hardware Connections, and LEDs


The ZyWALL does not turn on. None of the LEDs turn on.

1 Make sure the ZyWALL is turned on.
2 Make sure you are using the power adaptor or cord included with the ZyWALL.
3 Make sure the power adaptor is connected to the ZyWALL and plugged in to an appropriate power source. Make sure the power source is turned on.
4 Turn the ZyWALL off and on or disconnect and re-connect the power adaptor to the ZyWALL.
5 If the problem continues, contact the vendor.


One of the LEDs does not behave as expected.

1 Make sure you understand the normal behavior of the LED. See Section 1.4.4 on page 54.
2 Check the hardware connections. See the Quick Start Guide.
3 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4 Turn the ZyWALL off and on or disconnect and re-connect the power adaptor to the ZyWALL.
5 If the problem continues, contact the vendor.

47.2 ZyWALL Access and Login

I forgot the LAN IP address for the ZyWALL.

1 The default LAN IP address is 192.168.1.1.
2 Use the console port to log in to the ZyWALL.
3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the ZyWALL (it depends on the network), so enter this IP address in your Internet browser.
4 If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 57.

I forgot the password.

1 The default password is 1234.
2 If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 57.

I cannot see or access the Login screen in the web configurator.

1 Make sure you are using the correct IP address.

  • The default LAN IP address is 192.168.1.1.
  • Use the ZyWALL's LAN IP address when configuring from the LAN.
  • Use the ZyWALL's WAN IP address when configuring from the WAN.
  • If you changed the LAN IP address (Section 6.7 on page 116), use the new IP address.
  • If you changed the LAN IP address and have forgotten it, see the troubleshooting suggestions for I forgot the LAN IP address for the ZyWALL.

2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.4.4 on page 54.
3 Make sure your Internet browser does not block pop-up windows and has JavaScript and Java enabled. See Appendix C on page 641.
4 Make sure your computer's Ethernet adapter is installed and functioning properly.
5 Make sure your computer is in the same subnet as the ZyWALL. (If you know that there are routers between your computer and the ZyWALL, skip this step.)

  • If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Appendix D on page 647. Your ZyWALL is a DHCP server by default.

6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address. See Section 2.3 on page 57.
7 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions

  • Try to access the ZyWALL using another service, such as Telnet. If you can access the ZyWALL, check the remote management settings, firewall rules, and SMT filters to find out why the ZyWALL does not respond to HTTP.
  • If your computer is connected to the WAN port or is connected wirelessly, use a computer that is connected to a LAN port.
  • You may also need to clear your Internet browser's cache. In Internet Explorer, click Tools and then Internet Options to open the Internet Options screen. In the General tab, click Delete Files. In the pop-up window, select the Delete all offline content check box and click OK. Click OK in the Internet Options screen to close it.
  • If you disconnect your computer from one device and connect it to another device that has the same IP address, your computer's ARP (Address Resolution Protocol) table may contain an entry that maps the management IP address to the previous device's MAC address. In Windows, use arp -d at the command prompt to delete all entries in your computer's ARP table.
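The stale-ARP-entry situation above can be confirmed before clearing the cache. The following added example (not from the ZyXEL manual) parses the output of Windows arp -a, constructed here with made-up MAC addresses, and reports whether the entry for the ZyWALL's management IP still points at the device you expect; the same check flags any unexpected change of the gateway's MAC.

```python
"""Added example (not from the ZyXEL manual): parse Windows `arp -a` output
and report whether the cached entry for the ZyWALL's management IP still
points at the device you expect. All MAC addresses below are constructed."""
import re

# Constructed `arp -a` output: host 192.168.1.33 (first address of the
# ZyWALL's default DHCP pool) caches 192.168.1.1 as 00-11-22-33-44-55.
ARP_SAMPLE = """
Interface: 192.168.1.33 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One table row: dotted-quad IP, dash-separated MAC, then the entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)")


def normalise_mac(mac):
    """Canonical lower-case colon form so dash and colon spellings compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Map IP address -> (mac, type) for every entry row in `arp -a` output.

    The 'Interface:' and column-header lines do not match ENTRY_RE and are skipped."""
    table = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            ip, mac, kind = match.groups()
            table[ip] = (normalise_mac(mac), kind.lower())
    return table


def check_management_entry(table, mgmt_ip, expected_mac=None):
    """Return (status, message) for the entry that resolves mgmt_ip.

    'missing' - no cached entry; the host has not talked to that IP yet.
    'stale'   - the cached MAC differs from the device you expect, which is
                the situation the manual's `arp -d` advice fixes.
    'ok'      - entry present (and matching expected_mac when one is given).
    """
    entry = table.get(mgmt_ip)
    if entry is None:
        return ("missing", "no ARP entry for %s" % mgmt_ip)
    mac, kind = entry
    if expected_mac is not None and mac != normalise_mac(expected_mac):
        return ("stale", "%s is cached as %s (%s), expected %s; clear it with arp -d"
                % (mgmt_ip, mac, kind, normalise_mac(expected_mac)))
    return ("ok", "%s -> %s (%s)" % (mgmt_ip, mac, kind))


if __name__ == "__main__":
    table = parse_arp_table(ARP_SAMPLE)
    # Constructed label of the replacement ZyWALL: the cache still holds the old MAC.
    print(check_management_entry(table, "192.168.1.1", "00-11-22-33-44-66"))
```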

I can see the Login screen, but I cannot log in to the ZyWALL.

1 Make sure you have entered the user name and password correctly. The default user name is admin, and the default password is 1234. These fields are case-sensitive, so make sure [Caps Lock] is not on.
2 You cannot log in to the web configurator while someone is using the SMT, Telnet, or the console port to access the ZyWALL. Log out of the ZyWALL in the other session, or ask the person who is logged in to log out.
3 Turn the ZyWALL off and on or disconnect and re-connect the power adaptor or cord to the ZyWALL.
4 If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 57.

I cannot access the SMT. / I cannot Telnet to the ZyWALL.

See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.

I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.

See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.

47.3 Internet Access

I cannot get a WAN IP address from the ISP.

1 The ISP provides the WAN IP address after authenticating you. Authentication may be through the user name and password, the MAC address or the host name. The username and password apply to PPPoE and PPPoA encapsulation only. Make sure that you have entered the correct Service Type, User Name and Password (be sure to use the correct casing). Refer to the WAN setup chapter (web configurator or SMT).
2 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
3 If the problem continues, contact your ISP.

I cannot access the Internet.

1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.4.4 on page 54.
2 Make sure you entered your ISP account information correctly in the wizard, WAN screen or SMT menu. These fields are case-sensitive, so make sure [Caps Lock] is not on.
3 If you are trying to access the Internet wirelessly, make sure the wireless settings in the wireless client are the same as the settings in the AP.
4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
5 If the problem continues, contact your ISP.

I cannot access the Internet anymore. I had access to the Internet (with the ZyWALL), but my Internet connection is not available anymore.

1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.4.4 on page 54.
2 Check the schedule rules. Refer to Chapter 46 on page 619 (SMT).
3 If you use PPPoA or PPPoE encapsulation, check the idle time-out setting. Refer to the Chapter 8 on page 131 (web configurator) or Chapter 31 on page 503 (SMT).
4 Reboot the ZyWALL.
5 If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.

1 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.4.4 on page 54. If the ZyWALL is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.
2 Check the signal strength. If the signal strength is low, try moving the ZyWALL closer to the AP if possible, and look around to see if there are any devices that might be interfering with the wireless network (for example, microwaves, other wireless networks, and so on).
3 Reboot the ZyWALL.
4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions

  • Check the settings for bandwidth management. If it is disabled, you might consider activating it. If it is enabled, you might consider changing the allocations.

PART VII

Appendices and Index

Product Specifications (631)

Wall-mounting Instructions (639)

Pop-up Windows, JavaScript and Java Permissions (641)

Setting up Your Computer's IP Address (647)

IP Addresses and Subnetting (663)

Common Services (671)

Wireless LANs (675)

VPN Setup (689)

Importing Certificates (691)

Command Interpreter (701)

NetBIOS Filter Commands (709)

Brute-Force Password Guessing Protection (711)

Legal Information (713)

Customer Support (717)

Index (721)

Product Specifications

The following tables summarize the ZyWALL's hardware and firmware features.

Table 246 Hardware Specifications

Dimensions: 220 (W) x 148 (D) x 30.5 (H) mm
Weight: 517 g
Power Specification: 12V DC
Ethernet Interface:
  LAN/DMZ: Four LAN/DMZ/WLAN auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports.
  WAN: One auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-45 Ethernet port
Reset Button: Restores factory default settings
Console: RJ-45 port for RS-232 null modem connection
Dial Backup: RJ-45 port for RS-232 connection
Extension Card Slot: For installing a 3G card.
Antenna: Two 2 dBi fixed antennas
Distance between the centers of the holes (for wall mounting) on the device's back: 165.75 mm
Screw size for wall-mounting: M3*10
Operation Temperature: 0°C ~ 50°C
Storage Temperature: -30°C ~ 60°C
Operation Humidity: 20% ~ 95% RH (non-condensing)
Storage Humidity: 20% ~ 95% RH (non-condensing)
Certifications: EMC: FCC Part 15 Class B, CE-EMC Class B, C-Tick Class B, VCCI Class B. Safety: CSA International, CE EN60950-1 (UL60950-1, CSA60950-1, EN60950-1, IEC60950-1)

Table 247 Firmware Specifications

FEATURE: DESCRIPTION
Default IP Address: 192.168.1.1
Default Subnet Mask: 255.255.255.0 (24 bits)
Default Password: 1234
Default DHCP Pool: 192.168.1.33 to 192.168.1.160
Device Management: Use the web configurator to easily configure the rich range of features on the ZyWALL.
Wireless Functionality: Allow the IEEE 802.11a, IEEE 802.11b and/or IEEE 802.11g wireless clients to connect to the ZyWALL wirelessly. Enable wireless security (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network.
Firmware Upgrade: Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyWALL. Note: Only upload firmware for your specific model!
Configuration Backup & Restoration: Make a copy of the ZyWALL's configuration. You can put it back on the ZyWALL later if you decide to revert back to an earlier configuration.
Network Address Translation (NAT): Each computer on your network must have its own unique IP address. Use NAT to convert your public IP address(es) to multiple private IP addresses for the computers on your network.
Port Forwarding: If you have a server (mail or web server for example) on your network, you can use this feature to let people access it from the Internet.
DHCP (Dynamic Host Configuration Protocol): Use this feature to have the ZyWALL assign IP addresses, an IP default gateway and DNS servers to computers on your network.
Dynamic DNS Support: With Dynamic DNS (Domain Name System) support, you can use a fixed URL, www.zyxel.com for example, with a dynamic IP address. You must register for this service with a Dynamic DNS service provider.
IP Multicast: IP multicast is used to send traffic to a specific group of computers. The ZyWALL supports versions 1 and 2 of IGMP (Internet Group Management Protocol) used to join multicast groups (see RFC 2236).
IP Alias: IP alias allows you to subdivide a physical network into logical networks over the same Ethernet interface with the ZyWALL itself as the gateway for each subnet.
Time and Date: Get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. These dates and times are then used in logs.
Logging and Tracing: Use packet tracing and logs for troubleshooting. You can send logs from the ZyWALL to an external syslog server.
PPPoE: PPPoE mimics a dial-up Internet access connection.
PPTP Encapsulation: Point-to-Point Tunneling Protocol (PPTP) enables secure transfer of data through a Virtual Private Network (VPN). The ZyWALL supports one PPTP connection at a time.
Universal Plug and Play (UPnP): A UPnP-enabled device can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.
RoadRunner Support: The ZyWALL supports Time Warner's RoadRunner Service in addition to standard cable modem services.
Firewall: You can configure the firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files for example.
Content Filter: The ZyWALL blocks or allows access to web sites that you specify and blocks access to web sites with URLs that contain keywords that you specify. You can define time periods and days during which content filtering is enabled. You can also include or exclude particular computers on your network from content filtering. You can also subscribe to category-based content filtering that allows your ZyWALL to check web sites against an external database.
IPSec VPN: This allows you to establish a secure Virtual Private Network (VPN) tunnel to connect with business partners and branch offices using data encryption and the Internet without the expense of leased site-to-site lines. The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
Bandwidth Management: You can efficiently manage traffic on your network by reserving bandwidth and giving priority to certain types of traffic and/or to particular computers.
Remote Management: This allows you to decide whether a service (HTTP or FTP traffic for example) from a computer on a network (LAN or WAN for example) can access the ZyWALL.

Table 248 Feature Specifications

FEATURE: SPECIFICATION
Number of Local User Database Entries: 32
Number of Static DHCP Table Entries: 32
Number of Static Routes: 30
Number of Policy Routes: 24
Number of NAT Sessions: 3,000
Number of Address Mapping Rules: 10
Number of Port Forwarding Rules: 20
Number of IPSec VPN Tunnels/Security Associations: 5
Number of Bandwidth Management Classes: 10
Number of Bandwidth Management Class Levels: 1
Number of DNS Address Record Entries: 30
Number of DNS Name Server Record Entries: 16

Table 249 Performance

CATEGORY: PERFORMANCE
Firewall Throughput (with NAT): 24 Mbps
VPN (3DES) Throughput: 24 Mbps
User Licenses: Unlimited
Concurrent Sessions: 3,000
Simultaneous IPSec VPN Connections: 5
Output Power (Maximum):
  IEEE 802.11a: 14 dBm at 54 Mbps OFDM
  IEEE 802.11b: 18 dBm at 11 Mbps CCK, QPSK, BPSK
  IEEE 802.11g: 17 dBm at 54 Mbps OFDM

Compatible 3G Card

At the time of writing, you can only use the Sierra AC850/860 3G wireless card in the ZyWALL.

3G Card Installation

Do not insert or remove a card with the ZyWALL turned on.

Make sure the ZyWALL is off before inserting or removing a 3G card (to avoid damage). Slide the connector end of the card into the slot as shown next.

Make certain the 3G card is compatible with the ZyWALL. Do not force, bend or twist the 3G card.

Power Adaptor Specifications

NORTH AMERICAN PLUG STANDARDS
AC POWER ADAPTOR MODEL: PSA18R-120P (ZA)-R
INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER: 12VDC, 1.5A
POWER CONSUMPTION: 18 W MAX.
SAFETY STANDARDS: UL, CUL (UL 60950-1 FIRST EDITION, CSA C22.2 NO. 60950-1-03 1ST.)

EUROPEAN PLUG STANDARDS
AC POWER ADAPTOR MODEL: PSA18R-120P (ZE)-R
INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER: 12VDC, 1.5A
POWER CONSUMPTION: 18 W MAX.
SAFETY STANDARDS: TUV, CE (EN 60950-1)

UNITED KINGDOM PLUG STANDARDS
AC POWER ADAPTOR MODEL: PSA18R-120P (ZK)-R
INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER: 12VDC, 1.5A
POWER CONSUMPTION: 18 W MAX.
SAFETY STANDARDS: TUV (BS EN 60950-1)

AUSTRALIA AND NEW ZEALAND PLUG STANDARDS
AC POWER ADAPTOR MODEL: PSA18R-120P (ZS)-R
INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER: 12VDC, 1.5A
POWER CONSUMPTION: 18 W MAX.
SAFETY STANDARDS: AS/NZ60950

JAPAN PLUG STANDARDS
AC POWER ADAPTOR MODEL: PSA18R-120P (ZA)-R
INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER: 12VDC, 1.5A
POWER CONSUMPTION: 18 W MAX.
SAFETY STANDARDS: JET

CHINA PLUG STANDARDS
AC POWER ADAPTOR MODEL: PSA18R-120P (ZA)-R
INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER: 12VDC, 1.5A
POWER CONSUMPTION: 18 W MAX.
SAFETY STANDARDS: CCC

Cable Pin Assignments

In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you connect a modem to the dial backup port.

The console cable and dial backup cable each have an RJ-45 connector and a DB-9 connector. The pin layout for the DB-9 connector end of the cables is as follows.

Figure 410 Console/Dial Backup Cable DB-9 End Pin Layout

Table 250 Console Cable Pin Assignments

PIN DEFINITION    RJ-45 END    DB-9M (MALE) END
DSR               1            6
DTR               2            4
TX                3            3
RTS               4            7
GND               5            5
RX                6            2
CTS               7            8
DCD               8            1
N/A                            9

Table 251 Console Cable Pin Assignments

PIN DEFINITION    RJ-45 END    DB-9M (MALE) END
DTR               1            4
DSR               2            6
RX                3            2
CTS               4            8
GND               5            5
TX                6            3
RTS               7            7
DCD               8            1
N/A                            9

Table 252 Ethernet Cable Pin Assignments

WAN / LAN ETHERNET CABLE PIN LAYOUT

Straight-through                  Crossover
(Switch)        (Adapter)         (Switch)        (Switch)
1 IRD+          1 OTD+            1 IRD+
2 IRD-          2 OTD-            2 IRD-
3 OTD+          3 IRD+            3 OTD+
6 OTD-          6 IRD-            6 OTD-

Wall-mounting Instructions

Do the following to hang your ZyWALL on a wall.

See the product specifications appendix for the size of screws to use and how far apart to place them.

1 Locate a high position on a wall that is free of obstructions. Use a sturdy wall.
2 Drill two holes for the screws. Make sure the distance between the centers of the holes matches what is listed in the product specifications appendix.

Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws.

3 Do not screw the screws all the way into the wall. Leave a small gap of about 0.5cm between the heads of the screws and the wall.
4 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the ZyWALL with the connection cables.
5 Align the holes on the back of the ZyWALL with the screws on the wall. Hang the ZyWALL on the screws.

Figure 411 Wall-mounting Example

Pop-up Windows, JavaScript and Java Permissions

In order to use the web configurator you need to allow:

  • Web browser pop-up windows from your device.
  • JavaScript (enabled by default).
  • Java permissions (enabled by default).

Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device.

Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address.

Disable pop-up Blockers

1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

Figure 412 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

Figure 413 Internet Options

3 Click Apply to save this setting.

Enable pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings... to open the Pop-up Blocker Settings screen.

Figure 414 Internet Options

3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.

Figure 415 Pop-up Blocker Settings

5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.

JavaScript

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.

1 In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 416 Internet Options

2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.

Figure 417 Security Settings - Java Scripting

Java Permissions

1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.

Figure 418 Security Settings - Java

JAVA (Sun)

1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.

Figure 419 Java (Sun)

Setting up Your Computer's IP Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.

Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.

TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems.

After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network.

If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyWALL's LAN port.

Windows 95/98/Me

Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.

Figure 420 Windows 95/98/Me: Network: Configuration

Installing Components

The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:

1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:

1 In the Network window, click Add.
2 Select Protocol and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select TCP/IP from the list of network protocols and then click OK.

If you need Client for Microsoft Networks:

1 Click Add.
2 Select Client and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click OK.
5 Restart your computer so the changes you made take effect.

Configuring

1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.

  • If your IP address is dynamic, select Obtain an IP address automatically.
  • If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.

Figure 421 Windows 95/98/Me: TCP/IP Properties: IP Address

3 Click the DNS Configuration tab.

  • If you do not know your DNS information, select Disable DNS.
  • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).

Figure 422 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

4 Click the Gateway tab.

  • If you do not know your gateway's IP address, remove previously installed gateways.
  • If you have a gateway IP address, type it in the New gateway field and click Add.

5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your ZyWALL and restart your computer when prompted.

Verifying Settings

1 Click Start and then Run.
2 In the Run window, type "winipcfg" and then click OK to open the IP Configuration window.
3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway.

Windows 2000/NT/XP

The following example figures use the default Windows XP GUI theme.

1 Click start (Start in Windows 2000/NT), Settings, Control Panel.

Figure 423 Windows XP: Start Menu

2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).

Figure 424 Windows XP: Control Panel

3 Right-click Local Area Connection and then click Properties.

Figure 425 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.

Figure 426 Windows XP: Local Area Connection Properties

5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).

  • If you have a dynamic IP address click Obtain an IP address automatically.
  • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
  • Click Advanced.

Figure 427 Windows XP: Internet Protocol (TCP/IP) Properties

6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Do one or more of the following if you want to configure additional IP addresses:

  • In the IP Settings tab, in IP addresses, click Add.
  • In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
  • Repeat the above two steps for each IP address you want to add.
  • Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
  • In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
  • Click Add.
  • Repeat the previous three steps for each default gateway you want to add.
  • Click OK when finished.

Figure 428 Windows XP: Advanced TCP/IP Properties

7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):

  • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.

If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.

Figure 429 Windows XP: Internet Protocol (TCP/IP) Properties

8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11 Turn on your ZyWALL and restart your computer (if prompted).

Verifying Settings

1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Macintosh OS 8/9

1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.

Figure 430 Macintosh OS 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list.

Figure 431 Macintosh OS 8/9: TCP/IP

3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:

From the Configure box, select Manually.

  • Type your IP address in the IP Address box.
  • Type your subnet mask in the Subnet mask box.
  • Type the IP address of your ZyWALL in the Router address box.

5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
7 Turn on your ZyWALL and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the TCP/IP Control Panel window.

Macintosh OS X

1 Click the Apple menu, and click System Preferences to open the System Preferences window.

Figure 432 Macintosh OS X: Apple Menu

2 Click Network in the icon bar.

  • Select Automatic from the Location list.
  • Select Built-in Ethernet from the Show list.
  • Click the TCP/IP tab.

3 For dynamically assigned settings, select Using DHCP from the Configure list.

Figure 433 Macintosh OS X: Network

4 For statically assigned settings, do the following:

From the Configure box, select Manually.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your ZyWALL in the Router address box.

5 Click Apply Now and close the window.
6 Turn on your ZyWALL and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the Network window.

Linux

This section shows you how to configure your computer's TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.

Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)

Follow the steps below to configure your computer IP address using the KDE.

1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.

Figure 434 Red Hat 9.0: KDE: Network Configuration: Devices

2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.

Figure 435 Red Hat 9.0: KDE: Ethernet Device: General

  • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
  • If you have a static IP address, click statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.

3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided.

Figure 436 Red Hat 9.0: KDE: Network Configuration: DNS

5 Click the Devices tab.
6 Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens.

Figure 437 Red Hat 9.0: KDE: Network Configuration: Activate

7 After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen.

Using Configuration Files

Follow the steps below to edit the network configuration files and set your computer IP address.

1 Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.

  • If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.

Figure 438 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
USERCTL=no
PEERDNS=yes
TYPE=Ethernet

  • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following figure shows an example where the static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0.

Figure 439 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=yes
TYPE=Ethernet

2 If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.

Figure 440 Red Hat 9.0: DNS Settings in resolv.conf

nameserver 172.23.5.1  
nameserver 172.23.5.2 

3 After you edit and save the configuration files, you must restart the network card. Enter ./network restart in the /etc/rc.d/init.d directory. The following figure shows an example.

Figure 441 Red Hat 9.0: Restart Ethernet Card

[root@localhost init.d]# network restart
Shutting down interface eth0:      [OK]
Shutting down loopback interface:  [OK]
Setting network parameters:        [OK]
Bringing up loopback interface:    [OK]
Bringing up interface eth0:        [OK]

Verifying Settings

Enter ifconfig in a terminal screen to check your TCP/IP properties.

Figure 442 Red Hat 9.0: Checking TCP/IP Properties

[root@localhost]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
          inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:717 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:730412 (713.2 Kb)  TX bytes:1570 (1.5 Kb)
          Interrupt:10 Base address:0x1000
[root@localhost]#

IP Addresses and Subnetting

This appendix introduces IP addresses, IP address classes and subnet masks. You use subnet masks to subdivide a network into smaller logical networks.

Introduction to IP Addresses

An IP address has two parts: the network number and the host ID. Routers use the network number to send packets to the correct network, while the host ID identifies a single device on the network.

An IP address is made up of four octets, written in dotted decimal notation, for example, 192.168.1.1. (An octet is an 8-digit binary number. Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.)

There are several classes of IP addresses. The first octet (192 in the above example) defines the class of IP address. These are defined as follows:

Class A: 0 to 127
Class B: 128 to 191
Class C: 192 to 223
Class D: 224 to 239
Class E: 240 to 255

IP Address Classes and Hosts

The class of an IP address determines the number of hosts you can have on your network.

  • In a class A address the first octet is the network number, and the remaining three octets are the host ID.
  • In a class B address the first two octets make up the network number, and the two remaining octets make up the host ID.
  • In a class C address the first three octets make up the network number, and the last octet is the host ID.

The following table shows the network number and host ID arrangement for classes A, B and C.

Table 253 Classes of IP Addresses

| IP ADDRESS | OCTET 1 | OCTET 2 | OCTET 3 | OCTET 4 |
| --- | --- | --- | --- | --- |
| Class A | Network number | Host ID | Host ID | Host ID |
| Class B | Network number | Network number | Host ID | Host ID |
| Class C | Network number | Network number | Network number | Host ID |

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 for example). Therefore, to determine the total number of hosts allowed in a network, deduct two as shown next:

  • A class C address (1 host octet: 8 host bits) can have 2^8 - 2, or 254 hosts.
  • A class B address (2 host octets: 16 host bits) can have 2^16 - 2, or 65534 hosts.
  • A class A address (3 host octets: 24 host bits) can have 2^24 - 2 hosts, or approximately 16 million hosts.

IP Address Classes and Network ID

The value of the first octet of an IP address determines the class of an IP address as already stated. These are the details of how that range is determined.

  • Class A addresses have a 0 in the leftmost bit.
  • Class B addresses have a 1 in the leftmost bit and a 0 in the next leftmost bit.
  • Class C addresses start with 1 1 0 in the first three leftmost bits.
  • Class D addresses begin with 1 1 1 0. Class D addresses are used for multicasting, which is used to send information to groups of computers.
  • There is also a class E. It is reserved for future use.

The following table shows the allowed ranges for the first octet of each class. This range determines the number of subnets you can have in a network.

Table 254 Allowed IP Address Range By Class

| CLASS | ALLOWED RANGE OF FIRST OCTET (BINARY) | ALLOWED RANGE OF FIRST OCTET (DECIMAL) |
| --- | --- | --- |
| Class A | 00000000 to 01111111 | 0 to 127 |
| Class B | 10000000 to 10111111 | 128 to 191 |
| Class C | 11000000 to 11011111 | 192 to 223 |
| Class D | 11100000 to 11101111 | 224 to 239 |
| Class E (reserved) | 11110000 to 11111111 | 240 to 255 |

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation).

A subnet mask has 32 bits. If a bit in the subnet mask is a "1" then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is "0" then the corresponding bit in the IP address is part of the host ID.

Subnet masks are expressed in dotted decimal notation just like IP addresses. The "natural" masks for class A, B and C IP addresses are as follows.

Table 255 "Natural" Masks

| CLASS | NATURAL MASK |
| --- | --- |
| A | 255.0.0.0 |
| B | 255.255.0.0 |
| C | 255.255.255.0 |

Subnetting

With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.

By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/” followed by the number of bits in the mask after the address.

For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128.

The following table shows all possible subnet masks for a class "C" address using both notations.

Table 256 Alternative Subnet Mask Notation

| SUBNET MASK | SUBNET MASK "1" BITS | LAST OCTET BIT VALUE | DECIMAL |
| --- | --- | --- | --- |
| 255.255.255.0 | /24 | 0000 0000 | 0 |
| 255.255.255.128 | /25 | 1000 0000 | 128 |
| 255.255.255.192 | /26 | 1100 0000 | 192 |
| 255.255.255.224 | /27 | 1110 0000 | 224 |
| 255.255.255.240 | /28 | 1111 0000 | 240 |
| 255.255.255.248 | /29 | 1111 1000 | 248 |
| 255.255.255.252 | /30 | 1111 1100 | 252 |

The first mask shown is the class "C" natural mask. Normally if no mask is specified it is understood that the natural mask is being used.

Example: Two Subnets

As an example, you have a class "C" address 192.168.1.0 with subnet mask of 255.255.255.0.

Table 257 Two Subnets Example

| IP/SUBNET MASK | NETWORK NUMBER | HOST ID |
| --- | --- | --- |
| IP Address | 192.168.1. | 0 |
| IP Address (Binary) | 11000000.10101000.00000001. | 00000000 |
| Subnet Mask | 255.255.255. | 0 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 00000000 |

The first three octets of the address make up the network number (class "C").

To make two networks, divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The "borrowed" host ID bit can be either "0" or "1", thus giving two subnets: 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128.


In the following charts, shaded/bolded last octet bit values indicate host ID bits "borrowed" to make network ID bits. The number of "borrowed" host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after "borrowing") determines the number of hosts you can have on each subnet.

Table 258 Subnet 1

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
| --- | --- | --- |
| IP Address | 192.168.1. | 0 |
| IP Address (Binary) | 11000000.10101000.00000001. | 00000000 |
| Subnet Mask | 255.255.255. | 128 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 10000000 |
| Subnet Address | 192.168.1.0 | Lowest Host ID: 192.168.1.1 |
| Broadcast Address | 192.168.1.127 | Highest Host ID: 192.168.1.126 |

Table 259 Subnet 2

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
| --- | --- | --- |
| IP Address | 192.168.1. | 128 |
| IP Address (Binary) | 11000000.10101000.00000001. | 10000000 |
| Subnet Mask | 255.255.255. | 128 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 10000000 |
| Subnet Address | 192.168.1.128 | Lowest Host ID: 192.168.1.129 |
| Broadcast Address | 192.168.1.255 | Highest Host ID: 192.168.1.254 |

Host IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2^7 - 2 or 126 hosts for each subnet.

192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The above example illustrated using a 25-bit subnet mask to divide a class "C" address space into two subnets. Similarly to divide a class "C" address into four subnets, you need to "borrow" two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 2^6-2 or 62 hosts for each subnet (all zeroes is the subnet itself, all ones is the broadcast address on the subnet).

Table 260 Subnet 1

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
| --- | --- | --- |
| IP Address | 192.168.1. | 0 |
| IP Address (Binary) | 11000000.10101000.00000001. | 00000000 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000 |
| Subnet Address | 192.168.1.0 | Lowest Host ID: 192.168.1.1 |
| Broadcast Address | 192.168.1.63 | Highest Host ID: 192.168.1.62 |

Table 261 Subnet 2

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
| --- | --- | --- |
| IP Address | 192.168.1. | 64 |
| IP Address (Binary) | 11000000.10101000.00000001. | 01000000 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000 |
| Subnet Address | 192.168.1.64 | Lowest Host ID: 192.168.1.65 |
| Broadcast Address | 192.168.1.127 | Highest Host ID: 192.168.1.126 |

Table 262 Subnet 3

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
| --- | --- | --- |
| IP Address | 192.168.1. | 128 |
| IP Address (Binary) | 11000000.10101000.00000001. | 10000000 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000 |
| Subnet Address | 192.168.1.128 | Lowest Host ID: 192.168.1.129 |
| Broadcast Address | 192.168.1.191 | Highest Host ID: 192.168.1.190 |

Table 263 Subnet 4

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
| --- | --- | --- |
| IP Address | 192.168.1. | 192 |
| IP Address (Binary) | 11000000.10101000.00000001. | 11000000 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000 |
| Subnet Address | 192.168.1.192 | Lowest Host ID: 192.168.1.193 |
| Broadcast Address | 192.168.1.255 | Highest Host ID: 192.168.1.254 |

Example Eight Subnets

Similarly use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111).

The following table shows class C IP address last octet values for each subnet.

Table 264 Eight Subnets

| SUBNET | SUBNET ADDRESS | FIRST ADDRESS | LAST ADDRESS | BROADCAST ADDRESS |
| --- | --- | --- | --- | --- |
| 1 | 0 | 1 | 30 | 31 |
| 2 | 32 | 33 | 62 | 63 |
| 3 | 64 | 65 | 94 | 95 |
| 4 | 96 | 97 | 126 | 127 |
| 5 | 128 | 129 | 158 | 159 |
| 6 | 160 | 161 | 190 | 191 |
| 7 | 192 | 193 | 222 | 223 |
| 8 | 224 | 225 | 254 | 255 |

The following table is a summary for class "C" subnet planning.

Table 265 Class C Subnet Planning

| NO. “BORROWED” HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET |
| --- | --- | --- | --- |
| 1 | 255.255.255.128 (/25) | 2 | 126 |
| 2 | 255.255.255.192 (/26) | 4 | 62 |
| 3 | 255.255.255.224 (/27) | 8 | 30 |
| 4 | 255.255.255.240 (/28) | 16 | 14 |
| 5 | 255.255.255.248 (/29) | 32 | 6 |
| 6 | 255.255.255.252 (/30) | 64 | 2 |
| 7 | 255.255.255.254 (/31) | 128 | 1 |

Subnetting With Class A and Class B Networks

For class "A" and class "B" addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.

A class “B” address has two host ID octets available for subnetting and a class “A” address has three host ID octets (see Table 253) available for subnetting.

The following table is a summary for class "B" subnet planning.

Table 266 Class B Subnet Planning

| NO. “BORROWED” HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET |
| --- | --- | --- | --- |
| 1 | 255.255.128.0 (/17) | 2 | 32766 |
| 2 | 255.255.192.0 (/18) | 4 | 16382 |
| 3 | 255.255.224.0 (/19) | 8 | 8190 |
| 4 | 255.255.240.0 (/20) | 16 | 4094 |
| 5 | 255.255.248.0 (/21) | 32 | 2046 |
| 6 | 255.255.252.0 (/22) | 64 | 1022 |
| 7 | 255.255.254.0 (/23) | 128 | 510 |
| 8 | 255.255.255.0 (/24) | 256 | 254 |
| 9 | 255.255.255.128 (/25) | 512 | 126 |
| 10 | 255.255.255.192 (/26) | 1024 | 62 |
| 11 | 255.255.255.224 (/27) | 2048 | 30 |
| 12 | 255.255.255.240 (/28) | 4096 | 14 |
| 13 | 255.255.255.248 (/29) | 8192 | 6 |
| 14 | 255.255.255.252 (/30) | 16384 | 2 |
| 15 | 255.255.255.254 (/31) | 32768 | 1 |
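The mask arithmetic described in this appendix (network number by logical AND, borrowing host bits, all-zeros and all-ones host IDs excluded), as an added example that is not part of the manual. It reproduces the two-, four- and eight-subnet examples and the class C and class B planning tables from the prefix length alone; the function names are my own, and it stops at /30 so that the 2^n - 2 rule always leaves assignable hosts.

```python
"""Subnet arithmetic from the manual's rules: a mask is a run of ones then zeros,
the network number is address AND mask, and the all-zeros and all-ones host IDs
are the subnet and broadcast addresses, so usable hosts = 2**host_bits - 2."""


def ip_to_int(dotted: str) -> int:
    """Parse dotted decimal into a 32-bit integer, rejecting malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/N notation to a 32-bit mask with N leading ones."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(dotted: str) -> int:
    """Dotted mask to prefix length; rejects masks whose ones are not contiguous."""
    mask = ip_to_int(dotted)
    prefix = bin(mask).count("1")
    if mask != mask_from_prefix(prefix):
        raise ValueError(f"not a run of ones followed by zeros: {dotted}")
    return prefix


def subnet_info(address: str, prefix: int) -> dict:
    """Subnet, broadcast, assignable range and host count for address/prefix."""
    if prefix > 30:
        raise ValueError("the all-zeros/all-ones rule needs at least two host bits")
    mask = mask_from_prefix(prefix)
    network = ip_to_int(address) & mask          # logical AND keeps the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all ones
    return {
        "subnet": int_to_ip(network),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "broadcast": int_to_ip(broadcast),
        "hosts": 2 ** (32 - prefix) - 2,
    }


def split_network(address: str, prefix: int, borrowed: int) -> list:
    """Borrow host bits to make 2**borrowed equal subnets, as in the manual's
    two-, four- and eight-subnet examples for a class C network."""
    if borrowed < 1:
        raise ValueError("borrow at least one host bit")
    new_prefix = prefix + borrowed
    base = ip_to_int(address) & mask_from_prefix(prefix)
    size = 2 ** (32 - new_prefix)                # addresses per subnet
    return [subnet_info(int_to_ip(base + i * size), new_prefix)
            for i in range(2 ** borrowed)]


def planning_rows(natural_prefix: int, max_borrowed: int) -> list:
    """Rows of (borrowed bits, dotted mask, subnets, hosts per subnet), i.e. the
    manual's class C (natural /24) and class B (natural /16) planning tables."""
    if natural_prefix + max_borrowed > 30:
        raise ValueError("keep at least two host bits per subnet")
    rows = []
    for borrowed in range(1, max_borrowed + 1):
        prefix = natural_prefix + borrowed
        rows.append((borrowed, int_to_ip(mask_from_prefix(prefix)),
                     2 ** borrowed, 2 ** (32 - prefix) - 2))
    return rows
```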

Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site.

  • Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
  • Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number.
  • Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers.
    - If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.
    - If the Protocol is USER, this is the IP protocol number.
  • Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.

Table 267 Commonly Used Services

| NAME | PROTOCOL | PORT(S) | DESCRIPTION |
| --- | --- | --- | --- |
| AH(IPSEC_TUNNEL) | User-Defined | 51 | The IPSEC AH (Authentication Header) tunneling protocol uses this service. |
| AIM/New-ICQ | TCP | 5190 | AOL's Internet Messenger service. It is also used as a listening port by ICQ. |
| AUTH | TCP | 113 | Authentication protocol used by some servers. |
| BGP | TCP | 179 | Border Gateway Protocol. |
| BOOTP_CLIENT | UDP | 68 | DHCP Client. |
| BOOTP_SERVER | UDP | 67 | DHCP Server. |
| CU-SEEME | TCP | 7648 | A popular videoconferencing solution from White Pines Software. |
|  | UDP | 24032 |  |
| DNS | TCP/UDP | 53 | Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers. |
| ESP(IPSEC_TUNNEL) | User-Defined | 50 | The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. |
| FINGER | TCP | 79 | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. |
| FTP | TCP | 20 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. |
|  | TCP | 21 |  |
| H.323 | TCP | 1720 | NetMeeting uses this protocol. |
| HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web. |
| HTTPS | TCP | 443 | HTTPS is a secured http session often used in e-commerce. |
| ICMP | User-Defined | 1 | Internet Control Message Protocol is often used for diagnostic or routing purposes. |
| ICQ | UDP | 4000 | This is a popular Internet chat program. |
| IGMP (MULTICAST) | User-Defined | 2 | Internet Group Multicast Protocol is used when sending packets to a specific group of hosts. |
| IKE | UDP | 500 | The Internet Key Exchange algorithm is used for key distribution and management. |
| IRC | TCP/UDP | 6667 | This is another popular Internet chat program. |
| MSN Messenger | TCP | 1863 | Microsoft Networks' messenger service uses this protocol. |
| NEW-ICQ | TCP | 5190 | An Internet chat program. |
| NEWS | TCP | 144 | A protocol for news groups. |
| NFS | UDP | 2049 | Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments. |
| NNTP | TCP | 119 | Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. |
| PING | User-Defined | 1 | Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. |
| POP3 | TCP | 110 | Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). |
| PPTP | TCP | 1723 | Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. |
| PPTP_TUNNEL (GRE) | User-Defined | 47 | PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel. |
| RCMD | TCP | 512 | Remote Command Service. |
| REAL-AUDIO | TCP | 7070 | A streaming audio service that enables real time sound over the web. |
| REXEC | TCP | 514 | Remote Execution Daemon. |
| RLOGIN | TCP | 513 | Remote Login. |
| RTELNET | TCP | 107 | Remote Telnet. |
| RTSP | TCP/UDP | 554 | The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. |
| SFTP | TCP | 115 | Simple File Transfer Protocol. |
| SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. |
| SNMP | TCP/UDP | 161 | Simple Network Management Program. |
| SNMP-TRAPS | TCP/UDP | 162 | Traps for use with the SNMP (RFC:1215). |
| SQL-NET | TCP | 1521 | Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. |
| SSH | TCP/UDP | 22 | Secure Shell Remote Login Program. |
| STRM WORKS | UDP | 1558 | Stream Works Protocol. |
| SYSLOG | UDP | 514 | Syslog allows you to send system logs to a UNIX server. |
| TACACS | UDP | 49 | Login Host Protocol used for TACACS (Terminal Access Controller Access Control System). |
| TELNET | TCP | 23 | Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. |
| TFTP | UDP | 69 | Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). |
| VDOLIVE | TCP | 7000 | Another videoconferencing solution. |

Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.

Figure 443 Peer-to-Peer Communication in an Ad-hoc Network

BSS

A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP).

Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.

Figure 444 Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).

This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.

Figure 445 Infrastructure WLAN

Channel

A channel is the radio frequency (or frequencies) used by IEEE 802.11a/b/g wireless devices. The channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.

Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from the channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11.

RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.

Figure 446 RTS/CTS


When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. The RTS/CTS threshold defines the largest data frame a station can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 and 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.


Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

Preamble is used to signal that data is coming to the receiver. Short and Long refer to the length of the synchronization field in a packet.

Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11b/g compliant wireless adapters support long preamble, but not all support short preamble.

Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.

Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications.

Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble.


The AP and the wireless adapters MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:

Table 268 IEEE 802.11g

| DATA RATE (MBPS) | MODULATION |
| --- | --- |
| 1 | DBPSK (Differential Binary Phase Shift Keyed) |
| 2 | DQPSK (Differential Quadrature Phase Shift Keying) |
| 5.5 / 11 | CCK (Complementary Code Keying) |
| 6/9/12/18/24/36/48/54 | OFDM (Orthogonal Frequency Division Multiplexing) |

Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.

Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity.

The following table shows the relative effectiveness of these wireless security methods available on your ZyWALL.

Table 269 Wireless Security Levels

| SECURITY LEVEL | SECURITY TYPE |
| --- | --- |
| Least Secure | Unique SSID (Default) |
|  | Unique SSID with Hide SSID Enabled |
|  | MAC Address Filtering |
|  | WEP Encryption |
|  | IEEE802.1x EAP with RADIUS Server Authentication |
|  | Wi-Fi Protected Access (WPA) |
| Most Secure | WPA2 |


You must enable the same wireless security settings on the ZyWALL and on all wireless clients that you want to associate with it.

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

  • User based identification that allows for roaming.
  • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
  • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

  • Authentication

Determines the identity of the users.

  • Authorization

Determines the network services available to authenticated users once they are connected to the network.

  • Accounting

Keeps track of the client's network activity.

RADIUS is a simple packet exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

  • Access-Request

Sent by an access point requesting authentication.

  • Access-Reject

Sent by a RADIUS server rejecting access.

  • Access-Accept

Sent by a RADIUS server allowing access.

  • Access-Challenge

Sent by a RADIUS server requesting more information in order to allow access. The access point obtains the requested information from the user and sends it in another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

  • Accounting-Request

Sent by the access point requesting accounting.

  • Accounting-Response

Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
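The Access-Request/Access-Accept exchange and the shared-secret protection just described, as an added example that is not part of the manual or of ZyXEL's code. It implements the packet layout, the User-Password hiding and the Response Authenticator check from RFC 2865 (the successor of the RFC 2138 the manual cites; both define them the same way); the user name, password and secret are constructed values and the function names are my own.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865 (successor of RFC 2138, which
# the manual cites); the layout and password hiding are the same in both.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """AP side: hide the User-Password attribute. Pad to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous block), the first 'previous
    block' being the 16-byte Request Authenticator. Only the XORed blocks are
    sent; the shared secret itself never leaves the AP."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding with the same secret, then drop the padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def encode_attributes(attrs) -> bytes:
    """Type-Length-Value encoding; the length byte counts type and length too."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attributes(body: bytes) -> list:
    """Walk the TLVs, rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(ident, request_auth, username, password, secret) -> bytes:
    """Access-Request relayed by the AP: Code, ID, Length, Request Authenticator,
    then User-Name and the hidden User-Password."""
    attrs = encode_attributes([(USER_NAME, username),
                               (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, attrs, secret) -> bytes:
    """Server reply (Accept, Reject or Challenge). Its Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which ties the
    reply to this request and to a server that holds the shared secret."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret) -> bool:
    """AP side: accept a reply only if its ID matches the outstanding request and
    its Response Authenticator checks out under the shared secret, so a forged
    Access-Accept from a host without the secret is dropped."""
    if len(response) < 20 or len(request) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """The exchange the manual describes, with constructed credentials: the AP
    hides the password, the server reveals it and answers Access-Accept, and
    the AP verifies that answer. Returns (revealed password, verified)."""
    secret = b"constructed-shared-secret"   # constructed value, not a real secret
    request = build_request(7, os.urandom(16), b"alice", b"correct horse", secret)
    server_view = dict(parse_attributes(request[20:]))
    revealed = reveal_password(server_view[USER_PASSWORD], secret, request[4:20])
    reply = build_response(ACCESS_ACCEPT, request, [], secret)
    return revealed, verify_response(reply, request, secret)
```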

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x.

For the EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called a digital ID) can be used to authenticate users; a CA issues certificates and guarantees the identity of each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client 'proves' that it knows the password by encrypting the password with the challenge and sending the result back. The password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certificates are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes the user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.

EAP-TTLS (Tunnelled Transport Layer Service)

EAP-TTLS is an extension of EAP-TLS authentication that uses a certificate only for server-side authentication to establish a secure connection. Client authentication is then done by sending the username and password through the secure connection, so the client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding the client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.


EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 270 Comparison of EAP Authentication Types

                            EAP-MD5   EAP-TLS   EAP-TTLS   PEAP       LEAP
Mutual Authentication       No        Yes       Yes        Yes        Yes
Certificate – Client        No        Yes       Optional   Optional   No
Certificate – Server        No        Yes       Yes        Yes        No
Dynamic Key Exchange        No        Yes       Yes        Yes        Yes
Credential Integrity        None      Strong    Strong     Strong     Moderate
Deployment Difficulty       Easy      Hard      Moderate   Moderate   Moderate
Client Identity Protection  No        No        Yes        Yes        No

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks, but it is still an improvement over WEP, as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP).

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP again and does not need to go through the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connected to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP and Funk Software's Odyssey client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Figure 447 WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
2 The AP checks each wireless client's password and (only) allows it to join the network if the password matches.
3 The AP and wireless clients use the pre-shared key to generate a common PMK (Pairwise Master Key).

4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.

Figure 448 WPA(2)-PSK Authentication
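Steps 1 and 3 above say that the AP and clients turn the pre-shared key into a common PMK. The following is an added example (not ZyXEL code, and not the ZyWALL's own implementation) showing how that derivation is defined in IEEE 802.11i: a passphrase of 8 to 63 printable ASCII characters is run through PBKDF2-HMAC-SHA1 with the SSID as the salt (4096 rounds, 256-bit output), while a 64-hex-digit key is used as the PMK directly. The SSID name and the passphrases in the usage section are constructed sample values.

```python
"""WPA(2)-PSK: validate a pre-shared key and derive the Pairwise Master Key.

Added illustration; not part of the ZyXEL manual or firmware.  The rules and
constants below (8-63 printable ASCII characters or 64 hex digits; PBKDF2 with
HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output) come from IEEE 802.11i.
"""
import hashlib
import hmac
import re

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def psk_kind(psk: str) -> str:
    """Classify a PSK as 'hex' (64 hex digits) or 'passphrase' (8-63 ASCII chars).

    Printable ASCII is 0x20-0x7E, which includes spaces and symbols as the manual
    states.  Anything else is rejected.
    """
    if len(psk) == 64 and HEX64.fullmatch(psk):
        return "hex"
    if 8 <= len(psk) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in psk):
        return "passphrase"
    raise ValueError("PSK must be 8-63 printable ASCII characters or 64 hex digits")


def derive_pmk(psk: str, ssid: str) -> bytes:
    """Return the 32-byte PMK shared by the AP and every client on this SSID.

    The SSID acts as the salt, so the same passphrase on two differently named
    networks yields two different PMKs.
    """
    if psk_kind(psk) == "hex":
        return bytes.fromhex(psk)          # raw 256-bit key, used as-is
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def pmk_matches(psk_client: str, psk_ap: str, ssid: str) -> bool:
    """Step 2 above: the client is admitted only if its PSK yields the AP's PMK.

    A constant-time comparison avoids leaking how many leading bytes agreed.
    """
    return hmac.compare_digest(derive_pmk(psk_client, ssid), derive_pmk(psk_ap, ssid))


if __name__ == "__main__":
    # "password" / "IEEE" is the published IEEE 802.11i test vector.
    print(derive_pmk("password", "IEEE").hex())
    # Constructed sample values: a matching and a mismatching client on SSID "office".
    print(pmk_matches("correct horse battery", "correct horse battery", "office"))
    print(pmk_matches("correct horse battery", "correct horse batterz", "office"))
```

Because the PMK is a deterministic function of the passphrase and SSID alone, every station on a WPA(2)-PSK network ends up with the same PMK; the per-session uniqueness the manual describes comes from the temporal keys derived from it afterwards, not from the PMK itself.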

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type. MAC address filters are not dependent on how you configure these security features.

Table 271 Wireless Security Relational Matrix

AUTHENTICATION METHOD /    ENCRYPTION   ENTER        IEEE 802.1X
KEY MANAGEMENT PROTOCOL    METHOD       MANUAL KEY
Open                       None         No           Disable
Open                       None         No           Enable without Dynamic WEP Key
Open                       WEP          No           Enable with Dynamic WEP Key
Open                       WEP          Yes          Enable without Dynamic WEP Key
Open                       WEP          Yes          Disable
Shared                     WEP          No           Enable with Dynamic WEP Key
Shared                     WEP          Yes          Enable without Dynamic WEP Key
Shared                     WEP          Yes          Disable
WPA                        TKIP/AES     No           Enable
WPA-PSK                    TKIP/AES     Yes          Disable
WPA2                       TKIP/AES     No           Enable
WPA2-PSK                   TKIP/AES     Yes          Disable

Roaming

An AP creates its own wireless coverage area. A wireless station can associate with a particular access point only if it is within the access point's coverage area.

In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.

The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from one coverage area to another, it scans and uses the channel of the new access point, which then informs the other access points on the LAN about the change. The new information is then propagated to the other access points on the LAN. An example is shown in Figure 449 on page 687.

If the roaming feature is not enabled on the access points, information is not communicated between the access points when a wireless station moves between coverage areas. The wireless station may not be able to communicate with other wireless stations on the network and vice versa.

Figure 449 Roaming Example

The steps below describe the roaming process.

1 Wireless station Y moves from the coverage area of access point AP 1 to that of access point AP 2.
2 Wireless station Y scans and detects the signal of access point AP 2.
3 Wireless station Y sends an association request to access point AP 2.
4 Access point AP 2 acknowledges the presence of wireless station Y and relays this information to access point AP 1 through the wired LAN.

Requirements for Roaming

The following requirements must be met in order for wireless stations to roam between the coverage areas.

1 All the access points must be on the same subnet and configured with the same ESSID.
2 If IEEE 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station.

3 The adjacent access points should use different radio channels when their coverage areas overlap.
4 All access points must use the same port number to relay roaming information.
5 The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment.

Antenna Overview

An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.

Positioning the antennas properly increases the range and coverage area of a wireless LAN.

Antenna Characteristics

Frequency

An antenna in the frequency of 2.4GHz (IEEE 802.11b) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN.

Radiation Pattern

A radiation pattern is a diagram that allows you to visualize the shape of the antenna's coverage area.

Antenna Gain

Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications.

For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1 dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment.

Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides.

Types of Antennas for WLAN

There are two types of antennas used for wireless LAN applications.

  • Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.

  • Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.

Positioning Antennas

In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance.

For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible.

For directional antennas, point the antenna in the direction of the desired coverage area.

Importing Certificates

This appendix shows examples of importing certificates using Internet Explorer 5.

Import ZyWALL Certificates into Netscape Navigator

In Netscape Navigator, you can permanently trust the ZyWALL's server certificate by importing it into your operating system as a trusted certification authority.

Select Accept This Certificate Permanently in the following screen to do this.

Figure 450 Security Certificate

Importing the ZyWALL's Certificate into Internet Explorer

For Internet Explorer to trust a self-signed certificate from the ZyWALL, simply import the self-signed certificate into your operating system as a trusted certification authority.

To have Internet Explorer trust a ZyWALL certificate issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certification authority.

The following example procedure shows how to import the ZyWALL's (self-signed) server certificate into your operating system as a trusted certification authority.

1 In Internet Explorer, double click the lock shown in the following screen.

Figure 451 Login Screen
2 Click Install Certificate to open the Install Certificate wizard.

Figure 452 Certificate General Information before Import
3 Click Next to begin the Install Certificate wizard.

Figure 453 Certificate Import Wizard 1

4 Select where you would like to store the certificate and then click Next.

Figure 454 Certificate Import Wizard 2

5 Click Finish to complete the Import Certificate wizard.

Figure 455 Certificate Import Wizard 3
6 Click Yes to add the ZyWALL certificate to the root store.

Figure 456 Root Certificate Store

Figure 457 Certificate General Information after Import

Enrolling and Importing SSL Client Certificates

The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL.

You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).

Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL's Trusted CA web configurator screen).

Figure 458 ZyWALL Trusted CA Screen

The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).

Installing the CA's Certificate

1 Double click the CA's trusted certificate to produce a screen similar to the one shown next.

Figure 459 CA Certificate Example
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.

Installing Your Personal Certificate(s)

You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.

1 Click Next to begin the wizard.

Figure 460 Personal Certificate Import Wizard 1

2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.

Figure 461 Personal Certificate Import Wizard 2
3 Enter the password given to you by the CA.

Figure 462 Personal Certificate Import Wizard 3
4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.

Figure 463 Personal Certificate Import Wizard 4
5 Click Finish to complete the wizard and begin the import process.

Figure 464 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.

Figure 465 Personal Certificate Import Wizard 6

Using a Certificate When Accessing the ZyWALL Example

Use the following procedure to access the ZyWALL via HTTPS.

1 Enter https://<ZyWALL IP Address>/ in your browser's web address field.

Figure 466 Access the ZyWALL Via HTTPS

2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example.

Figure 467 SSL Client Authentication

3 You next see the ZyWALL login screen.

Figure 468 ZyWALL Secure Login Screen

Command Interpreter

The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.


Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.

Command Syntax

  • The command keywords are in courier new font.
  • Enter the command keywords exactly as shown, do not abbreviate.
  • The required fields in a command are enclosed in angle brackets < >.
  • The optional fields in a command are enclosed in square brackets [ ] .
  • The | symbol means or.

For example,

sys filter netbios config <type> <on|off>

means that you must specify the type of netbios filter and whether to turn it on or off.

Command Usage

A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.

Command Examples

This section provides some examples of commands you can use on the ZyWALL. See the other appendices for more examples.

Configuring What You Want the ZyWALL to Log

1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
2 Use sys logs category to view a list of the log categories.

Figure 469 Displaying Log Categories Example

ras>sys logs category  
8021x access attack display  
error icmp ike ipsec  
javablocked mten packetfilter ppp  
cdr pki TLS remote  
tcpreset traffic upnp urlblocked  
urlforward wireless 

3 Use sys logs category followed by a log category to display the parameters that are available for the category.

Figure 470 Displaying Log Parameters Example

ras> sys logs category access  
Usage: [0:none/1:log/2:alert/3:both] [0:don't show debug type/1:show debug type] 

4 Use sys logs category followed by a log category and a parameter to decide what to record.

Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category. Not every parameter is available with every category.

5 Use the sys logs save command to store the settings in the ZyWALL (you must do this in order to record logs).

Displaying Logs

  • Use the sys logs display command to show all of the logs in the ZyWALL's log.
  • Use the sys logs category display command to show the log settings for all of the log categories.
  • Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category.
  • Use the sys logs clear command to erase all of the ZyWALL's logs.

Log Command Example

This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.

ras>sys logs load
ras>sys logs category access 3
ras>sys logs save
ras>sys logs display access
#.time source destination notes message
0|06/08/2004 05:58:21 |172.21.4.154 |224.0.1.24 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
1|06/08/2004 05:58:20 |172.21.3.56 |239.255.255.250 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
2|06/08/2004 05:58:20 |172.21.0.2 |239.255.255.254 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
3|06/08/2004 05:58:20 |172.21.3.191 |224.0.1.22 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
4|06/08/2004 05:58:20 |172.21.0.254 |224.0.0.1 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
5|06/08/2004 05:58:20 |172.21.4.187:137 |172.21.255.255:137 ACCESS BLOCK Firewall default policy: UDP (W to W/ZW)
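The lines that sys logs display access prints have a fixed shape (index, timestamp, source, destination, an ACCESS verdict, and the firewall message), which makes them easy to pull into a log pipeline. The following is an added example, not ZyXEL code: a small Python parser that turns that output into records and counts blocked flows by protocol and source host. The sample text is the output shown in the log command example above, embedded here as a constructed string; the field names chosen for the records are this example's own.

```python
"""Parse ZyWALL 'sys logs display access' output into structured records.

Added illustration (not ZyXEL code).  SAMPLE_OUTPUT reproduces the lines from
the log command example; the record field names are this example's choice.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_OUTPUT = """\
#.time source destination notes message
0|06/08/2004 05:58:21 |172.21.4.154 |224.0.1.24 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
1|06/08/2004 05:58:20 |172.21.3.56 |239.255.255.250 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
2|06/08/2004 05:58:20 |172.21.0.2 |239.255.255.254 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
3|06/08/2004 05:58:20 |172.21.3.191 |224.0.1.22 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
4|06/08/2004 05:58:20 |172.21.0.254 |224.0.0.1 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW)
5|06/08/2004 05:58:20 |172.21.4.187:137 |172.21.255.255:137 ACCESS BLOCK Firewall default policy: UDP (W to W/ZW)
"""

# index | "mm/dd/yyyy hh:mm:ss" | source | destination ACCESS <verdict> <message>
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\|(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|"
    r"(?P<src>\S+) \|(?P<dst>\S+) (?P<notes>ACCESS \w+) (?P<msg>.*)$"
)
PROTO_RE = re.compile(r"policy:\s*(\w+)")   # "policy:IGMP" or "policy: UDP"
DIR_RE = re.compile(r"\(([^)]*)\)\s*$")      # trailing "(W to W/ZW)"


def split_endpoint(endpoint):
    """'172.21.4.187:137' -> ('172.21.4.187', 137); an address without a port -> (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_access_log(text):
    """Return one dict per log line; the header and unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        proto = PROTO_RE.search(m["msg"])
        direction = DIR_RE.search(m["msg"])
        records.append({
            "index": int(m["idx"]),
            "time": datetime.strptime(m["time"], "%m/%d/%Y %H:%M:%S"),
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "action": m["notes"],                      # e.g. "ACCESS BLOCK"
            "protocol": proto.group(1) if proto else None,
            "direction": direction.group(1) if direction else None,
            "message": m["msg"],
        })
    return records


def summarize(records):
    """Quick triage view: how many blocks, and which protocols and sources caused them."""
    blocked = [r for r in records if r["action"] == "ACCESS BLOCK"]
    return {
        "total": len(records),
        "blocked": len(blocked),
        "by_protocol": dict(Counter(r["protocol"] for r in blocked)),
        "by_source": dict(Counter(r["src_ip"] for r in blocked)),
    }


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_OUTPUT)
    for r in recs:
        print(r["time"], r["src_ip"], "->", r["dst_ip"], r["protocol"], r["action"])
    print(summarize(recs))
```

With the sample above, summarize reports five IGMP blocks and one UDP block (the NetBIOS name-service broadcast on port 137), all under the firewall's default policy; a run of such records from one source is the kind of thing worth a closer look before deciding whether a rule is missing or a host is misbehaving.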

Routing Command

Syntax: ip nat routing [0:LAN|1:DMZ|2:WLAN] [0:no|1:yes]

Use this command to set the ZyWALL to route traffic that does not match a NAT rule through a specific interface. An example of when you may want to use this is if you have servers with public IP addresses connected to the LAN, DMZ or WLAN. By default the ZyWALL routes traffic that does not match a NAT rule out through the DMZ interface.

The following command example sets the ZyWALL to route traffic that does not match a NAT rule through the WLAN interface.

Figure 471 Routing Command Example

ras>ip nat routing 2 1
Routing can work in NAT when no NAT rule match. LAN: no DMZ: yes WLAN: yes 

ARP Behavior and the ARP ackGratuitous Commands

The ZyWALL does not accept ARP reply information if the ZyWALL did not send out a corresponding request. This helps prevent the ZyWALL from updating its ARP table with an incorrect IP address to MAC address mapping due to a spoofed ARP. An incorrect IP to MAC address mapping in the ZyWALL's ARP table could cause the ZyWALL to send packets to the wrong device.

Commands for Using or Ignoring Gratuitous ARP Requests

A host can send an ARP request to resolve its own IP address. This is called a gratuitous ARP request. The packet uses the host's own IP address as the source and destination IP address. The packet uses the Ethernet broadcast address (FF:FF:FF:FF:FF:FF) as the destination MAC address. This is used to determine if any other hosts on the network are using the same IP address as the sending host. The other hosts in the network can also update their ARP table IP address to MAC address mappings with this host's MAC address.

The ip arp ackGratuitous commands set how the ZyWALL handles gratuitous ARP requests.

  • Use ip arp ackGratuitous active no to have the ZyWALL ignore gratuitous ARP requests.
  • Use ip arp ackGratuitous active yes to have the ZyWALL respond to gratuitous ARP requests.

For example, say the regular gateway goes down and a backup gateway sends a gratuitous ARP request. If the request is for an IP address that is not already in the ZyWALL's ARP table, the ZyWALL sends an ARP request to ask which host is using the IP address. After the ZyWALL receives a reply from the backup gateway, it adds an ARP table entry.

If the ZyWALL's ARP table already has an entry for the IP address, the ZyWALL's response depends on how you configure the ip arp ackGratuitous forceUpdate command.

  • Use ip arp ackGratuitous forceUpdate on to have the ZyWALL update the MAC address in the ARP entry.
  • Use ip arp ackGratuitous forceUpdate off to have the ZyWALL not update the MAC address in the ARP entry.

A backup gateway (as in the following graphic) is an example of when you might want to turn on the forced update for gratuitous ARP requests. One day gateway A shuts down and the backup gateway (B) comes online using the same static IP address as gateway A. Gateway B broadcasts a gratuitous ARP request to ask which host is using its IP address. If ackGratuitous is on and set to force updates, the ZyWALL receives the gratuitous ARP request and updates its ARP table. This way the ZyWALL has a correct gateway ARP entry to forward packets through the backup gateway. If ackGratuitous is off or not set to force updates, the ZyWALL will not update the gateway ARP entry and cannot forward packets through gateway B.

Figure 472 Backup Gateway

Updating the ARP entries could increase the danger of spoofing attacks. It is only recommended that you turn on ackGratuitous and force update if you need it, as in the previous backup gateway example. Turning on the force updates option is more dangerous than leaving it off because the ZyWALL updates the ARP table even when there is an existing entry.
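The behaviour described in this section amounts to a small decision table: unsolicited replies are dropped, gratuitous requests are ignored unless active is yes, an unknown address triggers a real ARP request before anything is learned, and a known address is overwritten only with forceUpdate on. The following is an added model of that table in Python, not ZyXEL code and not the ZyWALL's implementation. The class name, the method names, the result strings and the sample addresses and MACs in the backup-gateway scenario are all this example's own assumptions, chosen to make the four outcomes (and the spoofing exposure of force update) visible.

```python
"""Model of the ZyWALL gratuitous-ARP handling described above.

Added illustration; not ZyXEL code.  Names and return strings are this
example's own.  'active' stands for 'ip arp ackGratuitous active yes|no' and
'force_update' for 'ip arp ackGratuitous forceUpdate on|off'.
"""
from dataclasses import dataclass, field


@dataclass
class ArpTable:
    active: bool = False                 # respond to gratuitous ARP requests?
    force_update: bool = False           # overwrite an existing entry?
    entries: dict = field(default_factory=dict)      # ip -> mac
    pending: set = field(default_factory=set)        # ips we have asked about
    sent_requests: list = field(default_factory=list)

    def on_reply(self, ip, mac):
        """An ARP reply is accepted only if it answers a request we sent."""
        if ip not in self.pending:
            return "ignored-unsolicited"             # spoofed-reply protection
        self.pending.discard(ip)
        self.entries[ip] = mac
        return "learned"

    def on_gratuitous_request(self, ip, mac):
        """Handle a gratuitous ARP request (sender IP == target IP)."""
        if not self.active:
            return "ignored"
        if ip not in self.entries:
            # Unknown address: ask who owns it rather than trusting the claim.
            self.pending.add(ip)
            self.sent_requests.append(ip)
            return "requested"
        if self.force_update:
            self.entries[ip] = mac                   # existing entry overwritten
            return "updated"
        return "kept"                                # existing entry preserved


def backup_gateway_scenario(force_update):
    """Gateway A (mac_a) is known; gateway B takes over A's IP and announces it.

    Returns the MAC the ZyWALL would forward through afterwards.  The addresses
    are constructed sample values.
    """
    gw_ip, mac_a, mac_b = "192.0.2.1", "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    table = ArpTable(active=True, force_update=force_update)
    table.on_gratuitous_request(gw_ip, mac_a)        # first sight of A: request...
    table.on_reply(gw_ip, mac_a)                     # ...then learn from A's reply
    table.on_gratuitous_request(gw_ip, mac_b)        # B announces the same IP
    return table.entries[gw_ip]


if __name__ == "__main__":
    print("forceUpdate off ->", backup_gateway_scenario(False))
    print("forceUpdate on  ->", backup_gateway_scenario(True))
```

The same code path that lets gateway B take over is the one a spoofed gratuitous request would use, which is why the manual advises leaving force update off unless the backup-gateway case actually applies.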

Managing the Bandwidth of VPN Traffic

Syntax: bm vpnTraffic [on|off]

By default the ZyWALL uses the inner source and destination IP addresses of VPN packets in managing the bandwidth of the VPN traffic. This means that it looks at the IP address of the computer that sent the packets and the IP address of the computer to which it is sending the packets. The following figure shows an example of this. The ZyWALL uses the IP addresses of computers A and B to manage the bandwidth of the VPN traffic for their respective IPSec SA.

Figure 473 Managing the Bandwidth of an IPSec SA

Use on with this command to set the ZyWALL to use the outer source and destination IP addresses of VPN packets in managing the bandwidth of the VPN traffic. These are the IP addresses of the ZyWALL and the remote IPSec router. The following figure shows an example of this. The ZyWALL uses the IP addresses of the ZyWALL (X in the figure) and remote IPSec router (Y) to manage the bandwidth of the VPN traffic for the IKE SA.

Figure 474 Managing the Bandwidth of an IKE SA

How you configure this command affects how you can implement bandwidth management as follows.

  • Leave this command set to off to be able to create bandwidth management groups for individual phase 2 IPSec SAs that are connecting through the same remote IPSec router. With this setting you can also specify the type of traffic either using the service list (like SIP or FTP) or by specifying port numbers.
  • Use bm vpnTraffic on to be able to create a single bandwidth management group that includes all of the phase 2 IPSec SAs that are connecting through the same remote IPSec router. With this setting the bandwidth management applies to ESP or AH packets, so you can only specify IP addresses. You cannot specify a service or port numbers.

Setting the Key Length for Phase 2 IPSec AES Encryption

Syntax: ipsec ipsecConfig encryKeyLen <0:128 | 1:192 | 2:256>

By default the ZyWALL uses a 128 bit AES encryption key for phase 2 IPSec tunnels. Use this command to edit an existing VPN rule to use a longer AES encryption key.

See the following example. Say VPN rule one uses AES for the phase 2 encryption and you want it to use 192 bit encryption.

  • The first line starts editing VPN rule one.
  • The second line sets VPN rule one to use 192 bit AES for the phase 2 encryption.
  • The third line displays the results.

Figure 475 Routing Command Example
ras> ipsec ipsecEdit 1
ras> ipsec ipsecConfig encryKeyLen 1
ras> ipsec ipsecDisplay
-------- IPSec Setup
Index # = 1 Active = No Multi Pro = No Protocol = 0 Global SW = 0 xA
Bound IKE 9999 NailUp = No Netbios = No Name = test
ControlPing = No LogControlPing = No Control ping address = 0.0.0.0 Local: Addr Type = SINGLE Port Start = 0 End = N/A
IP Addr Start = 0.0.0.0 Mask = N/A
Remote: Addr Type = SINGLE Port Start = 0 End = N/A
IP Addr Start = 0.0.0.0 Mask = N/A
Enable Replay Detection = No Key Management = IKE
Phase 2 - Active Protocol = ESP
Encryption Algorithm = AES Authentication Algorithm = SHA1
Encryption Key Length = 192 SA Life Time (Seconds) = 28800 Encapsulation = Tunnel Perfect Forward Secrecy (PFS) = None
ras>

NetBIOS Filter Commands

The following describes the NetBIOS packet filter commands. See Appendix I on page 701 for information on the command structure.

Introduction

NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.

For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.

You can configure NetBIOS filters to do the following:

  • Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN.
  • Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN.
  • Allow or disallow the sending of NetBIOS packets from the WAN to the DMZ and from the DMZ to the WAN.
  • Allow or disallow the sending of NetBIOS packets through VPN connections.
  • Allow or disallow NetBIOS packets to initiate calls.

Display NetBIOS Filter Settings

Syntax: sys filter netbios disp

This command gives a read-only list of the current NetBIOS filter modes for the ZyWALL.

NetBIOS Display Filter Settings Command Example

Between LAN and WAN: Block
Between LAN and DMZ: Block
Between WAN and DMZ: Block
IPSec Packets: Forward
Trigger Dial: Disabled

The filter types and their default settings are as follows.

Table 272 NetBIOS Filter Default Settings

NAME | DESCRIPTION | EXAMPLE
Between LAN and WAN | This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. | Block
Between LAN and DMZ | This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the DMZ. | Block
Between WAN and DMZ | This field displays whether NetBIOS packets are blocked or forwarded between the WAN and the DMZ. | Block
IPSec Packets | This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded. | Forward
Trigger dial | This field displays whether NetBIOS packets are allowed to initiate calls. Disabled means that NetBIOS packets are blocked from initiating calls. | Disabled

NetBIOS Filter Configuration

Syntax: sys filter netbios config <type> <on|off>

where

<type> = Identify which NetBIOS filter (numbered 0-3) to configure.

0 = Between LAN and WAN

1 = Between LAN and DMZ

2 = Between WAN and DMZ

3 = IPSec packet pass through

4 = Trigger Dial

<on|off> = For type 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets.

For type 3, use on to block NetBIOS packets from being sent through a VPN connection. Use off to allow NetBIOS packets to be sent through a VPN connection.

For type 4, use on to allow NetBIOS packets to initiate dial backup calls. Use off to block NetBIOS packets from initiating dial backup calls.

Example commands

sys filter netbios config 0 on   This command blocks LAN to WAN and WAN to LAN NetBIOS packets.

sys filter netbios config 1 off   This command forwards LAN to DMZ and DMZ to LAN NetBIOS packets.

sys filter netbios   This command blocks IPSec NetBIOS packets.

sys filter netbios config 4 off   This command stops NetBIOS packets from initiating calls.
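As an added example (not ZyXEL's code), the following Python script parses a sys filter netbios disp listing, compares it against a block-everything baseline and prints the sys filter netbios config commands that would bring the device back into line. It assumes the five-line display format shown above, the <type> <on|off> argument order seen in the example commands, and that type 2 (WAN/DMZ) follows the same on = block convention as types 0 and 1, which the manual only spells out for 0 and 1. The sample listing is constructed for the example.

```python
"""Audit a ZyWALL 'sys filter netbios disp' listing against a block-everything
baseline and emit the 'sys filter netbios config' commands needed to reach it.

Added example, not ZyXEL code. Assumptions: the display output has the five
'Name: Value' lines shown in the manual, the config command takes
'<type> <on|off>' as in the manual's examples, and type 2 (WAN/DMZ) follows
the same on = block convention as types 0 and 1.
"""
import re

# Filter name as displayed -> type number used by 'sys filter netbios config <type> ...'
FILTER_TYPES = {
    "Between LAN and WAN": 0,
    "Between LAN and DMZ": 1,
    "Between WAN and DMZ": 2,
    "IPSec Packets": 3,
    "Trigger Dial": 4,
}

# Hardened baseline: block NetBIOS on every path and never let it trigger a call.
BASELINE = {
    "Between LAN and WAN": "Block",
    "Between LAN and DMZ": "Block",
    "Between WAN and DMZ": "Block",
    "IPSec Packets": "Block",
    "Trigger Dial": "Disabled",
}

# Constructed sample of 'sys filter netbios disp' output with three weak settings.
SAMPLE_DISP = """\
Between LAN and WAN: Block
Between LAN and DMZ: Forward
Between WAN and DMZ: Block
IPSec Packets: Forward
Trigger Dial: Enabled
"""

LINE_RE = re.compile(r"^\s*(?P<name>[A-Za-z /]+?)\s*:\s*(?P<value>\w+)\s*$")


def parse_disp(text):
    """Return {filter name: value} from the display output; unknown lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("name") in FILTER_TYPES:
            settings[m.group("name")] = m.group("value")
    return settings


def desired_switch(name, value):
    """Map a desired display value to the on/off argument of the config command.
    Types 0-3: on = block.  Type 4 (Trigger Dial): on = allow NetBIOS to initiate calls."""
    if name == "Trigger Dial":
        return "on" if value == "Enabled" else "off"
    return "on" if value == "Block" else "off"


def audit(text, baseline=BASELINE):
    """Return (findings, commands): filters that deviate from the baseline, as
    (name, actual, wanted) tuples, and the CLI commands that would fix each one.
    A filter missing from the listing is reported with actual = None."""
    current = parse_disp(text)
    findings, commands = [], []
    for name, wanted in baseline.items():
        actual = current.get(name)
        if actual != wanted:
            findings.append((name, actual, wanted))
            commands.append(
                f"sys filter netbios config {FILTER_TYPES[name]} {desired_switch(name, wanted)}"
            )
    return findings, commands


if __name__ == "__main__":
    findings, commands = audit(SAMPLE_DISP)
    for name, actual, wanted in findings:
        print(f"{name}: is {actual}, baseline {wanted}")
    print("\n".join(commands))
```

Paste the real output of sys filter netbios disp into audit() to get the list of deviations; a site that relies on NetBIOS over the VPN would change the IPSec Packets entry of BASELINE to Forward rather than accept the generated command blindly.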

Brute-Force Password Guessing Protection

Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered.

The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See Appendix I on page 701 for information on the command structure.

Table 273 Brute-Force Password Guessing Protection Commands

COMMAND | DESCRIPTION
sys pwderrtm | This command displays the brute-force guessing password protection settings.
sys pwderrtm 0 | This command turns off the password's protection from brute-force guessing. The brute-force password guessing protection is turned off by default.
sys pwderrtm N | This command sets the password protection to block all access attempts for N (a number from 1 to 60) minutes after the third time an incorrect password is entered.

Example

sys pwderrtm 5

This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered.
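The lockout rule above, as an added Python model that is not part of the manual: after the third wrong password every attempt, right or wrong, is refused until N minutes have passed, and N = 0 (the default) leaves guessing unthrottled. How the error counter restarts after a lockout and the guesses-per-day estimate are assumptions made here to show why the setting matters; the class and function names are the example's own.

```python
"""Model of the ZyWALL 'sys pwderrtm N' behaviour: after the third wrong
password, all access attempts are refused for N minutes; N = 0 disables it.

Added example, not ZyXEL code. The counter reset after a lockout and the
guesses-per-day estimate are assumptions; the manual only states the
three-strikes / N-minute rule.
"""
import hmac
import time


class PasswordGuard:
    """Tracks wrong passwords and enforces the N-minute wait after the third one."""

    def __init__(self, password, wait_minutes=0, max_errors=3):
        self.password = password
        self.wait_seconds = wait_minutes * 60  # 0 means protection is off
        self.max_errors = max_errors
        self.errors = 0
        self.blocked_until = 0.0  # epoch seconds; 0 means not blocked

    def attempt(self, candidate, now=None):
        """Return 'ok', 'wrong' or 'blocked' for one login attempt at time `now`."""
        now = time.time() if now is None else now
        if now < self.blocked_until:
            return "blocked"  # all attempts refused while the wait runs, even correct ones
        if hmac.compare_digest(candidate, self.password):
            self.errors = 0
            return "ok"
        self.errors += 1
        if self.wait_seconds and self.errors >= self.max_errors:
            self.blocked_until = now + self.wait_seconds
            self.errors = 0  # assumption: counting starts over once the wait expires
            return "blocked"
        return "wrong"


def guesses_per_day(wait_minutes, max_errors=3):
    """Upper bound on online guesses per day under this setting (None = unbounded).
    Assumes an attacker who retries the moment each wait expires."""
    if wait_minutes <= 0:
        return None
    return max_errors * 24 * 60 // wait_minutes


if __name__ == "__main__":
    # Constructed timeline (seconds) for a guard with a five-minute wait.
    guard = PasswordGuard("s3cret", wait_minutes=5)
    for t, pw in [(0, "a"), (1, "b"), (2, "c"), (3, "s3cret"), (302, "s3cret")]:
        print(f"t={t:>3}s {pw!r:10} -> {guard.attempt(pw, now=t)}")
    for n in (0, 5, 60):
        print(f"sys pwderrtm {n}: at most {guesses_per_day(n)} guesses/day")
```

With the default of 0 the bound is unbounded; even the minimum setting of 1 minute caps an online guesser at a few thousand tries a day, and the maximum of 60 minutes at 72.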

Copyright © 2007 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

  • This device may not cause harmful interference.
  • This device must accept any interference received, including interference that may cause undesired operations.

This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4 Consult the dealer or an experienced radio/TV technician for help.


FCC Radiation Exposure Statement

  • This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
  • For operation within the 5.15 to 5.25 GHz frequency range, it is restricted to indoor environments.
  • IEEE 802.11b or 802.11g operation of this product in the U.S.A. is firmware-limited to channels 1 through 11.
  • To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.

Caution!

According to the Administrative Regulations on Low Power Radio Waves Radiated Devices

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France.

This Class B digital apparatus complies with Canadian ICES-003.

Viewing Certifications

1 Go to http://www.zyxel.com.
2 Select your product on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.

To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.

Customer Support

Please have the following information ready when you contact customer support.

Required Information

  • Product model and serial number.
  • Warranty Information.
  • Date that you received your device.
  • Brief description of the problem and the steps you took to solve it.

Corporate Headquarters (Worldwide)

  • Support E-mail: support@zyxel.com.tw
    Sales E-mail: sales@zyxel.com.tw
    Telephone: +886-3-578-3942
    Fax: +886-3-578-2439
  • Web Site: www.zyxel.com, www.europe.zyxel.com
  • FTP Site: ftp.zyxel.com, ftp.europe.zyxel.com
  • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

Costa Rica

  • Support E-mail: soporte@zyxel.co.cr
    Sales E-mail: sales@zyxel.co.cr
    Telephone: +506-2017878
    Fax: +506-2015098
  • Web Site: www.zyxel.co.cr
  • FTP Site: ftp.zyxel.co.kr
  • Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica

Czech Republic

  • E-mail: info@cz.zyxel.com
    Telephone: +420-241-091-350
    Fax: +420-241-091-359
    Web Site: www.zyxel.cz
  • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika

Denmark

  • Support E-mail: support@zyxel.dk
    Sales E-mail: sales@zyxel.dk
    Telephone: +45-39-55-07-00
    Fax: +45-39-55-07-07
    Web Site: www.zyxel.dk
  • Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

Finland

  • Support E-mail: support@zyxel.fi
    Sales E-mail: sales@zyxel.fi
    Telephone: +358-9-4780-8411
    Fax: +358-9-4780 8448
    Web Site: www.zyxel.fi
  • Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

France

  • E-mail: info@zyxel.fr
    Telephone: +33-4-72-52-97-97
    Fax: +33-4-72-52-19-20
    Web Site: www.zyxel.fr
  • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

Germany

  • Support E-mail: support@zyxel.de
    Sales E-mail: sales@zyxel.de
    Telephone: +49-2405-6909-0
    Fax: +49-2405-6909-99
    Web Site: www.zyxel.de
  • Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany

Hungary

  • Support E-mail: support@zyxel.hu
    Sales E-mail: info@zyxel.hu
    Telephone: +36-1-3361649
    Fax: +36-1-3259100
    Web Site: www.zyxel.hu
  • Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary

Kazakhstan

  • Support: http://zyxel.kz/support
    Sales E-mail: sales@zyxel.kz
    Telephone: +7-3272-590-698
    Fax: +7-3272-590-689
    Web Site: www.zyxel.kz
  • Regular Mail: ZyXEL Kazakhstan, 43, Dostyk ave., Office 414, Dostyk Business Centre, 050010, Almaty, Republic of Kazakhstan

North America

  • Support E-mail: support@zyxel.com
  • Sales E-mail: sales@zyxel.com
    Telephone: +1-800-255-4101, +1-714-632-0882
    Fax: +1-714-632-0858
    Web Site: www.us.zyxel.com
  • FTP Site: ftp.us.zyxel.com
  • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

Norway

  • Support E-mail: support@zyxel.no
    Sales E-mail: sales@zyxel.no
    Telephone: +47-22-80-61-80
    Fax: +47-22-80-61-81
    Web Site: www.zyxel.no
  • Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

Poland

  • E-mail: info@pl.zyxel.com
    Telephone: +48 (22) 333 8250
    Fax: +48 (22) 333 8251
    Web Site: www.pl.zyxel.com
  • Regular Mail: ZyXEL Communications, ul. Okrzej 1A, 03-715 Warszawa, Poland

Russia

  • Support: http://zyxel.ru/support
    Sales E-mail: sales@zyxel.ru
    Telephone: +7-095-542-89-29
    Fax: +7-095-542-89-25
    Web Site: www.zyxel.ru
  • Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow, 117279, Russia

Spain

  • Support E-mail: support@zyxel.es
    Sales E-mail: sales@zyxel.es
    Telephone: +34-902-195-420
    Fax: +34-913-005-345
    Web Site: www.zyxel.es
  • Regular Mail: ZyXEL Communications, Arte, 215^a planta, 28033 Madrid, Spain

Sweden

  • Support E-mail: support@zyxel.se
    Sales E-mail: sales@zyxel.se
    Telephone: +46-31-744-7700
    Fax: +46-31-744-7701
    Web Site: www.zyxel.se
  • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

Ukraine

  • Support E-mail: support@ua.zyxel.com
    Sales E-mail: sales@ua.zyxel.com
    Telephone: +380-44-247-69-78
    Fax: +380-44-494-49-32
    Web Site: www.ua.zyxel.com
  • Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev, 04050, Ukraine

United Kingdom

  • Support E-mail: support@zyxel.co.uk
    Sales E-mail: sales@zyxel.co.uk
  • Telephone: +44-1344 303044, 08707 555779 (UK only)
    Fax: +44-1344 303034
    Web Site: www.zyxel.co.uk
    FTP Site: ftp.zyxel.co.uk
  • Regular Mail: ZyXEL Communications UK, Ltd.,11 The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)

“+” is the (prefix) number you dial to make an international telephone call.

Index

Numerics

3G

introduction 152

3G. see third generation 152

9600 baud 469

AT command 485, 586

authentication 524

authentication algorithms 261, 267

and active protocol 261

Authentication Header. See AH.

authentication protocol 488, 494, 524

authentication type 155

CHAP 155

PAP 155

A

Access point

See also AP.

access point 173

active protocol 273

AH 273

and encapsulation 274

ESP 273

Address Assignment 371

address assignment 141

Advanced Encryption Standard

See AES.

AES 684

AH 273

and transport mode 274

ALG 415

RTP 416

SIP 418

STUN 418

allocated budget 488, 524

alternative subnet mask notation 665

antenna

directional 689

gain 688

omni-directional 689

anti-probing 220

AP 173

See also access point.

AP (access point) 677

AP. see Access Point Name 154

Application Layer Gateway. See ALG.

Applications 52

broadband connection 52

applications 52

asymmetrical routes 211

vs virtual interfaces 211

B

backup configuration 464, 586

TFTP 588

bandwidth class 355

bandwidth filter 355

bandwidth management 355

address type 366

bandwidth borrowing 359

bandwidth class 355

bandwidth filter 355, 366

class configuration 364

class setup 363

fairness-based scheduler 357

maximize bandwidth usage 357, 362

monitor 368

priority-based scheduler 357

proportional allocation 356

root class 363

schedule 357, 362

statistics 367

sub-class layers 363

Basic Service Set, See BSS 675

baud 469

BPDU 126

bridge firewall 62, 127, 458, 460

Bridge Protocol Data Unit. See BPDU.

broadcast 115

BSS 675

budget 524

budget management 601

C

CA 297, 682

call back delay 487

call control 601

call history 602

call scheduling 619

max number of schedule sets 619

PPPoE 621

precedence 619

setting up a schedule 620

call-triggering packet 581

certificate 270

Certificate Authority

See CA.

certificates 297

and IKE SA 263

CA 297

thumbprint algorithms 298

thumbprints 298

verifying fingerprints 298

Certification Authority. See CA.

certifications 713

notices 714

viewing 715

changing the password 474

Channel

ID 186

channel 174, 677

interference 677

CHAP 488, 494, 524

CNM 402

command interpreter mode 599

command line 587

commands

FTP 587

computer names 116, 118

configuration backup 464, 586

TFTP 588

configuration restore 464, 590

via console port 597

connection ID/name 525

console port 469, 575

configuration upload 597

data bits 469

file backup 589

file upload 596

flow control 469

parity 469

restoring files 592

settings 469

speed 575, 576

stop bit 469

contact information 717

content filter general 231

content filtering 231

categories 231, 234

customizing 243

days and times 231

filter list 231

restrict web features 231

URL for blocked access 233

copyright 713

cost of transmission 135

CTS (Clear to Send) 678

custom ports 225

customer support 717

D

data bits 469

Data Terminal Ready. See DTR

date setting 453, 603

daylight saving 455, 605

Daytime time protocol 455

DDNS

configuration 479

host 481

offline 481

type 481

use server detected IP 482

wildcard 481

default configuration 57

default server IP address 339

default settings 465

Denial of Service. See DoS.

device introduction 51

DHCP 71, 115, 116, 380, 499

Relay 499

Server 499

WAN 583

DHCP clients 452

DHCP table 71

diagnostic 582

dial backup

AT command strings 160

DTR signal 161

response strings 161

dial timeout 487

Diffie-Hellman key group 262

Perfect Forward Secrecy (PFS) 274

disclaimer 713

DMZ

IP alias setup 511

port filter setup 509

setup 509

TCP/IP setup 510

DNS 401

DNS Server

For VPN Host 372

DNS server address assignment 142

DNS service 339

domain name 451, 576

Domain Name System. See DNS.

DoS 201, 223

drop timeout 487

DSLmodem523

DTR 161,486

DynamicDNS380,381

Dynamic Host Configuration Protocol. See DHCP.

dynamic WEP key exchange 683

DYNDNS Wildcard 372, 380

E

EAP Authentication 681

ECHO service 339

Encapsulating Security Payload. See ESP.

encapsulation 504, 522, 525

and active protocol 274

transport mode 274

tunnel mode 274

VPN 274

encryption 183, 684

and local (user) database 184

key 184

WEP 191

encryption algorithms 261, 267

and active protocol 261

entering information 471

ESP 273

and transport mode 274

ESS 676

Ethernet

encapsulation 76, 503, 522

extended authentication 264

Extended Service Set, See ESS 676

F

F/W version 576

factory defaults 465

factory-default configuration file 57

FCC interference statement 713

feature specifications 633

file backup

console port 589

file maintenance

over WAN 588

file upload

console port 596

FTP 595

TFTP 595

Xmodem 597

filename conventions 585

filter 492, 509, 527, 555

and NAT 566

applying 567

configuration 555

configuring 558

DMZ 568

example 564

filter rule execution 556

generic filter rule 562

incoming protocol 501

IP filter logic flow 561

protocol 501

remote node 569

structure 556

Finger service 339

firewall

action for matched packets 220

activating 553

address type 219

anti-probing

creating/editing rules 217

custom ports 225

DoS 223

Dos threshold 223

maximum incomplete high 223

maximum incomplete low 223

one minute high 223

one minute low 223

rules 201

rules for VPN 95, 99

service type 225

SMT menus 553

stateful inspection 201

TCP maximum incomplete 223

three-way handshake 221

threshold 222

VPN 99

when to use 567

firmware

file maintenance 585

upload 461

firmware upload 593

FTP 593

flow control 469

fragmentation threshold 678

FTP 380, 397

commands 587

file upload 595

firmware upload 593

GUI-based clients 588

restoring files 591

service 339

G

gateway IP address 505, 526, 531

general setup 451, 477

GMT 455

Greenwich Mean Time. See GMT.

Group Key Update Timer 196

H

H.323 416

RTP 416

Hello BPDU 127

hidden menus 470

hidden node 677

hide SSID 182

HTTP service 339

HTTPS 384

example 387

HyperTerminal 589, 592, 597, 598

I

IANA 114

IBSS 675

iCard 109

idle timeout 488, 495, 524

IEEE 802.11g 679

IEEE 802.1x

installation requirements 184

IGMP 115, 116

version 115

IKE SA

aggressive mode 258, 264

and certificates 263

and RADIUS 264

authentication algorithms 261, 267

Diffie-Hellman key group 262

encryption algorithms 261, 267

extended authentication 264

ID content 263

ID type 263

IP address, remote IPSec router 259

IP address, ZyXEL device 259

local identity 263

main mode 258, 264

NAT traversal 265

negotiation mode 258

password 264

peer identity 263

pre-shared key 262

proposal 261

SA life time 265

user name 264

IKE SA. See also VPN.

incoming protocol filter 501

Independent Basic Service Set

See IBSS 675

initialization vector (IV) 684

Internet access setup 75, 503, 504

Internet Assigned Number Authority. See IANA.

Internet Protocol Security. See IPSec.

IP address

assignment 504, 526

pool 115, 118, 165, 176, 499

private 114

IP alias 501

IP alias setup 501

DMZ 511

IP policy routing 349, 611

IP protocol type 219

IP routing policy 611

IP static route 529

active 530

destination IP address 530

name 530

route number 530

IPSec 257

high availability 266

IPSec SA

active protocol 273

authentication algorithms 261, 267

authentication key (manual keys) 284

encapsulation 274

encryption algorithms 261, 267

encryption key (manual keys) 284

local policy 273

manual keys 284

nail up 266

Perfect Forward Secrecy (PFS) 274

proposal 274

remote policy 273

SA life time 265

Security Parameter Index (SPI) (manual keys) 284

transport mode 274

tunnel mode 274

when IKE SA is disconnected 266, 273

IPSec SA. See also VPN.

IPSec. See also VPN.

ISP parameters 76

L

LAN 116

port filter setup 497

setup 497

license key 109

link type 64

load balancing 131

algorithms 132

introduction 132

load balancing method

least load first 132

spillover 134

weighted round robin 133

load sharing 131

loading a configuration file 464

local (user) database 183

and encryption 184

log 577

log and trace 577

log facility 578

login screen 470

M

MAC address 142, 183, 484

filter 196

MAC address filter 183

MAC service data unit 186

main menu commands 470

maintenance 451

Management Information Base. See MIB.

managing subscription services 107

managing the device

good habits 52

using FTP. See FTP.

using Telnet. See command interface.

using the command interface. See command interface.

Max Age 127

maximum incomplete high 223

maximum incomplete low 223

Media Access Control. See MAC address.

menu overview 473

Message Integrity Check (MIC) 684

metric 135, 347, 490, 524, 527, 531

MIB 399

MSDU. see MAC service data unit 186

multicast 115, 176, 490, 500, 527

multiple WAN 131

myZyXEL.com 107

N

nailed-up connection 524, 525

NAT 114, 329, 339, 340, 489, 505, 526, 527, 566

and VPN 265

application 331

configuring 535

default server IP address 339

definitions 329

examples 543

how NAT works 330

in the SMT 533

inside global address 329

inside local address 329

Many to Many No Overload 332

Many to Many Overload 332

Many to One 332

mapping types 332

NAT unfriendly applications 548

One to One 332

ordering rules 538

port forwarding 338

port restricted cone 332

Server 333

server set 535

Single User Account 333

trigger port forwarding 550

what NAT does 330, 335

NAT traversal 265, 405

navigation panel 65

NBNS 116, 118

NetBIOS 118

NetBIOS Name Server. See NBNS.

Network Address Translation. See NAT.

Network Basic Input/Output System. See NetBIOS.

NNTP service 339

NTP time protocol 455

O

one minute high 223

one minute low 223

online services center 107

outgoing protocol filter 501

P

packet filtering 566

Pairwise Master Key (PMK) 684, 685

PAP 488, 494, 524

parity 469

password 55, 452, 470

path cost 126

Perfect Forward Secrecy. see PFS.

PFS 274

Diffie-Hellman key group 274

PIN code 155

PIN number 109

PIN. see Personal Identification Number 155

ping 584

Point-to-Point Protocol over Ethernet 146

Point-to-Point Protocol over Ethernet. See PPPoE

Point-to-Point Tunneling Protocol. See PPTP.

policy routing 349, 611

benefits 349

cost savings 349

criteria 349

load sharing 349

policy-based routing 349

pool of IP addresses 115, 118

POP3 service 339

port filter setup

DMZ 509

LAN 497

port forwarding 338

port restricted cone NAT 332

port statistics 69

PPPoE

client 506

encapsulation 77, 146, 503, 507, 522, 523, 524

idle timeout 507

PPTP 78, 149

Client 505

configuring a client 505

encapsulation 78, 149, 524

idle timeout 506

service 339

preamble mode 679

precedence 349

pre-shared key 195

private 348, 490, 527, 531

private IP address 114, 141

product overview 51

product registration 715

protocol filter 501

incoming 501

outgoing 501

PSK 684

Q

QoS 349

Quality of Service. See QoS.

R

RADIUS 680

and IKE SA 264

message types 681

messages 681

shared secret key 681

RADIUS server 183

Rapid Spanning Tree Protocol. See Rapid STP.

Rapid STP 126

Real time Transport Protocol. See RTP.

registering your ZyWALL 108

registration

product 715

related documentation 3

reload factory-default configuration file 57

remote management 384, 607

CNM 402

DNS 401

FTP 397

how SSH works 391

HTTPS 384

HTTPS example 387

limitations 384, 609

secure FTP using SSH 395

secure telnet using SSH 394

SNMP 398

SSH 391

SSH implementation 392

system timeout 384

Telnet 396

WWW 385

remote node 521

filter 492, 527

reports 429

host IP address 430, 431

protocol/port 430, 432

resetting the time 456

resetting the ZyWALL 57

restore configuration 464, 590

via console port 597

restoring factory defaults 465

restoring files

via console port 592

via FTP 591

retry count 487

retry interval 487

RFC 1058. See RIP.

RFC 1305. See NTP time protocol.

RFC 1389. See RIP.

RFC 1466. See IP address.

RFC 1597. See private IP address.

RFC 1631. See NAT.

RFC 1889. See RTP.

RFC 2131. See DHCP.

RFC 2132. See DHCP

RFC 2402. See AH.

RFC 2406. See ESP.

RFC 3489. See STUN.

RFC 867. See Daytime time protocol.

RFC 868. See Time protocol.

RIP 115, 490, 500, 501, 527

direction 115, 501

version 115, 501, 527

roaming 686

example 687

requirements 687

route priority 135

routing 349

Routing Information Protocol. See RIP.

routing policy 349, 611

RSTP 126

RTC 453, 603

RTP 416

RTS (Request To Send) 678

threshold 677, 678

RTS/CTS handshake 186

S

SA

life time 265

safety warnings 6

schedule 523, 525

duration 620

schedule 357

secure FTP using SSH 395

secure Telnet using SSH 394

security associations. See VPN.

security settings for VPN traffic 95

server set 535

Service Set 187

Service Set IDentification. see SSID 187

Service Set Identity. See SSID.

service type 225, 504, 522

services 107, 339

Session Initiation Protocol. See SIP.

Simple Traversal of User Datagram Protocol (UDP)

through Network Address Translators. See STUN.

Single User Account. See SUA.

SIP 418

RTP 416

SIP ALG 415

SMT 469

changing the password 474

entering information 471

general setup 477

hidden menus 470

initial screen 469

login screen 470

main menu commands 470

menu overview 473

navigation 470

password 470

required fields 471

SMTP service 339

SNMP 398

community 571

configuration 571

Get 399

GetNext 399

manager 399

MIB 399

password 571

Set 399

Trap 399

trusted host 571

SNMP service 339

source address 219

source-based routing 349

Spanning Tree Protocol. See STP.

SSH 391

how SSH works 391

implementation 392

SSID 174

hide 182

SSID profile 187

stateful inspection firewall 201

static route 345, 529

static WEP key 190

stop bit 469

STP 126

BPDU 126

Hello BPDU 127

how it works 126

Max Age 127

port states 127

STUN 418

SUA 533

subnet 663

subnet mask 113, 664

subnetting 665

subscription services 107

syntax conventions 4

syslog logging 578

system

information 573

maintenance 573

name 451, 477

status 573

timeout 384

System Management Terminal. See SMT.

T

target market 51

TCP maximum incomplete 223

TCP/IP 525

and DHCP Ethernet setup 498

filter rule 560

setup 500

TCP/IP priority 135

Telnet 396

Temporal Key Integrity Protocol (TKIP) 684

terminal emulation 469

TFTP

configuration backup 588

file upload 595

GUI-based clients 589

threshold 222

time 453

and date setting 603

Daylight Saving Time 455

resetting 456

synchronization with server 456

zone 455, 605

Time protocol 455

time protocol 455

Daytime 455

NTP 455

Time 455

time setting 603

timeout

system 384

ToS 349

trace 577

trademarks 713

traffic

redirect 156

transparent firewall 62, 127, 458, 460

triangle routes 211

vs virtual interfaces 211

trigger port forwarding 550

Trivial File Transfer Protocol. See TFTP.

Type of Service. See ToS.

U

unicast 115

Universal Plug and Play. See UPnP.

upgrading firmware 461

upload 597

firmware 593

UPnP 405, 406

examples 408

forum 406

NAT traversal 405

port mapping 407

UPnP Implementers Corp. 406

user authentication 183

local (user) database 183

RADIUS server 183

weaknesses 183

user profiles 323

V

Vantage CNM 402

virtual interfaces

vs asymmetrical routes 211

vs triangle routes 211

Virtual Private Network. See VPN.

VPN 149, 257

active protocol 273

adjust TCP maximum segment size 291

and NAT 265

and the firewall 95

certificate 270

established in two phases 258

gateway policy 84, 259, 260, 267

high availability 266

IKE SA. See IKE SA.

IPSec 257

IPSec SA. See IPSec SA.

local network 257

network policy 86, 259, 260, 275

pre-shared key 270

proposal 261

remote IPSec router 257

remote network 257

security associations (SA) 258

security on traffic 95

VPN. See also IKE SA, IPSec SA.

VT100 terminal emulation 469

W

Wall-mounting instructions 639

WAN

file maintenance 588

WAN DHCP 583

WAN IP address 141

WAN setup 483, 493

warranty 715

note 715

web configurator 55

Windows Internet Naming Service. See WINS.

WINS 116, 118

WINS server 118

wireless client 173

wireless client WPA supplicants 685

wireless LAN

introduction 173

wireless network

basic guidelines 173

channel 174

encryption 183

example 173

MAC address filter 183

overview 173

security 174

SSID 174

wireless security 174, 679

IEEE 802.1x 191

none 190

overview 182

static WEP 190

type 182

WPA/WPA2 194

WPA-PSK/WPA2-PSK 195

wireless technologies comparison 153

wizard setup 75

WLAN

interference 677

IP alias 518

roaming 686

security parameters 686

setup 517

TCP/IP setup 518

WPA 683

group key update timer 196

key caching 684

pre-authentication 684

user authentication 684

vs WPA-PSK 684

wireless client supplicant 685

with RADIUS application example 685

WPA2 683

user authentication 684

vs WPA2-PSK 684

wireless client supplicant 685

with RADIUS application example 685

WPA2-Pre-Shared Key 683

WPA2-PSK 683, 684

application example 685

WPA-PSK 683, 684

application example 685

WWW 385

www.dyndns.org 481

X

Xmodem 597

file upload 597

protocol 586

Z

ZyNOS 576, 586

ZyWALL registration 108

ZyXEL's Network Operating System. See ZyNOS.
