PRESTIGE 661H - Modem/Router ZYXEL - Free user manual and instructions

Name: PRESTIGE 661H
Brand: ZYXEL
Rating: 6.5 (148 reviews)

Find the device manual for free PRESTIGE 661H ZYXEL in PDF.

📄 383 pages

EN 💬 AI Question

View the manual :

User questions about PRESTIGE 661H ZYXEL

0 question about this device. Answer the ones you know or ask your own.

Ask a new question about this device

No questions yet. Be the first to ask one.

Download the instructions for your Modem/Router in PDF format for free! Find your manual PRESTIGE 661H - ZYXEL and take your electronic device back in hand. On this page are published all the documents necessary for the use of your device. PRESTIGE 661H by ZYXEL.

USER MANUAL PRESTIGE 661H ZYXEL

802.11g Wireless ADSL2+ 4-port Security Gateway

User's Guide

Version 3.40

Edition 1

5/2006

ZyXEL

Copyright

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause undesired operations.

This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.

If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna.
Increase the separation between the equipment and the receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.

Notice 1

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

This Class B digital apparatus complies with Canadian ICES-003.

1 Go to www.zyxel.com.
2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.

ZYXEL PRESTIGE 661H - Notice 1 - 1

SafetyWarnings

For your safety, be sure to read and follow all warning notices and instructions.

Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.
Connect the power cord to the right supply voltage (110V AC in North America or 230V AC in Europe).
Place connecting cables carefully so that no one will step on them or stumble over them. Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord.
If you wall mount your device, make sure that no electrical, gas or water pipes will be damaged.
Do NOT install nor use your device during a thunderstorm. There may be a remote risk of electric shock from lightning.
Do NOT expose your device to dampness, dust or corrosive liquids.
Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
Make sure to connect the cables to the correct ports.
Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
Do NOT store things on the device.
Connect ONLY suitable accessories to the device.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.

To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Customer Support

Please have the following information ready when you contact customer support.

Product model and serial number.
Warranty Information.
- Date that you received your device.
- Brief description of the problem and the steps you took to solve it.

METHOD LOCATION	SUPPORT E-MAIL	TELEPHONEA	WEB SITE	REGULAR MAIL
	SALES E-MAIL	FAX	FTP SITE
CORPORATE HEADQUARTERS (WORLDWIDE)	support@zyxel.com.tw	+886-3-578-3942	www.zyxel.com www.europe.zyxel.com	ZyXEL Communications Corp. 6 Innovation Road II Science Park Hsinchu 300 Taiwan
	sales@zyxel.com.tw	+886-3-578-2439	ftp.zyxel.com ftp.europe.zyxel.com
CZECH REPUBLIC	info@cZ.zyxel.com	+420-241-091-350	www.zyxel.cz	ZyXEL Communications Czech s.r.o. Modranská 621 143 01 Praha 4 - Modraney Ceská Republika
	info@cZ.zyxel.com	+420-241-091-359
DENMARK	support@zyxel.dk	+45-39-55-07-00	www.zyxel.dk	ZyXEL Communications A/S Columbusvej 2860 Soeborg Denmark
	sales@zyxel.dk	+45-39-55-07-07
FINLAND	support@zyxel.fi	+358-9-4780-8411	www.zyxel.fi	ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland
	sales@zyxel.fi	+358-9-4780 8448
FRANCE	info@zyxel.fr	+33-4-72-52-97-97	www.zyxel.fr	ZyXEL France 1 rue des Vergers Bat. 1 / C 69760 Limonest France
		+33-4-72-52-19-20
GERMANY	support@zyxel.de	+49-2405-6909-0	www.zyxel.de	ZyXEL Deutschland GmbH. Adenauerstr. 20/A2 D-52146 Wuerselen Germany
	sales@zyxel.de	+49-2405-6909-99
HUNGARY	support@zyxel.hu	+36-1-3361649	www.zyxel.hu	ZyXEL Hungary 48, Zoldlomb Str. H-1025, Budapest Hungary
	info@zyxel.hu	+36-1-3259100
KAZAKHSTAN	http://zyxel.kz/support	+7-3272-590-698	www.zyxel.kz	ZyXEL Kazakhstan 43, Dostyk ave., Office 414 Dostyk Business Centre 050010, Almaty Republic of Kazakhstan
	sales@zyxel.kz	+7-3272-590-689
NORTH AMERICA	support@zyxel.com	1-800-255-4101	www.us.zyxel.com	ZyXEL Communications Inc. 1130 N. Miller St. Anaheim
		+1-714-632-0882
	sales@zyxel.com	+1-714-632-0858	ftp.us.zyxel.com	CA 92806-2001 U.S.A.
NORWAY	support@zyxel.no	+47-22-80-61-80	www.zyxel.no	ZyXEL Communications A/S Nils Hansens vei 13 0667 Oslo Norway
	sales@zyxel.no	+47-22-80-61-81
POLAND	info@pl.zyxel.com	+48-22-5286603	www.pl.zyxel.com	ZyXEL Communications ul Emilli Plater 53 00-113 Warszawa Poland
		+48-22-5206701
RUSSIA	http://zyxel.ru/support	+7-095-542-89-29	www.zyxel.ru	ZyXEL Russia Ostrovityanova 37a Str. Moscow, 117279 Russia
	sales@zyxel.ru	+7-095-542-89-25
SPAIN	support@zyxel.es	+34-902-195-420	www.zyxel.es	ZyXEL Communications Arte, 21 5a planta 28033 Madrid Spain
	sales@zyxel.es	+34-913-005-345
SWEDEN	support@zyxel.se	+46-31-744-7700	www.zyxel.se	ZyXEL Communications A/S Sjöporten 4, 41764 Göteborg Sweden
	sales@zyxel.se	+46-31-744-7701
UKRAINE	support@ua.zyxel.com	+380-44-247-69-78	www.ua.zyxel.com	ZyXEL Ukraine 13, Pimonenko Str. Kiev, 04050 Ukraine
	sales@ua.zyxel.com	+380-44-494-49-32
UNITED KINGDOM	support@zyxel.co.uk	+44-1344 303044 08707 555779 (UK only)	www.zyxel.co.uk	ZyXEL Communications UK Ltd.,11 The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)
	sales@zyxel.co.uk	+44-1344 303034	ftp.zyxel.co.uk

A. “+” is the (prefix) number you enter to make an international telephone call.

Certifications 4

SafetyWarnings 6

ZyXEL Limited Warranty 7

Customer Support 8

Table of Contents 11

List of Figures 23

List of Tables 29

Preface 33

Chapter 1
Getting To Know Your ZyXEL Device 35

1.1 Introducing the ZyXEL Device 35

1.2 Features 36

1.2.1 Wireless Features (Wireless Devices Only) 38

1.3 Applications for the ZyXEL Device 39

1.3.1 Protected Internet Access 39

1.3.2 LAN to LAN Application 40

1.4 Front Panel LEDs 40

1.5 Hardware Connection 41

1.6 Splitters and Microfilters 41

1.6.1 Connecting a POTS Splitter 42

1.6.2 Telephone Microfilters 42

Chapter 2 Introducing the Web Configurator 45

2.1 Web Configurator Overview 45

2.2 Accessing the Web Configurator 45

2.3 Resetting the ZyXEL Device 47

2.3.1 Using the Reset Button 47

2.4 Navigating the Web Configurator 47

2.4.1 Navigation Panel 47

2.4.2 Status Screen 51

2.4.3 Status: Any IP Table 53
2.4.4 Status: WLAN Status (Wireless devices only) 54
2.4.5 Status: VPN Status 54
2.4.6 Status: Bandwidth Status 55
2.4.7 Status: Packet Statistics 56
2.4.8 Changing Login Password 57

Chapter 3 Wizards 59

3.1 Internet Setup Wizard 60

3.1.1 Automatic Detection 60
3.1.2 Manual Configuration 61

3.1.2.1 Screen 1 61
3.1.2.2 Screen 2 61
3.1.2.3 Screen 3 .62

3.1.3 No DSL Detection 65

3.2 Wireless Connection Wizard Setup (wireless devices only) 66

3.2.1 Manually assign a WPA-PSK key 69
3.2.2 Manually assign a WEP key 69

3.3 Bandwidth Management Wizard 72

3.3.1 Screen 1 73
3.3.2 Screen 2 74
3.3.3 Screen 3 75

Chapter 4 WAN Setup 77

4.1 WAN Overview 77

4.1.1 Encapsulation 77

4.1.1.1 ENET ENCAP 77
4.1.1.2 PPP over Ethernet 77
4.1.1.3 PPPoA 78
4.1.1.4 RFC 1483 78

4.1.2 Multiplexing 78

4.1.2.1 VC-based Multiplexing 78
4.1.2.2 LLC-based Multiplexing 78

4.1.3 VPI and VCI 78

4.1.4 IP Address Assignment 79

4.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation 79
4.1.4.2 IP Assignment with RFC 1483 Encapsulation ..... 79
4.1.4.3 IP Assignment with ENET ENCAP Encapsulation 79

4.1.5 Nailed-Up Connection (PPP) 79
4.1.6 NAT 79

4.2 Metric 80

4.3 Traffic Shaping 80

4.3.1 ATM Traffic Classes 81
4.3.1.1 Constant Bit Rate (CBR) 81
4.3.1.2 Variable Bit Rate (VBR) 81
4.3.1.3 Unspecified Bit Rate (UBR) 82

4.4 Zero Configuration Internet Access 82

4.5 Internet Connection 82

4.5.1 Configuring Advanced Internet Connection 84

4.6 Configuring More Connections 86

4.6.1 More Connections Edit 87
4.6.2 Configuring More Connections Advanced Setup 90

4.7 Traffic Redirect 91
4.8 Configuring WAN Backup 92

Chapter 5 LAN Setup 95

5.1 LAN Overview 95

5.1.1 LANs, WANs and the ZyXEL Device 95
5.1.2 DHCP Setup 96

5.1.2.1 IP Pool Setup 96

5.1.3 DNS Server Address 96
5.1.4 DNS Server Address Assignment 97

5.2 LAN TCP/IP 97

5.2.1 IP Address and Subnet Mask 97
5.2.1.1 Private IP Addresses 98

5.2.2 RIP Setup 98
5.2.3 Multicast 99
5.2.4 Any IP 99

5.2.4.1 How Any IP Works 100

5.3 Configuring LAN IP 101
5.3.1 Configuring Advanced LAN Setup 101
5.4 DHCP Setup 103
5.5 LAN Client List 104
5.6 LAN IP Alias 106

Chapter 6 Wireless LAN 109

6.1 Wireless Network Overview 109
6.2 Wireless Security Overview 110

6.2.1 SSID 110
6.2.2 MAC Address Filter 110
6.2.3UserAuthentication 110
6.2.4 Encryption 111

6.2.5 One-Touch Intelligent Security Technology (OTIST) 112

6.3 Wireless Performance Overview 112

6.3.1 Quality of Service (QoS) 112

6.4 General Wireless LAN Screen 112

6.4.1 No Security 114

6.4.2 WEP Encryption 114

6.4.3 WPA-PSK/WPA2-PSK 115

6.4.4 WPA/WPA2 117

6.4.5 Wireless LAN Advanced Setup 119

6.5 OTIST 120

6.5.1 Enabling OTIST 120

6.5.1.1 AP 121

6.5.1.2 Wireless Client 122

6.5.2 Starting OTIST 123

6.5.3 Notes on OTIST 123

6.6 MAC Filter 124

6.7 WMM QoS 126

6.7.1 WMM QoS Example 126

6.7.2 WMM QoS Priorities 126

6.7.3 Services 127

6.8 QoS Screen 128

6.8.1 ToS (Type of Service) and WMM QoS 129

6.8.2 Application Priority Configuration 130

Chapter 7 Network Address Translation (NAT) Screens 133

7.1 NAT Overview 133

7.1.1 NAT Definitions 133

7.1.2 What NAT Does 134

7.1.3 How NAT Works 134

7.1.4 NAT Application 135

7.4 Port Forwarding 137

7.4.1 Default Server IP Address 138

7.4.2 Port Forwarding: Services and Port Numbers 138

7.4.3 Configuring Servers Behind Port Forwarding (Example) 138

7.5 Configuring Port Forwarding 139

7.5.1 Port Forwarding Rule Edit 140

7.6 Address Mapping 141

7.6.1 Address Mapping Rule Edit 143

Chapter 8 Firewalls 145

8.1 Firewall Overview 145
8.2 Types of Firewalls 145

8.2.1 Packet Filtering Firewalls 145
8.2.2 Application-level Firewalls 146
8.2.3 Stateful Inspection Firewalls 146

8.3 Introduction to ZyXEL's Firewall 146
8.3.1 Denial of Service Attacks 147

8.4 Denial of Service 147

8.4.1 Basics 147
8.4.2 Types of DoS Attacks 148

8.4.2.1 ICMP Vulnerability 150
8.4.2.2 Illegal Commands (NetBIOS and SMTP) 150
8.4.2.3Traceroute 151

8.5 Stateful Inspection 151

8.5.1 Stateful Inspection Process 152
8.5.2 Stateful Inspection and the ZyXEL Device 152
8.5.3 TCP Security 153
8.5.4 UDP/ICMP Security 153
8.5.5 Upper Layer Protocols 154

8.6 Guidelines for Enhancing Security with Your Firewall 154

8.6.1 Security In General 154

8.7 Packet Filtering Vs Firewall 155

8.7.1 Packet Filtering: 155
8.7.1.1 When To Use Filtering 156

8.7.2 Firewall 156

8.7.2.1 When To Use The Firewall 156

Chapter 9 Firewall Configuration 157

9.1 Access Methods 157
9.2 Firewall Policies Overview 157

9.3 Rule Logic Overview 158

9.3.1 Rule Checklist 158
9.3.2 Security Ramifications 158

9.3.3 Key Fields For Configuring Rules 159

9.3.3.1 Action 159
9.3.3.2 Service 159
9.3.3.3 Source Address 159
9.3.3.4 Destination Address 159

9.4 Connection Direction 159

9.4.1 LAN to WAN Rules 160

9.4.2 Alerts 160

9.5 Triangle Route 160

9.5.1 The "Triangle Route" Problem 160
9.5.2 Solving the "Triangle Route" Problem 161

9.6 General Firewall Policy 162

9.7 Firewall Rules Summary 163

9.7.1 Configuring Firewall Rules 164
9.7.2 Customized Services 167
9.7.3 Configuring A Customized Service 168

9.8 Example Firewall Rule 168
9.9 Predefined Services 172
9.10 Anti-Probing 174

9.11 DoS Thresholds 175

9.11.1 Threshold Values 175
9.11.2 Half-Open Sessions 176

9.11.2.1 TCP Maximum Incomplete and Blocking Time 176

9.11.3 Configuring Firewall Thresholds 177

Chapter 10 Trend Micro Security Services. 179

10.1 Trend Micro Security Services Overview 179
10.1.1 TMSS Web Page 179

10.2 Configuring TMSS on the ZyXEL Device 182

10.2.1 General TMSS Settings 182
10.2.2 TMSS Exception List 184

10.3 TMSS Virus Protection 185
10.4 Parental Controls 186
10.4.1 Parental Controls Statistics 188
10.5 ActiveX Controls in Internet Explorer 189

Chapter 11 Content Filtering 193

11.1 Content Filtering Overview 193
11.2 Configuring Keyword Blocking 193
11.3 Configuring the Schedule 194
11.4 Configuring Trusted Computers 195

Chapter 12 Introduction to IPsec 197

12.1 VPN Overview 197
12.1.1 IPSec 197
12.1.2 Security Association 197
12.1.3 Other Terminology 197

12.1.3.1 Encryption 197
12.1.3.2 Data Confidentiality 198
12.1.3.3 Data Integrity 198
12.1.3.4 Data Origin Authentication 198

12.1.4 VPN Applications 198

12.2 IPSec Architecture 199

12.2.1 IPSec Algorithms 199
12.2.2 Key Management 199

12.3 Encapsulation 199

12.3.1 Transport Mode 200
12.3.2 Tunnel Mode 200

12.4 IPSec and NAT 200

Chapter 13 VPN Screens 203

13.1 VPN/IPSec Overview 203
13.2 IPSec Algorithms 203

13.2.1 AH (Authentication Header) Protocol 203
13.2.2 ESP (Encapsulating Security Payload) Protocol 203

13.3 My IP Address 204
13.4 Secure Gateway Address 205

13.4.1 Dynamic Secure Gateway Address 205

13.5 VPN Setup Screen 205
13.6 Keep Alive 207
13.7 VPN, NAT, and NAT Traversal 207

13.8 Remote DNS Server 208
13.9 ID Type and Content 209
13.9.1 ID Type and Content Examples 210

13.10 Pre-Shared Key 211
13.11 Editing VPN Policies 211

13.12 IKE Phases 216

13.12.1 Negotiation Mode 217
13.12.2 Diffie-Hellman (DH) Key Groups 218
13.12.3 Perfect Forward Secrecy (PFS) 218

13.13 Configuring Advanced IKE Settings 218

13.14 Manual Key Setup 221
13.14.1 Security Parameter Index (SPI) 221
13.15 Configuring Manual Key 221
13.16 Viewing SA Monitor 224
13.17 Configuring Global Setting 225
13.18 Telecommuter VPN/IPSec Examples 226
13.18.1 Telecommuters Sharing One VPN Rule Example 226
13.18.2 Telecommuters Using Unique VPN Rules Example 227

13.19 VPN and Remote Management 229

Chapter 14

Static Route 231

14.1 Static Route 231

14.2 Configuring Static Route 231

14.2.1 Static Route Edit 232

Chapter 15

Bandwidth Management 235

15.1 Bandwidth Management Overview 235

15.2 Application-based Bandwidth Management 235

15.3 Subnet-based Bandwidth Management 235

15.4 Application and Subnet-based Bandwidth Management 236

15.5 Scheduler 236

15.5.1 Priority-based Scheduler 236

15.5.2 Fairness-based Scheduler 237

15.6 Maximize Bandwidth Usage 237

15.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic 237

15.6.2 Maximize Bandwidth Usage Example 238

15.6.2.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth 238

15.6.2.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth ... 239

15.6.3 Over Allotment of Bandwidth 239

15.6.4 Bandwidth Management Priorities 240

15.7 Configuring Summary 240

15.8 Bandwidth Management Rule Setup 241

15.8.1 Rule Configuration 243

15.9 Bandwidth Monitor 245

Chapter 16

Dynamic DNS Setup 247

16.1 Dynamic DNS Overview 247

16.1.1 DYNDNS Wildcard 247

16.2 Configuring Dynamic DNS 247

Chapter 17

Remote Management Configuration 251

17.1 Remote Management Overview 251

17.1.1 Remote Management Limitations 251

17.1.2 Remote Management and NAT 252

17.1.3 System Timeout 252

17.2 WWW 252

17.3 Telnet 253
17.4 Configuring Telnet 253
17.5 Configuring FTP 254
17.6 SNMP 255

17.6.1 Supported MIBs 256
17.6.2 SNMP Traps 257
17.6.3 Configuring SNMP 257

17.7 Configuring DNS 259

17.8 Configuring ICMP 259
17.9 TR-069 (P-661H Only) 261

Chapter 18

Universal Plug-and-Play (UPnP) 263

18.1 Introducing Universal Plug and Play 263

18.1.1 How do I know if I'm using UPnP? 263
18.1.2 NAT Traversal 263
18.1.3 Cautions with UPnP 264

18.2 UPnP and ZyXEL 264

18.2.1 Configuring UPnP 264

18.3 Installing UPnP in Windows Example 265
18.4 Using UPnP in Windows XP Example 268

Chapter 19

System 275

19.1 General Setup 275

19.1.1 General Setup and System Name 275
19.1.2 General Setup 275

19.2 Time Setting 277

Chapter 20

Logs 281

20.1 Logs Overview 281
20.1.1 Alerts and Logs 281
20.2 Viewing the Logs 281
20.3 Configuring Log Settings 282

Chapter 21

Tools 285

21.1 Firmware Upgrade 285
21.2 Configuration 287
21.3 Restart 289

Chapter 22

Diagnostic 291

22.1 General Diagnostic 291
22.2 DSL Line Diagnostic 292

Chapter 23

Troubleshooting 293

23.1 Problems Starting Up the ZyXEL Device 293
23.2 Problems with the LAN 293
23.3 Problems with the WAN 294
23.4 Problems Accessing the ZyXEL Device 295

Appendix A

Product Specifications 297

Appendix B

About ADSL 301

Introduction to DSL 301
ADSL Overview 301
Advantages of ADSL 301

Appendix C

Wall-mounting Instructions 303

Appendix D

Setting up Your Computer's IP Address 305

Windows 95/98/Me 305
Windows 2000/NT/XP 308
Macintosh OS X 313
Linux 315

Appendix E

IP Subnetting 319

IP Addressing 319
IP Classes 319
Subnet Masks 320
320
Example: Two Subnets 321
Example: Four Subnets 323
Example Eight Subnets 324
Subnetting With Class A and Class B Networks 325

Appendix F

Command Interpreter 327

Command Syntax 327

Command Usage 327

Appendix G

Firewall Commands 329

Appendix H

NetBIOS Filter Commands 335

Introduction 335

Display NetBIOS Filter Settings 335

NetBIOS Filter Configuration 336

Appendix I

PPPoE 337

PPPoE in Action 337

Benefits of PPPoE 337

Traditional Dial-up Scenario 337

How PPPoE Works 338

ZyXEL Device as a PPPoE Client 338

Appendix J

Log Descriptions 339

Log Commands 353

Log Command Example 354

Appendix K

Wireless LANs (wireless devices only) 355

Wireless LAN Topologies 355

Channel 357

RTS/CTS 357

Fragmentation Threshold 358

Preamble Type 359

IEEE 802.11g Wireless LAN 359

Wireless Security Overview 360

IEEE 802.1x 360

RADIUS 361

Types of Authentication 362

Dynamic WEP Key Exchange 363

WPA and WPA2 364

Security Parameters Summary 367

Appendix L

Pop-up Windows, JavaScript and Java Permissions 369

Internet Explorer Pop-up Blockers 369

Java Permissions 374

Index 377

List of Figures

Figure 1 Protected Internet Access Applications 40

Figure 2 LAN-to-LAN Application Example 40

Figure 3 Front Panel 40

Figure 4 Connecting a POTS Splitter 42

Figure 5 Connecting a Microfilter 43

Figure 6 Password Screen 46

Figure 7 Change Password at Login 46

Figure 8 Select a Mode 47

Figure 9 Web Configurator: Main Screen 48

Figure 10 Status Screen 51

Figure 11 Status: Any IP Table 53

Figure 12 Status: WLAN Status 54

Figure 13 Status: VPN Status 55

Figure 14 Status: Bandwidth Status 55

Figure 15 Status: Packet Statistics 56

Figure 16 System General 58

Figure 17 Wizard Main Screen 59

Figure 18 Internet Setup Wizard: Connection Test 60

Figure 19 Internet Setup Wizard: Automatic Detection 60

Figure 20 Internet Setup Wizard: Manual Configuration 61

Figure 21 Internet Access Wizard Setup: ISP Parameters 61

Figure 22 Internet Setup Wizard: ISP Parameters (Ethernet) 62

Figure 23 Internet Setup Wizard: ISP Parameters (PPPoE) 63

Figure 24 Internet Setup Wizard: ISP Parameters (RFC1483 + Routing Mode) 64

Figure 25 Internet Setup Wizard: ISP Parameters (PPPoA) 65

Figure 26 Internet Setup Wizard: No DSL Connection 66

Figure 27 Connection Test Successful 66

Figure 28 Wireless LAN Setup Wizard 1 67

Figure 29 Wireless LAN Setup Wizard 2 68

Figure 30 Manually assign a WPA key 69

Figure 31 Manually assign a WEP key 70

Figure 32 Wireless LAN Setup: Apply 71

Figure 33 Internet Setup Wizard: Summary Screen 71

Figure 34 Bandwidth Management Wizard: General Information 73

Figure 35 Bandwidth Management Wizard: Configuration 74

Figure 36 Bandwidth Management Wizard: Complete 75

Figure 37 Example of Traffic Shaping 81

Figure 38 Internet Connection (PPPoE) 83

Figure 39 Advanced Internet Connection 85

Figure 40 More Connections 87

Figure 41 More Connections Edit 88

Figure 42 More Connections Advanced Setup 90

Figure 43 Traffic Redirect Example 91

Figure 44 Traffic Redirect LAN Setup 92

Figure 45 WAN Backup Setup 93

Figure 46 LAN and WAN IP Addresses 95

Figure 47 Any IP Example 100

Figure 48 LAN IP 101

Figure 49 Advanced LAN Setup 102

Figure 50 DHCP Setup 103

Figure 51 LAN Client List 105

Figure 52 Physical Network & Partitioned Logical Networks 106

Figure 53 LAN IP Alias 106

Figure 54 Wireless LAN: General 113

Figure 55 Wireless: No Security 114

Figure 56 Wireless: Static WEP Encryption 115

Figure 57 Wireless: WPA-PSK/WPA2-PSK 116

Figure 58 Wireless: WPA/WPA2 117

Figure 59 Wireless LAN: Advanced 119

Figure 60 Wireless LAN: OTIST 121

Figure 61 Example Wireless Client OTIST Screen 122

Figure 62 Security Key 123

Figure 63 OTIST in Progress (AP) 123

Figure 64 OTIST in Progress (Client) 123

Figure 65 No AP with OTIST Found 123

Figure 66 Start OTIST? 124

Figure 67 MAC Address Filter 125

Figure 68 Wireless LAN: QoS 129

Figure 69 Application Priority Configuration 130

Figure 70 How NAT Works 134

Figure 71 NAT Application With IP Alias 135

Figure 72 NAT General 137

Figure 73 Multiple Servers Behind NAT Example 139

Figure 74 Port Forwarding 139

Figure 75 Port Forwarding Rule Setup 140

Figure 76 Address Mapping Rules 142

Figure 77 Edit Address Mapping Rule 143

Figure 78 ZyXEL Device Firewall Application 147

Figure 79 Three-Way Handshake 148

Figure 80 SYN Flood 149

Figure 81 Smurf Attack 150

Figure 82 Stateful Inspection 151

Figure 83 Ideal Firewall Setup 160

Figure 84 "Triangle Route" Problem 161

Figure 85 IP Alias 161

Figure 86 Firewall: General 162

Figure 87 Firewall Rules 163

Figure 88 Firewall: Edit Rule 165

Figure 89 Firewall: Customized Services 167

Figure 90 Firewall: Configure Customized Services 168

Figure 91 Firewall Example: Rules 169

Figure 92 Edit Custom Port Example 169

Figure 93 Firewall Example: Edit Rule: Destination Address 170

Figure 94 Firewall Example: Edit Rule: Select Customized Services 171

Figure 95 Firewall Example: Rules: MyService 172

Figure 96 Firewall: Anti Probing 174

Figure 97 Firewall: Threshold 177

Figure 98 TMSS First Time Access 179

Figure 99 Download ActiveX to View TMSS Web Page 180

Figure 100 TMSS Web Page ( Dashboard) 180

Figure 101 TMSS Service Summary 180

Figure 102 TMSS 3 Steps 181

Figure 103 TMSS Registration Form 181

Figure 104 Example TMSS Activated Service Summary Screen 182

Figure 105 Example TMSS Activated Parental Controls Screen 182

Figure 106 General TMSS Settings 183

Figure 107 TMSS Exception List 184

Figure 108 Virus Protection 185

Figure 109 No Parental Controls License 186

Figure 110 Parental Controls 187

Figure 111 Parental Controls Statistics 189

Figure 112 Internet Options Security 190

Figure 113 Security Setting ActiveX Controls 191

Figure 114 Content Filter: Keyword 193

Figure 115 Content Filter: Schedule 194

Figure 116 Content Filter: Trusted 195

Figure 117 Encryption and Decryption 198

Figure 118 IPSec Architecture 199

Figure 119 Transport and Tunnel Mode IPSec Encapsulation 200

Figure 120 IPSec Summary Fields 205

Figure 121 VPN Setup 206

Figure 122 NAT Router Between IPSec Routers 208

Figure 123 VPN Host using Intranet DNS Server Example 209

Figure 124 Edit VPN Policies 212

Figure 125 Two Phases to Set Up the IPSec SA 216

Figure 126 Advanced VPN Policies 219

Figure 127 VPN: Manual Key 222

Figure 128 VPN: SA Monitor 225

Figure 129 VPN: Global Setting 226

Figure 130 Telecommuters Sharing One VPN Rule Example 227

Figure 131 Telecommuters Using Unique VPN Rules Example 228

Figure 132 Example of Static Routing Topology 231

Figure 133 Static Route 232

Figure 134 Static Route Edit 233

Figure 135 Subnet-based Bandwidth Management Example 236

Figure 136 Bandwidth Management: Summary 240

Figure 137 Bandwidth Management: Rule Setup 242

Figure 138 Bandwidth Management Rule Configuration 243

Figure 139 Bandwidth Management: Monitor 245

Figure 140 Dynamic DNS 248

Figure 141 Remote Management: WWW 252

Figure 142 Telnet Configuration on a TCP/IP Network 253

Figure 143 Remote Management: Telnet 254

Figure 144 Remote Management: FTP 255

Figure 145 SNMP Management Model 256

Figure 146 Remote Management: SNMP 258

Figure 147 Remote Management: DNS 259

Figure 148 Remote Management: ICMP 260

Figure 149 Enabling TR-069 261

Figure 150 Configuring UPnP 264

Figure 151 Add/Remove Programs: Windows Setup: Communication 266

Figure 152 Add/Remove Programs: Windows Setup: Communication: Components 266

Figure 153 Network Connections 267

Figure 154 Windows Optional Networking Components Wizard 267

Figure 155 Networking Services 268

Figure 156 Network Connections 269

Figure 157 Internet Connection Properties 270

Figure 158 Internet Connection Properties: Advanced Settings 271

Figure 159 Internet Connection Properties: Advanced Settings: Add 271

Figure 160 System Tray Icon 272

Figure 161 Internet Connection Status 272

Figure 162 Network Connections 273

Figure 163 Network Connections: My Network Places 274

Figure 164 Network Connections: My Network Places: Properties: Example 274

Figure 165 System General Setup 276

Figure 166 System Time Setting 277

Figure 167 View Log 281

Figure 168 Log Settings 283

Figure 169 Firmware Upgrade 285

Figure 170 Firmware Upload In Progress 286

Figure 171 Network Temporarily Disconnected 286

Figure 172 Error Message 287

Figure 173 Configuration 287

Figure 174 Configuration Upload Successful 288

Figure 175 Network Temporarily Disconnected 289

Figure 176 Configuration Upload Error 289

Figure 177 Restart Screen 289

Figure 178 Diagnostic: General 291

Figure 179 Diagnostic: DSL Line 292

Figure 180 Wall-mounting Example 303

Figure 181 Windows 95/98/Me: Network: Configuration 306

Figure 182 Windows 95/98/Me: TCP/IP Properties: IP Address 307

Figure 183 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 308

Figure 184 Windows XP: Start Menu 309

Figure 185 Windows XP: Control Panel 309

Figure 186 Windows XP: Control Panel: Network Connections: Properties 310

Figure 187 Windows XP: Local Area Connection Properties 310

Figure 188 Windows XP: Internet Protocol (TCP/IP) Properties 311

Figure 189 Windows XP: Advanced TCP/IP Properties 312

Figure 190 Windows XP: Internet Protocol (TCP/IP) Properties 313

Figure 191 Macintosh OS X: Apple Menu 314

Figure 192 Macintosh OS X: Network 314

Figure 193 Red Hat 9.0: KDE: Network Configuration: Devices 315

Figure 194 Red Hat 9.0: KDE: Ethernet Device: General 316

Figure 195 Red Hat 9.0: KDE: Network Configuration: DNS 316

Figure 196 Red Hat 9.0: KDE: Network Configuration: Activate 317

Figure 197 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 317

Figure 198 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 318

Figure 199 Red Hat 9.0: DNS Settings in resolv.conf 318

Figure 200 Red Hat 9.0: Restart Ethernet Card 318

Figure 201 Red Hat 9.0: Checking TCP/IP Properties 318

Figure 202 Single-Computer per Router Hardware Configuration 338

Figure 203 ZyXEL Device as a PPPoE Client 338

Figure 204 Displaying Log Categories Example 353

Figure 205 Displaying Log Parameters Example 353

Figure 206 Peer-to-Peer Communication in an Ad-hoc Network 355

Figure 207 Basic Service Set 356

Figure 208 Infrastructure WLAN 357

Figure 209 RTS/CTS 358

Figure 210 WPA(2) with RADIUS Application Example 366

Figure 211 WPA(2)-PSK Authentication 367

Figure 212 Pop-up Blocker 369

Figure 213 Internet Options 370

Figure 214 Internet Options 371

Figure 215 Pop-up Blocker Settings 372

Figure 216 Internet Options 373

Figure 217 Security Settings - Java Scripting 374

Figure 218 Security Settings - Java 375

Figure 219 Java (Sun) 376

List of Tables

Table 1 ADSL Standards 35

Table 2 Front Panel LEDs 41

Table 3 Web Configurator Screens Summary 48

Table 4 Status Screen 51

Table 5 Status: Any IP Table 53

Table 6 Status: WLAN Status 54

Table 7 Status: VPN Status 55

Table 8 Status: Packet Statistics 56

Table 9 System General: Password 58

Table 10 Wizard Main Screen 59

Table 11 Internet Setup Wizard: ISP Parameters 62

Table 12 Internet Setup Wizard: ISP Parameters (Ethernet) 63

Table 13 Internet Setup Wizard: ISP Parameters (PPPoE) 64

Table 14 Internet Setup Wizard: ISP Parameters (RFC1483 + Routing Mode) 64

Table 15 Internet Setup Wizard: ISP Parameters (PPPoA) 65

Table 16 Wireless LAN Setup Wizard 1 67

Table 17 Wireless LAN Setup Wizard 2 68

Table 18 Manually assign a WPA key 69

Table 19 Manually assign a WEP key 70

Table 20 Internet Setup Wizard: Summary 71

Table 21 Media Bandwidth Management Setup: Services 72

Table 22 Bandwidth Management Wizard: General Information 74

Table 23 Bandwidth Management Wizard: Configuration 75

Table 24 Internet Connection 83

Table 25 Advanced Internet Connection 85

Table 26 More Connections 87

Table 27 More Connections Edit 88

Table 28 More Connections Advanced Setup 90

Table 29 WAN Backup Setup 93

Table 30 LAN IP 10

Table 31 Advanced LAN Setup 10

Table 32 DHCP Setup 10

Table 33 LAN Client List 10

Table 34 LAN IP Alias 10

Table 35 Types of Encryption for Each Type of Authentication 11

Table 36 Wireless LAN: General 11

Table 37 Wireless: No Security 11

Table 38 Wireless: Static WEP Encryption 11

Table 39 Wireless: WPA-PSK/WPA2-PSK 116

Table 40 Wireless: WPA/WPA2 118

Table 41 Wireless LAN: Advanced 119

Table 42 OTIST 122

Table 43 MAC Address Filter 125

Table 44 WMM QoS Priorities 126

Table 45 Commonly Used Services 127

Table 46 Wireless LAN: QoS 129

Table 47 Application Priority Configuration 130

Table 48 NAT Definitions 133

Table 49 NAT Mapping Types 136

Table 50 NAT General 137

Table 51 Services and Port Numbers 138

Table 52 Port Forwarding 140

Table 53 Port Forwarding Rule Setup 141

Table 54 Address Mapping Rules 142

Table 55 Edit Address Mapping Rule 143

Table 56 Common IP Ports 148

Table 57 ICMP Commands That Trigger Alerts 150

Table 58 Legal NetBIOS Commands 150

Table 59 Legal SMTP Commands 150

Table 60 Firewall: General 162

Table 61 Firewall Rules 164

Table 62 Firewall: Edit Rule 166

Table 63 Customized Services 167

Table 64 Firewall: Configure Customized Services 168

Table 65 Predefined Services 172

Table 66 Firewall: Anti Probing 175

Table 67 Firewall: Threshold 177

Table 68 General TMSS Settings 183

Table 69 TMSS Exception List 184

Table 70 Virus Protection 185

Table 71 Parental Controls 187

Table 72 Parental Controls Statistics 189

Table 73 Content Filter: Keyword 194

Table 74 Content Filter: Schedule 195

Table 75 Content Filter: Trusted 195

Table 76 VPN and NAT 201

Table 77 AH and ESP 204

Table 78 VPN Setup 206

Table 79 VPN and NAT 208

Table 80 Local ID Type and Content Fields 210

Table 81 Peer ID Type and Content Fields 210

Table 82 Matching ID Type and Content Configuration Example 210

Table 83 Mismatching ID Type and Content Configuration Example 211

Table 84 Edit VPN Policies 212

Table 85 Advanced VPN Policies 219

Table 86 VPN: Manual Key 222

Table 87 VPN: SA Monitor 225

Table 88 VPN: Global Setting 226

Table 89 Telecommuters Sharing One VPN Rule Example 227

Table 90 Telecommuters Using Unique VPN Rules Example 228

Table 91 Static Route 232

Table 92 Static Route Edit 233

Table 93 Application and Subnet-based Bandwidth Management Example 236

Table 94 Maximize Bandwidth Usage Example 238

Table 95 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example 238

Table 96 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example .... 239

Table 97 Over Allotment of Bandwidth Example 239

Table 98 Bandwidth Management Priorities 240

Table 99 Media Bandwidth Management: Summary 240

Table 100 Bandwidth Management: Rule Setup 242

Table 101 Bandwidth Management Rule Configuration 243

Table 102 Services and Port Numbers 245

Table 103 Dynamic DNS 248

Table 104 Remote Management: WWW 253

Table 105 Remote Management: Telnet 254

Table 106 Remote Management: FTP 255

Table 107 SNMPv1 Traps 257

Table 108 SNMPv2 Traps 257

Table 109 Remote Management: SNMP 258

Table 110 Remote Management: DNS 259

Table 111 Remote Management: ICMP 260

Table 112 TR-069 Commands 261

Table 113 Configuring UPnP 265

Table 114 System General Setup 276

Table 115 System Time Setting 278

Table 116 View Log 282

Table 117 Log Settings 283

Table 118 Firmware Upgrade 285

Table 119 Configuration 287

Table 120 Diagnostic: General 291

Table 121 Diagnostic: DSL Line 292

Table 122 Troubleshooting Starting Up Your ZyXEL Device 293

Table 123 Troubleshooting the LAN 293

Table 124 Troubleshooting the WAN 294

Table 125 Troubleshooting Accessing the ZyXEL Device 295

Table 126 Device 297

Table 127 Firmware 298

Table 128 Classes of IP Addresses 319

Table 129 Allowed IP Address Range By Class 320

Table 130 "Natural" Masks 320

Table 131 Alternative Subnet Mask Notation 321

Table 132 Two Subnets Example 321

Table 133 Subnet 1 322

Table 134 Subnet 2 322

Table 135 Subnet 1 323

Table 136 Subnet 2 323

Table 137 Subnet 3 323

Table 138 Subnet 4 324

Table 139 Eight Subnets 324

Table 140 Class C Subnet Planning 324

Table 141 Class B Subnet Planning 325

Table 142 Firewall Commands 329

Table 143 NetBIOS Filter Default Settings 336

Table 144 System Maintenance Logs 339

Table 145 System Error Logs 340

Table 146 Access Control Logs 340

Table 147 TCP Reset Logs 341

Table 148 Packet Filter Logs 341

Table 149 ICMP Logs 342

Table 150 CDR Logs 342

Table 151 PPP Logs 342

Table 152 UPnP Logs 343

Table 153 Content Filtering Logs 343

Table 154 Attack Logs 344

Table 155 IPSec Logs 345

Table 156 IKE Logs 345

Table 157 PKI Logs 348

Table 158 Certificate Path Verification Failure Reason Codes 349

Table 159 802.1X Logs 350

Table 160 ACL Setting Notes 351

Table 161 ICMP Notes 351

Table 162 Syslog Logs 352

Table 163 RFC-2408 ISAKMP Payload Types 352

Table 164 IEEE 802.11g 359

Table 165 Wireless Security Levels 360

Table 166 Comparison of EAP Authentication Types 363

Table 167 Wireless Security Relational Matrix 367

Preface

Congratulations on your purchase of the ZyXEL Device series ADSL 2+ gateway. The ZyXEL Device has a 4-port switch that allows you to connect up to 4 computers to the ZyXEL Device without purchasing a switch/hub.

Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.

About This User's Guide

This manual is designed to guide you through the configuration of your ZyXEL Device for its various applications. The web configurator parts of this guide contain background information on features configurable by web configurator.

Note: Use the web configurator or command interpreter interface to configure your ZyXEL Device. Not all features can be configured through all interfaces.

Syntax Conventions

"Enter" means for you to type one or more characters. "Select" or "Choose" means for you to use one of the predefined choices.
Mouse action sequences are denoted using a comma or right angle bracket (>) . For example, "In Windows, click Start, Settings, Control Panel" (or click Start > Settings > Control Panel) means first click the Start button, then point your mouse pointer to Settings and then click Control Panel.
"e.g.," is a shorthand for "for instance", and "i.e.," means "that is" or "in other words".
The P-661H/HW series may be referred to as the "ZyXEL Device" in this User's Guide.

Supporting Disk

Refer to the included CD for support documents.

Quick Start Guide

The Quick Start Guide is designed to help you get up and running right away. It contains connection information and instructions on getting started.

Web Configurator Online Help

Embedded web help for descriptions of individual screens and supplementary information.

ZyXEL Glossary and Web Site

Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.

User Guide Feedback

Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.

Graphics Icons Key

ZyXEL Device	Computer	Notebook computer
Server	DSLAM	Firewall
Telephone	Switch	Router

CHAPTER 1 Getting To Know Your ZyXEL Device

This chapter describes the key features and applications of your ZyXEL Device.

1.1 Introducing the ZyXEL Device

The ZyXEL Device is an ADSL2+ gateway that allows super-fast, secure Internet access over analog (POTS) or digital (ISDN) telephone lines (depending on your model).

In the ZyXEL Device product name, "H" denotes an integrated 4-port switch (hub) and "W" denotes an included wireless LAN card that provides wireless connectivity.

Models ending in "1", for example P-661H-D1, denote a device that works over the analog telephone system, POTS (Plain Old Telephone Service). Models ending in "3" denote a device that works over ISDN (Integrated Services Digital Network). Models ending in "7" denote a device that works over T-ISDN (UR-2).

Note: Only use firmware for your ZyXEL Device's specific model. Refer to the label on the bottom of your ZyXEL Device.

The DSL RJ-11 (ADSL over POTS models) or RJ-45 (ADSL over ISDN models) connects to your ADSL-enabled telephone line. The ZyXEL Device is compatible with the ADSL/ ADSL2/ADSL2+ standards. Maximum data rates attainable by the ZyXEL Device for each standard are shown in the next table.

Table 1 ADSL Standards

DATA RATE STANDARD	UPSTREAM	DOWNSTREAM
ADSL	832 kbps	8Mbps
ADSL2	3.5Mbps	12Mbps
ADSL2+	3.5Mbps	24Mbps

Note: The standard your ISP supports determines the maximum upstream and downstream speeds attainable. Actual speeds attained also depend on the distance from your ISP, line quality, etc.

1.2 Features

High Speed Internet Access

Your ZyXEL Device ADSL/ADSL2/ADSL2+ router can support downstream transmission rates of up to 24Mbps and upstream transmission rates of 3.5Mbps. Actual speeds attained depend on the ADSL service you subscribed to, distance from your ISP, line quality, etc.

Triple Play Service

The ZyXEL Device is a Triple Play Gateway, capable of simultaneously transferring data, voice and video over the Internet. The Gateway possesses advanced Quality of Service (QoS) features to provide a high standard of Triple Play delivery.

Zero Configuration Internet Access

Once you connect and turn on the ZyXEL Device, it automatically detects the Internet connection settings (such as the VCI/VPI numbers and the encapsulation method) from the ISP and makes the necessary configuration changes. In cases where additional account information (such as an Internet account user name and password) is required or the ZyXEL Device cannot connect to the ISP, you will be redirected to web screen(s) for information input or troubleshooting.

Any IP

The Any IP feature allows a computer to access the Internet and the ZyXEL Device without changing the network settings (such as IP address and subnet mask) of the computer, when the IP addresses of the computer and the ZyXEL Device are not in the same subnet.

Firewall

The ZyXEL Device is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyXEL Device firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.

Content Filtering

Content filtering allows you to block access to forbidden Internet web sites, schedule when the ZyXEL Device should perform the filtering and give trusted LAN IP addresses unfiltered Internet access.

Traffic Redirect

Traffic redirect forwards WAN traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet, thus acting as an auxiliary if your regular WAN connection fails.

Media Bandwidth Management

ZyXEL's Media Bandwidth Management allows you to specify bandwidth classes based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth classes.

Universal Plug and Play (UPnP)

Using the standard TCP/IP protocol, the ZyXEL Device and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.

PPPoE (RFC2516)

PPPoE (Point-to-Point Protocol over Ethernet) emulates a dial-up connection. It allows your ISP to use their existing network configuration with newer broadband technologies such as ADSL. The PPPoE driver on the ZyXEL Device is transparent to the computers on the LAN, which see only Ethernet and are not aware of PPPoE thus saving you from having to manage PPPoE clients on individual computers. The ZyXEL Device also includes PPPoE idle time-out (the PPPoE connection terminates after a period of no traffic that you configure) and PPPoE Dial-on-Demand (the PPPoE connection is brought up only when an Internet access request is made).

Network Address Translation (NAT)

Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).

Dynamic DNS Support

With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.

DHCP

DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyXEL Device has built-in DHCP server capability enabled by default. It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. The ZyXEL Device can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.

IP Alias

IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network.

TR-069 Compliance (P-661H Only)

TR-069 is a protocol that defines how your ZyXEL Device can be managed via a management server such as ZyXEL's Vantage CNM Access. The management server can securely manage and update configuration changes in ZyXEL Devices.

Housing

Your ZyXEL Device's compact and ventilated housing minimizes space requirements making it easy to position anywhere in your busy office.

4-port Switch

A combination of switch and router makes your ZyXEL Device a cost-effective and viable network solution. You can connect up to four computers to the ZyXEL Device without the cost of a hub. Use a hub to add more than four computers to your LAN.

1.2.1 Wireless Features (Wireless Devices Only)

Wireless LAN

The ZyXEL Device supports the IEEE 802.11g standard, which is fully compatible with the IEEE 802.11b standard, meaning that you can have both IEEE 802.11b and IEEE 802.11g wireless clients in the same wireless network.

Note: The ZyXEL Device may be prone to RF (Radio Frequency) interference from other 2.4 GHz devices such as microwave ovens, wireless phones, Bluetooth enabled devices, and other wireless LANs.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification standard. Key differences between WPA and WEP are user authentication and improved data encryption.

WPA2

WPA 2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to TKIP, WPA2 also uses Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption.

Antenna

The ZyXEL Device is equipped with one 3dBi fixed antenna to provide clear radio signal between the wireless stations and the access points.

WEP Encryption

WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.

Output Power Management

Output power management is the ability to set the level of output power.

There may be interference or difficulty with channel assignment when there is a high density of APs within a coverage area. In this case you can lower the output power of each access point, thus enabling you to place access points closer together.

Wireless LAN MAC Address Filtering

Your ZyXEL Device can check the MAC addresses of wireless stations against a list of allowed or denied MAC addresses.

1.3 Applications for the ZyXEL Device

Here are some example uses for which the ZyXEL Device is well suited.

1.3.1 Protected Internet Access

The ZyXEL Device is the ideal high-speed Internet access solution. It is compatible with all major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers and supports the ADSL standards as shown in Table 1 on page 35.

The ZyXEL Device provides protection from attacks by Internet hackers. By default, the firewall blocks all incoming traffic from the WAN. The firewall supports TCP/UDP inspection and DoS (Denial of Services) detection and prevention, as well as real time alerts, reports and logs.

ZYXEL PRESTIGE 661H - Protected Internet Access - 1
Figure 1 Protected Internet Access Applications

1.3.2 LAN to LAN Application

You can use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application example is shown as follows.

ZYXEL PRESTIGE 661H - LAN to LAN Application - 1
Figure 2 LAN-to-LAN Application Example

1.4 Front Panel LEDs

The following figure shows the front panel LEDs.

ZYXEL PRESTIGE 661H - Front Panel LEDs - 1
Figure 3 Front Panel

The following table describes the LEDs.

Table 2 Front Panel LEDs

LED	COLOR	STATUS	DESCRIPTION
POWER	Green	On	The ZyXEL Device is receiving power and functioning properly.
	Green	Blinking	The ZyXEL Device is rebooting or performing diagnostics.
	Rd	On	Power to the ZyXEL Device is too low.
		Off	The system is not ready or has malfunctioned.
ETHERNET	Green	On	The ZyXEL Device has a successful 10Mb Ethernet connection.
	Green	Blinking	The ZyXEL Device is sending/receiving data.
	Amber	On	The ZyXEL Device has a successful 100Mb Ethernet connection.
	Amber	Blinking	The ZyXEL Device is sending/receiving data.
		Off	The LAN is not connected.
WLAN (wireless devices only)	Green	On	The ZyXEL Device is ready, but is not sending/receiving data through the wireless LAN.
	Green	Blinking	The ZyXEL Device is sending/receiving data through the wireless LAN.
		Off	The wireless LAN is not ready or has failed.
DSL	Green	On	The DSL line is up.
		Blinking	The ZyXEL Device is initializing the DSL line.
		Off	The DSL line is down.
INTERNET	Green	On	The Internet connection is up.
		Blinking	The ZyXEL Device is sending/receiving data.
		Off	The Internet connection is down.

1.5 Hardware Connection

Refer to the Quick Start Guide for information on hardware connection.

1.6 Splitters and Microfilters

This section describes how to connect ADSL splitters and microfilters. See your Quick Start Guide for details on other hardware connections.

1.6.1 Connecting a POTS Splitter

When you use the Full Rate (G.dmt) ADSL standard, you can use a POTS (Plain Old Telephone Service) splitter to separate the telephone and ADSL signals. This allows simultaneous Internet access and telephone service on the same line. A splitter also eliminates the destructive interference conditions caused by telephone sets.

Install the POTS splitter at the point where the telephone line enters your residence, as shown in the following figure.

ZYXEL PRESTIGE 661H - Connecting a POTS Splitter - 1
Figure 4 Connecting a POTS Splitter

1 Connect the side labeled "Phone" to your telephone.
2 Connect the side labeled "Modem" or "DSL" to your ZyXEL Device.
3 Connect the side labeled "Line" to the telephone wall jack.

1.6.2 Telephone Microfilters

Telephone voice transmissions take place in the lower frequency range, 0 - 4KHz, while ADSL transmissions take place in the higher bandwidth range, above 4KHz. A microfilter acts as a low-pass filter, for your telephone, to ensure that ADSL transmissions do not interfere with your telephone voice transmissions. The use of a telephone microfilter is optional.

1 Locate and disconnect each telephone.
2 Connect a cable from the wall jack to the "wall side" of the microfilter.
3 Connect the "phone side" of the microfilter to your telephone as shown in the following figure.
4 After you are done, make sure that your telephone works. If your telephone does not work, disconnect the microfilter and contact either your local telephone company or the provider of the microfilter.

ZYXEL PRESTIGE 661H - Telephone Microfilters - 1
Figure 5 Connecting a Microfilter

CHAPTER 2 Introducing the Web

Configurator

This chapter describes how to access and navigate the web configurator.

2.1 Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy ZyXEL Device setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.

In order to use the web configurator you need to allow:

Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
JavaScripts (enabled by default).
Java permissions (enabled by default).

See the chapter on troubleshooting if you need to make sure these functions are allowed in Internet Explorer.

2.2 Accessing the Web Configurator

Note: Even though you can connect to the device wirelessly (wireless devices only), it is recommended that you connect your computer to a LAN port for initial configuration.

1 Make sure your ZyXEL Device hardware is properly connected (refer to the Quick Start Guide).
2 Prepare your computer/computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
3 Launch your web browser.
4 Type "192.168.1.1" as the URL.
5 A window displays as shown. Enter the default admin password 1234 to configure the wizards and the advanced features or enter the default user password user to view the

status only. Click Login to proceed to a screen asking you to change your password or click Cancel to revert to the default password.

ZYXEL PRESTIGE 661H - Accessing the Web Configurator - 1
Figure 6 Password Screen

6 If you entered the user password, skip the next two steps and refer to Section 2.4.2 on page 51 for more information about the Status screen.
7 If you entered the admin password, it is highly recommended you change the default admin password! Enter a new password between 1 and 30 characters, retype it to confirm and click Apply; alternatively click Ignore to proceed to the main menu if you do not want to change the password now.

Note: If you do not change the password at least once, the following screen appears every time you log in with the admin password.

ZYXEL PRESTIGE 661H - Accessing the Web Configurator - 2
Figure 7 Change Password at Login

8 The next screen depends on which password (admin or user) you used in step 5. Select Go to Wizard setup, and click Apply to display the wizard main screen. Select Go to Advanced setup or View Device Status, and click Apply to display the Status screen. Select Change Password if you want to change the user password.

Figure 8 Select a Mode
ZYXEL PRESTIGE 661H - Accessing the Web Configurator - 3
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyXEL Device if this happens to you.

2.3 Resetting the ZyXEL Device

If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the ZyXEL Device to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to "1234".

2.3.1 Using the Reset Button

1 Make sure the POWER LED is on (not blinking).
2 Press the RESET button for ten seconds or until the POWER LED begins to blink and then release it. When the POWER LED begins to blink, the defaults have been restored and the ZyXEL Device restarts.

2.4 Navigating the Web Configurator

We use the P-661H-D1 web screens in this guide as an example. Screens vary slightly for different ZyXEL Device models.

After you enter the admin password, use the sub-menus on the navigation panel to configure ZyXEL Device features. The following table describes the sub-menus.

ZYXEL PRESTIGE 661H - Navigation Panel - 1
Figure 9 Web Configurator: Main Screen

Note: Click the icon (located in the top right corner of most screens) to view embedded help.

Table 3 Web Configurator Screens Summary

LINK/ICON	SUB-LINK	FUNCTION
Wizard	INTERNET SETUP	Use these screens for initial configuration including general setup, ISP parameters for Internet Access and WAN IP/DNS Server/MAC address assignment.
Wizard	BANDWIDTH MANAGEMENT SETUP	Use these screens to limit bandwidth usage by application or packet size.
Logout		Click this icon to exit the web configurator.
Status		Use this screen to look at the ZyXEL Device's general device, system and interface status information. You can also access the summary statistics tables.
Network
WAN	Internet Connection	Use this screen to configure ISP parameters, WAN IP address assignment, and more advanced properties.
	More Connections	Use this screen to configure and place calls to a remote gateway.
	WAN Backup Setup	Use this screen to configure your traffic redirect properties and WAN backup settings.
LAN	IP	Use this screen to configure LAN TCP/IP settings, enable Any IP and other advanced properties.
	DHCP Setup	Use this screen to configure LAN DHCP settings.
	Client List	Use this screen to view current DHCP client information and to always assign an IP address to a MAC address (and host name).
	IP Alias	Use this screen to partition your LAN interface into subnets.
Wireless LAN (wireless devices only)	General	Use this screen to configure the wireless LAN settings and WLAN authentication/security settings.
	OTIST	This screen allows you to assign wireless clients the ZyXEL Device's wireless security settings.
	MAC Filter	Use this screen to configure the ZyXEL Device to block access to devices or block the devices from accessing the ZyXEL Device.
	QoS	WMM QoS allows you to prioritize wireless traffic according to the delivery requirements of the individual and applications.
NAT	General	Use this screen to enable NAT.
	Port Forwarding	Use this screen to configure servers behind the ZyXEL Device.
	Address Mapping	Use this screen to configure network address translation mapping rules.
Security
Firewall	General	Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule.
	Rules	This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
	Anti Probing	Use this screen to change your anti-probing settings.
	Threshold	Use this screen to configure the threshold for DoS attacks.
TMSS	General	Use this screen to enable and disable TMSS services and parental control. You can also use this screen to check for updates regularly.
	Exception List	Use this screen to stop specific computers from using TMSS services.
	Virus Protection	Use this screen to look at the current status of anti-virus software on each computer.
	Parental Control	Use this screen to place restrictions on children's use.
Content Filter	Keyword	Use this screen to block sites containing certain keywords in the URL.
	Schedule	Use this screen to set the days and times for the ZyXEL Device to perform content filtering.
	Trusted	Use this screen to exclude a range of users on the LAN from content filtering on your ZyXEL Device.
VPN	Setup	Use this screen to configure each VPN tunnel.
	Monitor	Use this screen to look at the current status of each VPN tunnel.
	VPN Global Setting	Use this screen to allow NetBIOS traffic through VPN tunnels.
Advanced
Static Route		Use this screen to configure IP static routes.
Bandwidth MGMT	Summary	Use this screen to enable bandwidth management on an interface.
	Rule Setup	Use this screen to define a bandwidth rule.
	Monitor	Use this screen to view the ZyXEL Device's bandwidth usage and allotments.
Dynamic DNS		Use this screen to set up dynamic DNS.
Remote MGMT	WWW	Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyXEL Device.
	Telnet	Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyXEL Device.
	FTP	Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyXEL Device.
	SNMP	Use this screen to configure your ZyXEL Device's settings for Simple Network Management Protocol management.
	DNS	Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyXEL Device.
	ICMP	Use this screen to change your anti-probing settings.
UPnP		Use this screen to enable UPnP on the ZyXEL Device.
Maintenance
System	General	This screen contains administrative and system-related information and also allows you to change your password.
System	Time Setting	Use this screen to change your ZyXEL Device's time and date.
Logs	View Log	Use this screen to view the logs for the categories that you selected.
Logs	Log Settings	Use this screen to change your ZyXEL Device's log settings.
Tools	Firmware	Use this screen to upload firmware to your ZyXEL Device.
	Configuration	Use this screen to backup and restore the configuration or reset the factory defaults to your ZyXEL Device.
	Restart	This screen allows you to reboot the ZyXEL Device without turning the power off.
Diagnostic	General	These screens display information to help you identify problems with the ZyXEL Device general connection.
Diagnostic	DSL Line	These screens display information to help you identify problems with the DSL line.

2.4.2 Status Screen

The following summarizes how to navigate the web configurator from the Status screen. Some fields or links are not available if you entered the user password in the login password screen (see Figure 6 on page 46).

ZYXEL PRESTIGE 661H - Status Screen - 1
Figure 10 Status Screen

The following table describes the labels shown in the Status screen.

Table 4 Status Screen

LABEL	DESCRIPTION
Refresh Interval	Select a number of seconds or None from the drop-down list box to refresh all screen statistics automatically at the end of every time interval or to not refresh the screen statistics.
Apply	Click this button to refresh the status screen statistics.
Device Information
Host Name	This is the System Name you enter in the Maintenance, System, General screen. It is for identification purposes.
Model Number
MAC Address	This is the MAC (Media Access Control) or Ethernet address unique to your ZyXEL Device.
ZyNOS Firmware Version	This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
WAN Information
DSL Mode	This is the standard that your ZyXEL Device is using.
IP Address	This is the WAN port IP address.
IP Subnet Mask	This is the WAN port IP subnet mask.

Table 4 Status Screen

LABEL	DESCRIPTION
Default Gateway	This is the IP address of the default gateway, if applicable.
VPI/VCI	This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the Wizard or WAN screen.
LAN Information
IP Address	This is the LAN port IP address.
IP Subnet Mask	This is the LAN port IP subnet mask.
DHCP	This is the WAN port DHCP role - Server, Relay or None.
WLAN Information (Wireless devices only)
SSID	This is the descriptive name used to identify the ZyXEL Device in the wireless LAN.
Channel	This is the channel number used by the ZyXEL Device now.
WEP	This displays the status of WEP data encryption.
Security
Firewall	This displays whether or not the ZyXEL Device's firewall is activated.
Content Filter	This displays whether or not the ZyXEL Device's content filtering is activated.
System Status
System Uptime	This is the total time the ZyXEL Device has been on.
Current Date/Time	This field displays your ZyXEL Device's present date and time.
System Mode	This displays whether the ZyXEL Device is functioning as a router or a bridge.
CPU Usage	This number shows how many kilobytes of the heap memory the ZyXEL Device is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.The bar displays what percent of the ZyXEL Device's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Memory Usage	This number shows the ZyXEL Device's total heap memory (in kilobytes).The bar displays what percent of the ZyXEL Device's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Interface Status
Interface	This displays the ZyXEL Device port types.
Status	This field displays Down (line is down), Up (line is up or connected) if you're using Ethernet encapsulation and Down (line is down), Up (line is up or connected), Idle (line (ppp) idle), Dial (starting to trigger a call) and Drop (dropping a call) if you're using PPPoE encapsulation.For the WLAN port, it displays Active when WLAN is enabled or Inactive when WLAN is disabled.

Table 4 Status Screen

LABEL	DESCRIPTION
Rate	For the LAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time. The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect. Simultaneous transmissions over the same port (Full-duplex) essentially double the bandwidth.For the WAN port, it displays the downstream and upstream transmission rate.For the WLAN port, it displays the transmission rate when WLAN is enabled or N/A when WLAN is disabled.
Summary
Any IP Table	Use this screen to view a list of IP addresses and MAC addresses of computers, which are not in the same subnet as the ZyXEL Device.
VPN Status	Use this screen to view the status of any VPN tunnels the ZyXEL Device has negotiated.
Bandwidth Status	Use this screen to view the ZyXEL Device's bandwidth usage and allotments.
Packet Statistics	Use this screen to view port status and packet specific statistics.
WLAN Status (wireless devices only)	This screen displays the MAC address(es) of the wireless stations that are currently associating with the ZyXEL Device.

2.4.3 Status: Any IP Table

Click the Any IP Table hyperlink in the Status screen. The Any IP table shows current readily information (including the IP address and the MAC address) of all network devices that use the Any IP feature to communicate with the ZyXEL Device.

ZYXEL PRESTIGE 661H - Status: Any IP Table - 1
Figure 11 Status: Any IP Table

The following table describes the labels in this screen.

Table 5 Status: Any IP Table

LABEL	DESCRIPTION
#	This is the index number of the host computer.
IP Address	This field displays the IP address of the network device.
MAC Address	This field displays the MAC (Media Access Control) address of the computer with the displayed IP address. Every Ethernet device has a unique MAC address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
Refresh	Click Refresh to update this screen.

2.4.4 Status: WLAN Status (Wireless devices only)

Click WLAN Status in the Status screen to open this screen. Use this screen to view the wireless stations that are currently associated to the ZyXEL Device.

ZYXEL PRESTIGE 661H - Status: WLAN Status (Wireless devices only) - 1
Figure 12 Status: WLAN Status

The following table describes the labels in this screen.

Table 6 Status: WLAN Status

LABEL	DESCRIPTION
#	This is the index number of an associated wireless station.
MAC Address	This field displays the MAC (Media Access Control) address of an associated wireless station.
Association Time	This field displays the time a wireless station first associated with the ZyXEL Device.
Refresh	Click Refresh to reload this screen.

2.4.5 Status: VPN Status

Click the VPN Status hyperlink in the Status screen. The VPN Status shows the current status of any VPN tunnels the ZyXEL Device has negotiated.

ZYXEL PRESTIGE 661H - Status: VPN Status - 1
Figure 13 Status: VPN Status

The following table describes the labels in this screen.

Table 7 Status: VPN Status

LABEL	DESCRIPTION
No	This is the security association index number.
Name	This field displays the identification name for this VPN policy.
Encapsulation	This field displays Tunnel or Transport mode.
IPSec Algorithm	This field displays the security protocol, encryption algorithm, and authentication algorithm used in each SA.
Disconnect	Select one of the security associations, and then click Disconnect to stop that security association.
Refresh	Click Refresh to display the current active VPN connection(s).

2.4.6 Status: Bandwidth Status

Select the Bandwidth Status hyperlink in the Status screen. View the bandwidth usage of the configured bandwidth rules. This is also shown as bandwidth usage over the bandwidth budget for each rule. The gray section of the bar represents the percentage of unused bandwidth and the orange color represents the percentage of bandwidth in use.

ZYXEL PRESTIGE 661H - Status: Bandwidth Status - 1
Figure 14 Status: Bandwidth Status

2.4.7 Status: Packet Statistics

Click the Packet Statistics hyperlink in the Status screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable.

ZYXEL PRESTIGE 661H - Status: Packet Statistics - 1
Figure 15 Status: Packet Statistics

The following table describes the fields in this screen.

Table 8 Status: Packet Statistics

LABEL	DESCRIPTION
System Monitor
System up Time	This is the elapsed time the system has been up.
Current Date/Time	This field displays your ZyXEL Device's present date and time.
CPU Usage	This field specifies the percentage of CPU utilization.
Memory Usage	This field specifies the percentage of memory utilization.
WAN Port Statistics	This is the WAN or LAN port.
Link Status	This is the status of your WAN link.
WAN IP Address	This is the IP address assigned to your ZyXEL Device on the WAN.
Upstream Speed	This is the upstream speed of your ZyXEL Device.
Downstream Speed	This is the downstream speed of your ZyXEL Device.
Node-Link	This field displays the remote node index number and link type. Link types are PPPoA, ENET, RFC 1483 and PPPoE.
Status	This field displays Down (line is down), Up (line is up or connected) if you're using Ethernet encapsulation and Down (line is down), Up (line is up or connected), Idle (line (ppp) idle), Dial (starting to trigger a call) and Drop (dropping a call) if you're using PPPoE encapsulation.
TxPkts	This field displays the number of packets transmitted on this port.
RxPkts	This field displays the number of packets received on this port.
Errors	This field displays the number of error packets on this port.
Tx B/s	This field displays the number of bytes transmitted in the last second.
Rx B/s	This field displays the number of bytes received in the last second.
Up Time	This field displays the elapsed time this port has been up.
LAN Port Statistics
Interface	This field displays the type of port.
Status	This field displays Down (line is down), Up (line is up or connected) if you're using Ethernet encapsulation and Down (line is down), Up (line is up or connected), Idle (line (ppp) idle), Dial (starting to trigger a call) and Drop (dropping a call) if you're using PPPoE encapsulation.For the WLAN port (wireless devices only), it displays the transmission rate when WLAN is enabled or N/A when WLAN is disabled.
TxPkts	This field displays the number of packets transmitted on this port.
RxPkts	This field displays the number of packets received on this port.
Collisions	This is the number of collisions on this port.
Poll Interval(s)	Type the time interval for the browser to refresh system statistics.
Set Interval	Click this button to apply the new poll interval you entered in the Poll Interval field above.
Stop	Click this button to halt the refreshing of the system statistics.

It is highly recommended that you periodically change the password for accessing the ZyXEL Device. If you didn't change the default one after you logged in or you want to change to a new password again, then click Maintenance > System to display the screen as shown next.

ZYXEL PRESTIGE 661H - Changing Login Password - 1
Figure 16 System General

The following table describes the fields in this screen.

Table 9 System General: Password

LABEL	DESCRIPTION
Old Password	Type the default password or the existing password you use to access the system in this field.
New Password	Type the new password in this field.
Retype to Confirm	Type the new password again in this field.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

CHAPTER 3 Wizards

Use these screens to configure Internet access or to configure basic bandwidth management.

Note: See the advanced menu chapters for background information on these fields.

To access the wizards, click Go to Wizard setup in Figure 8 on page 47, or click the wizard icon ( ) in the top right corner of the web configurator. The wizard main screen appears.

ZYXEL PRESTIGE 661H - Wizards - 1
Figure 17 Wizard Main Screen

The following table describes the fields in this screen.

Table 10 Wizard Main Screen

LABEL	DESCRIPTION
INTERNET/WIRELESSSETUP	Click this if you want to configure Internet access and wireless network settings (wireless devices only). See Section 3.1 on page 60.
BANDWIDTHMANAGEMENTSETUP	Click this if you want to configure basic bandwidth management. See Section 3.3 on page 72.
Exit	Click this to close the wizard main screen and return to the Status screen or the main window.

3.1 Internet Setup Wizard

Use these screens to configure Internet access and wireless network settings (wireless devices only). To access this wizard, click INTERNET/WIRELESS SETUP in the wizard main screen.

Wait while the device tries to detect your DSL connection and connection type.

Figure 18 Internet Setup Wizard: Connection Test
ZYXEL PRESTIGE 661H - Internet Setup Wizard - 1
The next screen depends on the results.

3.1.1 Automatic Detection

The ZyXEL Device detected the DSL connection and the Internet settings.

Figure 19 Internet Setup Wizard: Automatic Detection
ZYXEL PRESTIGE 661H - Automatic Detection - 1
Click Next to continue to the next screen, or click Exit to close the wizard main screen and return to the Status screen or the main window.

3.1.2 Manual Configuration

The ZyXEL Device detected the DSL connection but not the Internet settings. You should specify the Internet settings manually.

3.1.2.1 Screen 1

ZYXEL PRESTIGE 661H - Screen 1 - 1
Figure 20 Internet Setup Wizard: Manual Configuration

Click Back to return to the wizard main screen. Click Next to continue to the next screen. Click Exit to close the wizard main screen and return to the Status screen or the main window.

3.1.2.2 Screen 2

This screen lets you enter some of the ISP settings for your Internet connection.

ZYXEL PRESTIGE 661H - Screen 2 - 1
Figure 21 Internet Access Wizard Setup: ISP Parameters

The following table describes the fields in this screen.

Table 11 Internet Setup Wizard: ISP Parameters

LABEL	DESCRIPTION
Mode	Select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise, select Bridge.
Encapsulation	Select the encapsulation type your ISP uses from the Encapsulation drop-down list box. Choices vary depending on what you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE.
Multiplexing	Select the multiplexing method used by your ISP from the Multiplex drop-down list box either VC-based or LLC-based.
Virtual Circuit ID	VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit. Refer to the appendix for more information.
VPI	Enter the VPI assigned to you. This field may already be configured.
VCI	Enter the VCI assigned to you. This field may already be configured.
Back	Click Back to go back to the previous screen.
Next	Click Next to continue to the next wizard screen. The next wizard screen you see depends on what mode and encapsulation you selected above.
Exit	Click Exit to close the wizard screen without saving your changes.

3.1.2.3 Screen 3

These screens let you enter the rest of the Internet settings, which depend on the encapsulation your Internet connection uses (and the mode you selected, for RFC1483).

This screen appears if your Internet connection uses Ethernet encapsulation.

ZYXEL PRESTIGE 661H - Screen 3 - 1
Figure 22 Internet Setup Wizard: ISP Parameters (Ethernet)

The following table describes the fields in this screen.

Table 12 Internet Setup Wizard: ISP Parameters (Ethernet)

LABEL	DESCRIPTION
Obtain an IP Address Automatically	Select this if you have a dynamic IP address.
Static IP Address	Select this if you have a static (fixed) IP address, and enter the information below.
	These fields appear if you select Static IP Address.
IP Address	Enter the static IP address provided by your ISP.
Subnet Mask	Enter the subnet mask provided by your ISP.
Gateway IP Address	Enter the IP address of the gateway provided by your ISP. If your ISP did not provide one, use the default value.
First DNS Server Second DNS Server	Enter the IP address(es) of the DNS server(s) provided by your ISP. If your ISP did not provide one or both, use the default value(s).
Back	Click Back to go back to the previous screen.
Apply	Click Apply to finish manual configuration. The ZyXEL Device tries to detect the connection again. See Section 3.1 on page 60.
Exit	Click Exit to close the wizard screen without saving your changes.

This screen appears if your Internet connection uses PPPoE encapsulation.

ZYXEL PRESTIGE 661H - Screen 3 - 2
Figure 23 Internet Setup Wizard: ISP Parameters (PPPoE)

The following table describes the fields in this screen.

Table 13 Internet Setup Wizard: ISP Parameters (PPPoE)

LABEL	DESCRIPTION
User Name	Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
Password	Enter the password associated with the user name above.
Service Name	Type the name of your PPPoE service here. Leave this field blank if your ISP did not provide you a PPPoE service.
Back	Click Back to go back to the previous screen.
Apply	Click Apply to finish manual configuration. The ZyXEL Device tries to detect the connection again. See Section 3.1 on page 60.
Exit	Click Exit to close the wizard screen without saving your changes.

This screen appears if your Internet connection uses RFC1483 encapsulation in routing mode.

ZYXEL PRESTIGE 661H - Screen 3 - 3
Figure 24 Internet Setup Wizard: ISP Parameters (RFC1483 + Routing Mode)

The following table describes the fields in this screen.

Table 14 Internet Setup Wizard: ISP Parameters (RFC1483 + Routing Mode)

LABEL	DESCRIPTION
IP Address	Enter the static IP address provided by your ISP.
Back	Click Back to go back to the previous screen.
Apply	Click Apply to finish manual configuration. The ZyXEL Device tries to detect the connection again. See Section 3.1 on page 60.
Exit	Click Exit to close the wizard screen without saving your changes.

This screen appears if your Internet connection uses PPPoA encapsulation.

ZYXEL PRESTIGE 661H - Screen 3 - 4
Figure 25 Internet Setup Wizard: ISP Parameters (PPPoA)

The following table describes the fields in this screen.

Table 15 Internet Setup Wizard: ISP Parameters (PPPoA)

LABEL	DESCRIPTION
User Name	Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
Password	Enter the password associated with the user name above.
Back	Click Back to go back to the previous screen.
Apply	Click Apply to finish manual configuration. The ZyXEL Device tries to detect the connection again. See Section 3.1 on page 60.
Exit	Click Exit to close the wizard screen without saving your changes.

No additional screen appears if your Internet connection uses RFC1483 encapsulation in bridge mode. In this case, the ZyXEL Device immediately tries to detect the connection again. See Section 3.1 on page 60.

3.1.3 No DSL Detection

The ZyXEL Device cannot detect the DSL connection. Check your hardware connections.

ZYXEL PRESTIGE 661H - No DSL Detection - 1
Figure 26 Internet Setup Wizard: No DSL Connection

Click Restart the Internet/Wireless Setup Wizard to return to the wizard main screen. Click Next to continue to the Wireless Setup Wizard (wireless devices only), or click Exit to close the wizard main screen and return to the Status screen or the main window.

3.2 Wireless Connection Wizard Setup (wireless devices only)

After you configure the Internet access information, use the following screens to set up your wireless LAN.

1 Select Yes and click Next to configure wireless settings. Otherwise, select No and skip to Step 6.

ZYXEL PRESTIGE 661H - Wireless Connection Wizard Setup (wireless devices only) - 1
Figure 27 Connection Test Successful

2 Use this screen to activate the wireless LAN and OTIST. Click Next to continue.

ZYXEL PRESTIGE 661H - Wireless Connection Wizard Setup (wireless devices only) - 2
Figure 28 Wireless LAN Setup Wizard 1

The following table describes the labels in this screen.

Table 16 Wireless LAN Setup Wizard 1

LABEL	DESCRIPTION
Active	Select the check box to turn on the wireless LAN.
Enable OTIST	Select the check box to enable OTIST if you want to transfer your ZyXEL Device's SSID and WPA-PSK security settings to wireless clients that support OTIST and are within transmission range. You must also activate and start OTIST on the wireless client at the same time. The process takes three minutes to complete. Note: Enable OTIST only if your wireless clients support WPA and OTIST
Setup Key	Type an OTIST Setup Key of up to eight ASCII characters in length. Be sure to use the same OTIST Setup Key on the ZyXEL Device and wireless clients.
Back	Click Back to display the previous screen.
Next	Click Next to proceed to the next screen.
Exit	Click Exit to close the wizard screen without saving.

3 Configure your wireless settings in this screen. Click Next.

ZYXEL PRESTIGE 661H - Wireless Connection Wizard Setup (wireless devices only) - 3
Figure 29 Wireless LAN Setup Wizard 2

The following table describes the labels in this screen.

Table 17 Wireless LAN Setup Wizard 2

LABEL	DESCRIPTION
Network Name(SSID)	Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyXEL Device, make sure all wireless stations use the same SSID in order to access the network.
Channel Selection	The range of radio frequencies used by IEEE 802.11b/g wireless devices is called a channel. Select a channel ID that is not already in use by a neighboring device.
Security	Select Automatically assign a WPA key (Recommended) to have the ZyXEL Device create a pre-shared key (WPA-PSK) automatically only if your wireless clients support WPA and OTIST. This option is available only when you enable OTIST in the previous wizard screen. Select Manually assign a WPA-PSK key to configure a Pre-Shared Key (WPA-PSK). Choose this option only if your wireless clients support WPA. See Section 3.2.1 on page 69 for more information. Select Manually assign a WEP key to configure a WEP Key. See Section 3.2.2 on page 69 for more information. Select Disable wireless security to have no wireless LAN security configured and your network is accessible to any wireless networking device that is within range. Note: If you enable OTIST in the previous wizard screen but select Disable wireless security here, the ZyXEL Device still creates a pre-shared key (WPA-PSK) automatically. If you enable OTIST and select Manually assign a WEP key, the ZyXEL Device will replace the WEP key with a WPA-PSK
Back	Click Back to display the previous screen.
Next	Click Next to proceed to the next screen.
Exit	Click Exit to close the wizard screen without saving.

Note: The wireless stations and ZyXEL Device must use the same SSID, channel ID and WEP encryption key (if WEP is enabled), WPA-PSK (if WPA-PSK is enabled) for wireless communication.

4 This screen varies depending on the security mode you selected in the previous screen. Fill in the field (if available) and click Next.

3.2.1 Manually assign a WPA-PSK key

Choose Manually assign a WPA-PSK key in the Wireless LAN setup screen to set up a PreShared Key.

ZYXEL PRESTIGE 661H - Manually assign a WPA-PSK key - 1
Figure 30 Manually assign a WPA key

The following table describes the labels in this screen.

Table 18 Manually assign a WPA key

LABEL	DESCRIPTION
Pre-Shared Key	Type from 8 to 63 case-sensitive ASCII characters. You can set up the most secure wireless connection by configuring WPA in the wireless LAN screens. You need to configure an authentication server to do this.
Back	Click Back to display the previous screen.
Next	Click Next to proceed to the next screen.
Exit	Click Exit to close the wizard screen without saving.

3.2.2 Manually assign a WEP key

Choose Manually assign a WEP key to setup WEP Encryption parameters.

ZYXEL PRESTIGE 661H - Manually assign a WEP key - 1
Figure 31 Manually assign a WEP key

The following table describes the labels in this screen.

Table 19 Manually assign a WEP key

LABEL	DESCRIPTION
Key	The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. Enter any 5, 13 or 29 ASCII characters or 10, 26 or 58 hexadecimal characters ("0-9", "A-F") for a 64-bit, 128-bit or 256-bit WEP key respectively.
Back	Click Back to display the previous screen.
Next	Click Next to proceed to the next screen.
Exit	Click Exit to close the wizard screen without saving.

5 Click Apply to save your wireless LAN settings.

ZYXEL PRESTIGE 661H - Manually assign a WEP key - 2
Figure 32 Wireless LAN Setup: Apply

ZYXEL PRESTIGE 661H - Manually assign a WEP key - 3
Figure 33 Internet Setup Wizard: Summary Screen

6 Use the read-only summary table to check whether what you have configured is correct. Click Finish to complete and save the wizard setup. The following table describes the fields in this screen.

Table 20 Internet Setup Wizard: Summary

LABEL	DESCRIPTION
Return to Wizard Main Page	Click this to return to the wizard main page.
Go to Advanced Setup Page	This field is displayed if you are using the admin password. Click this to go to the main window.
View Device Status	This field is displayed if you are using the user password. Click this to go to the Status screen.
Finish	Click this to close the wizard main screen and return to the Status screen or the main window.

Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this guide for more detailed information on the complete range of ZyxEL Device features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct.

3.3 Bandwidth Management Wizard

Use these screens to control the amount of bandwidth going out through the ZyXEL Device's WAN port and prioritize the distribution of the bandwidth. This helps keep one service, or application, from using all of the available bandwidth and shutting out other services.

The following table describes the services you can select.

Table 21 Media Bandwidth Management Setup: Services

SERVICE	DESCRIPTION
E-Mail	Electronic mail consists of messages sent through a computer network to specific groups or individuals. Here are some default ports for e-mail:POP3 - port 110IMAP - port 143SMTP - port 25HTTP - port 80
FTP	File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail. FTP uses port number 21.
NetMeeting (H.323)	A multimedia communications product from Microsoft that enables groups to teleconference and videoconference over the Internet. NetMeeting supports VoIP, text chat sessions, a whiteboard, and file transfers and application sharing.NetMeeting uses H.323. H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service.H.323 is transported primarily over TCP, using the default port number 1720.
VoIP (H.323)	Sending voice signals over the Internet is called Voice over IP or VoIP.H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service.H.323 is transported primarily over TCP, using the default port number 1720.
VoIP (SIP)	Sending voice signals over the Internet is called Voice over IP or VoIP. Session Initiated Protocol (SIP) is an internationally recognized standard for implementing VoIP. SIP is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.SIP is transported primarily over UDP but can also be transported over TCP, using the default port number 5060.
Telnet	Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. Telnet uses TCP port 23.
TFTP	Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
WWW	The World Wide Web (WWW) is an Internet system to distribute graphical, hyper-linked information, based on Hyper Text Transfer Protocol (HTTP) - a client/server protocol for the World Wide Web. The Web is not synonymous with the Internet; rather, it is just one service on the Internet. Other services on the Internet include Internet Relay Chat and Newsgroups. The Web is accessed through use of a browser.

To access this wizard, open the web configurator (see Section 2.2 on page 45) and click BANDWIDTH MANAGEMENT SETUP in the wizard main screen.

3.3.1 Screen 1

Activate bandwidth management and select to allocate bandwidth to packets based on the services.

ZYXEL PRESTIGE 661H - Screen 1 - 1
Figure 34 Bandwidth Management Wizard: General Information

The following fields describe the label in this screen.

Table 22 Bandwidth Management Wizard: General Information

LABEL	DESCRIPTION
Active	Select the Active check box to have the ZyXEL Device apply bandwidth management to traffic going out through the ZyXEL Device's WAN, LAN or WLAN port. Select Services Setup to allocate bandwidth based on the service requirements.
Back	Click Back to display the previous screen.
Next	Click Next to proceed to the next screen.
Exit	Click Exit to close the wizard screen without saving.

3.3.2 Screen 2

Use the second wizard screen to select the services that you want to apply bandwidth management, and select the priorities that you want to apply to the services listed.

ZYXEL PRESTIGE 661H - Screen 2 - 1
Figure 35 Bandwidth Management Wizard: Configuration

The following table describes the labels in this screen.

Table 23 Bandwidth Management Wizard: Configuration

LABEL	DESCRIPTION
Active	Select an entry's Active check box to turn on bandwidth management for the service/application.
Service	These fields display the services names.
Priority	Select High, Mid or Low priority for each service to have your ZyXEL Device use a priority for traffic that matches that service.A service with High priority is given as much bandwidth as it needs.If you select services as having the same priority, then bandwidth is divided equally amongst those services.Services not specified in bandwidth management are allocated bandwidth after all specified services receive their bandwidth requirements.If the rules set up in this wizard are changed in Advanced > Bandwidth MGMT > Rule Setup, then the service priority radio button will be set to User Configured.The Advanced > Bandwidth MGMT > Rule Setup screen allows you to edit these rule configurations.
Auto classifier rest bandwidth	Select Auto classifier rest bandwidth to automatically allocate unbudgeted or unused bandwidth to services based on the packet type.
Back	Click Back to go back to the previous wizard screen.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Exit	Click Exit to close the wizard screen without saving your changes.

3.3.3 Screen 3

Follow the on-screen instructions and click Finish to complete the wizard setup and save your configuration.

ZYXEL PRESTIGE 661H - Screen 3 - 1
Figure 36 Bandwidth Management Wizard: Complete

CHAPTER 4 WAN Setup

This chapter describes how to configure WAN settings.

4.1 WAN Overview

A WAN (Wide Area Network) is an outside connection to another network or the Internet.

4.1.1 Encapsulation

Be sure to use the encapsulation method required by your ISP. The ZyXEL Device supports the following methods.

4.1.1.1 ENETENCAP

The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol. IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment. For instance, it encapsulates routed Ethernet frames into bridged ATM cells. ENET ENCAP requires that you specify a gateway IP address in the ENET ENCAP Gateway field in the second wizard screen. You can get this information from your ISP.

4.1.1.2 PPP over Ethernet

PPPoE (Point-to-Point Protocol over Ethernet) provides access control and billing functionality in a manner similar to dial-up services using PPP. PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection.

For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example RADIUS).

One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for individuals.

Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site.

By implementing PPPoE directly on the ZyXEL Device (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyXEL Device does that part of the task. Furthermore, with NAT, all of the LANs' computers will have access.

4.1.1.3 PPPoA

PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). A PPPoA connection functions like a dial-up Internet connection. The ZyXEL Device encapsulates the PPP session based on RFC1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider's (ISP) DSLAM (digital access multiplexer). Please refer to RFC 2364 for more information on PPPoA. Refer to RFC 1661 for more information on PPP.

4.1.1.4 RFC 1483

RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 (AAL5). The first method allows multiplexing of multiple protocols over a single ATM virtual circuit (LLC-based multiplexing) and the second method assumes that each protocol is carried over a separate ATM virtual circuit (VC-based multiplexing). Please refer to the RFC for more detailed information.

4.1.2 Multiplexing

There are two conventions to identify what protocols the virtual circuit (VC) is carrying. Be sure to use the multiplexing method required by your ISP.

4.1.2.1 VC-based Multiplexing

In this case, by prior mutual agreement, each protocol is assigned to a specific virtual circuit; for example, VC1 carries IP, etc. VC-based multiplexing may be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical.

4.1.2.2 LLC-based Multiplexing

In this case one VC carries multiple protocols with protocol identifying information being contained in each packet header. Despite the extra bandwidth and processing overhead, this method may be advantageous if it is not practical to have a separate VC for each carried protocol, for example, if charging heavily depends on the number of simultaneous VCs.

4.1.3 VPI and VCI

Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Please see the appendix for more information.

4.1.4 IP Address Assignment

A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP. However the encapsulation method assigned influences your choices for IP address and ENET ENCAP gateway.

4.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation

If you have a dynamic IP, then the IP Address and ENET ENCAP Gateway fields are not applicable (N/A). If you have a static IP, then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field.

4.1.4.2 IP Assignment with RFC 1483 Encapsulation

In this case the IP Address Assignment must be static with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above.

4.1.4.3 IP Assignment with ENET Encapsulation

In this case you can have either a static or dynamic IP. For a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP. However for a dynamic IP, the ZyXEL Device acts as a DHCP client on the WAN port and so the IP Address and ENET ENCAP Gateway fields are not applicable (N/A) as the DHCP server assigns them to the ZyXEL Device.

4.1.5 Nailed-Up Connection (PPP)

A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The ZyXEL Device does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the ZyXEL Device will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.

Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern

4.1.6 NAT

NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.

4.2 Metric

The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost".

The metric sets the priority for the ZyXEL Device's routes to the Internet. If any two of the default routes have the same metric, the ZyXEL Device uses the following pre-defined priorities:

Normal route: designated by the ISP (see Section 4.5 on page 82)
Traffic-direct route (see Section 4.7 on page 91)
WAN-backup route, also called dial-backup (see Section 4.8 on page 92)

For example, if the normal route has a metric of "1" and the traffic-direct route has a metric of "2" and dial-backup route has a metric of "3", then the normal route acts as the primary default route. If the normal route fails to connect to the Internet, the ZyXEL Device tries the traffic-direct route next. In the same manner, the ZyXEL Device uses the dial-backup route if the traffic-direct route also fails.

If you want the dial-backup route to take first priority over the traffic-direct route or even the normal route, all you need to do is set the dial-backup route's metric to "1" and the others to "2" (or greater).

IP Policy Routing overrides the default routing behavior and takes priority over all of the routes mentioned above.

4.3 Traffic Shaping

Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and fluctuations of data transmission over an ATM network. This agreement helps eliminate congestion, which is important for transmission of real time data such as audio and video connections.

Peak Cell Rate (PCR) is the maximum rate at which the sender can send cells. This parameter may be lower (but not higher) than the maximum line speed. 1 ATM cell is 53 bytes (424 bits), so a maximum speed of 832Kbps gives a maximum PCR of 1962 cells/sec. This rate is not guaranteed because it is dependent on the line speed.

Sustained Cell Rate (SCR) is the mean cell rate of each bursty traffic source. It specifies the maximum average rate at which cells can be sent over the virtual connection. SCR may not be greater than the PCR.

Maximum Burst Size (MBS) is the maximum number of cells that can be sent at the PCR. After MBS is reached, cell rates fall below SCR until cell rate averages to the SCR again. At this time, more cells (up to the MBS) can be sent at the PCR again.

If the PCR, SCR or MBS is set to the default of "0", the system will assign a maximum value that correlates to your upstream line rate.

The following figure illustrates the relationship between PCR, SCR and MBS.

ZYXEL PRESTIGE 661H - Traffic Shaping - 1
Figure 37 Example of Traffic Shaping

4.3.1 ATM Traffic Classes

These are the basic ATM traffic classes defined by the ATM Forum Traffic Management 4.0 Specification.

4.3.1.1 Constant Bit Rate (CBR)

Constant Bit Rate (CBR) provides fixed bandwidth that is always available even if no data is being sent. CBR traffic is generally time-sensitive (doesn't tolerate delay). CBR is used for connections that continuously require a specific amount of bandwidth. A PCR is specified and if traffic exceeds this rate, cells may be dropped. Examples of connections that need CBR would be high-resolution video and voice.

4.3.1.2 Variable Bit Rate (VBR)

The Variable Bit Rate (VBR) ATM traffic class is used with bursty connections. Connections that use the Variable Bit Rate (VBR) traffic class can be grouped into real time (VBR-RT) or non-real time (VBR-nRT) connections.

The VBR-RT (real-time Variable Bit Rate) type is used with bursty connections that require closely controlled delay and delay variation. It also provides a fixed amount of bandwidth (a PCR is specified) but is only available when data is being sent. An example of an VBR-RT connection would be video conferencing. Video conferencing requires real-time data transfers and the bandwidth requirement varies in proportion to the video image's changing dynamics.

The VBR-nRT (non real-time Variable Bit Rate) type is used with bursty connections that do not require closely controlled delay and delay variation. It is commonly used for "bursty" traffic typical on LANs. PCR and MBS define the burst levels, SCR defines the minimum level. An example of an VBR-nRT connection would be non-time sensitive data file transfers.

4.3.1.3 Unspecified Bit Rate (UBR)

The Unspecified Bit Rate (UBR) ATM traffic class is for bursty data transfers. However, UBR doesn't guarantee any bandwidth and only delivers traffic when the network has spare bandwidth. An example application is background file transfer.

4.4 Zero Configuration Internet Access

Once you turn on and connect the ZyXEL Device to a telephone jack, it automatically detects the Internet connection settings (such as the VCI/VPI numbers and the encapsulation method) from the ISP and makes the necessary configuration changes. In cases where additional account information (such as an Internet account user name and password) is required or the ZyXEL Device cannot connect to the ISP, you will be redirected to web screen(s) for information input or troubleshooting.

Zero configuration for Internet access is disabled when

the ZyXEL Device is in bridge mode
you set the ZyXEL Device to use a static (fixed) WAN IP address.

4.5 Internet Connection

To change your ZyXEL Device's WAN remote node settings, click Network > WAN. The screen differs by the encapsulation.

See Section 4.1 on page 77 for more information.

ZYXEL PRESTIGE 661H - Internet Connection - 1
Figure 38 Internet Connection (PPPoE)

The following table describes the labels in this screen.

Table 24 Internet Connection

LABEL	DESCRIPTION
General
Name	Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only.
Mode	Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
Encapsulation	Select the method of encapsulation used by your ISP from the drop-down list box. Choices vary depending on the mode you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE.
User Name	(PPPoA and PPPoE only) Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
Password	(PPPoA and PPPoE only) Enter the password associated with the user name above.
Service Name	(PPPoE only) Type the name of your PPPoE service here.
Multiplexing	Select the method of multiplexing used by your ISP from the drop-down list. Choices are VC or LLC.

Table 24 Internet Connection

LABEL	DESCRIPTION
Virtual Circuit ID	VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit. Refer to the appendix for more information.
VPI	The valid range for the VPI is 0 to 255. Enter the VPI assigned to you.
VCI	The valid range for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Enter the VCI assigned to you.
IP Address	These fields only appear if the Mode is Routing.A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.‘
Obtain an IP Address Automatically	(PPPoE, PPPoA, and ENET ENCAP only) Select this if you have a dynamic IP address.
Static IP Address	(PPPoE, PPPoA, and ENET ENCAP only) Select this if you do not have a dynamic IP address.
IP Address	Enter the static IP address provided by your ISP.
Subnet Mask	(ENET ENCAP only) Enter the subnet mask provided by your ISP.
Gateway IP address	(ENET ENCAP only) Enter the gateway IP address provided by your ISP.
Connection	This section only appears if the Encapsulation is PPPoE and PPPoA.
Nailed-Up Connection	Select Nailed-Up Connection when you want your connection up all the time. The ZyXEL Device will try to bring up the connection automatically if it is disconnected.
Connect on Demand	Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
Max Idle Timeout	Specify an idle time-out in the Max Idle Timeout field when you select Connect on Demand. The default setting is 0, which means the Internet session will not timeout.
Apply	Click Apply to save the changes.
Cancel	Click Cancel to begin configuring this screen afresh.
Advanced Setup	Click this button to display the Advanced WAN Setup screen and edit more details of your WAN setup.

4.5.1 Configuring Advanced Internet Connection

To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the Internet Connection screen. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring Advanced Internet Connection - 1
Figure 39 Advanced Internet Connection

The following table describes the labels in this screen.

Table 25 Advanced Internet Connection

LABEL	DESCRIPTION
RIP & Multicast Setup
RIP Direction	RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version	This field is enabled if RIP Direction is not None. The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicastasting, then all routers on your network must use multicastasting, also.
Multicast	IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it.
ATM QoS
ATM QoS Type	Select CBR (Continuous Bit Rate) to specify fixed (always-on) bandwidth for voice or data traffic. Select UBR (Unspecified Bit Rate) for applications that are non-time sensitive, such as e-mail. Select VBR-nRT (Variable Bit Rate-non Real Time) or VBR-RT (Variable Bit Rate-Real Time) for bursty traffic and bandwidth sharing with other applications.

Table 25 Advanced Internet Connection

LABEL	DESCRIPTION
cell/sec	Divide the DSL line rate (bps) by 424 (the size of an ATM cell) to find the Peak Cell Rate (PCR). This is the maximum rate at which the sender can send cells. Type the PCR here.
Sustain Cell Rate	The Sustain Cell Rate (SCR) sets the average cell rate (long-term) that can be transmitted. Type the SCR, which must be less than the PCR. Note that system default is 0 cells/sec.
Maximum Burst Size	Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535.
Zero Configuration	This feature is not applicable/available when you configure the ZyXEL Device to use a static WAN IP address or in bridge mode. Select Yes to set the ZyXEL Device to automatically detect the Internet connection settings (such as the VCI/VPI numbers and the encapsulation method) from the ISP and make the necessary configuration changes. Select No to disable this feature. You must manually configure the ZyXEL Device for Internet access.
PPPoE Passthrough	This feature is available only when you select PPPoE encapsulation. In addition to the ZyXEL Device's built-in PPPoE client, you can enable PPPoE Passthrough to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the ZyXEL Device. Each host can have a separate account and a public WAN IP address. PPPoE pass through is an alternative to NAT for applications where NAT is not appropriate. Disable PPPoE passthrough if you do not need to allow hosts on the LAN to use PPPoE client software on their computers to connect to the ISP.
Back	Click Back to return to the previous screen.
Apply	Click Apply to save the changes.
Cancel	Click Cancel to begin configuring this screen afresh.

4.6 Configuring More Connections

This section describes the protocol-independent parameters for a remote network. They are required for placing calls to a remote gateway and the network behind it across a WAN connection. When you use the WAN > Internet Connection screen to set up Internet access, you are configuring the first WAN connection.

Click Network > WAN > More Connections to display the screen as shown next.

ZYXEL PRESTIGE 661H - Configuring More Connections - 1
Figure 40 More Connections

The following table describes the labels in this screen.

Table 26 More Connections

LABEL	DESCRIPTION
#	This is the index number of a connection.
Active	This display whether this connection is activated. Clear the check box to disable the connection. Select the check box to enable it.
Name	This is the descriptive name for this connection.
VPI/VCI	This is the VPI and VCI values used for this connection.
Encapsulation	This is the method of encapsulation used for this connection.
Modify	The first (ISP) connection is read-only in this screen. Use the WAN > Internet Connection screen to edit it. Click the edit icon to go to the screen where you can edit the connection. Click the delete icon to remove an existing connection. You cannot remove the first connection.
Apply	Click Apply to save the changes.
Cancel	Click Cancel to begin configuring this screen afresh.

4.6.1 More Connections Edit

Click the edit icon in the More Connections screen to configure a connection.

ZYXEL PRESTIGE 661H - More Connections Edit - 1
Figure 41 More Connections Edit

The following table describes the labels in this screen.

Table 27 More Connections Edit

LABEL	DESCRIPTION
Active	Select the check box to activate or clear the check box to deactivate this connection.
Name	Enter a unique, descriptive name of up to 13 ASCII characters for this connection.
Mode	Select Routing from the drop-down list box if your ISP allows multiple computers to share an Internet account. If you select Bridge, the ZyXEL Device will forward any packet that it does not route to this remote node; otherwise, the packets are discarded.
Encapsulation	Select the method of encapsulation used by your ISP from the drop-down list box. Choices are PPPoA, RFC 1483, ENET EncAP or PPPoE.
User Name	(PPPoA and PPPoE encapsulation only) Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
Password	(PPPoA and PPPoE encapsulation only) Enter the password associated with the user name above.
Service Name	(PPPoE only) Type the name of your PPPoE service here.
Multiplexing	Select the method of multiplexing used by your ISP from the drop-down list. Choices are VC or LLC. By prior agreement, a protocol is assigned a specific virtual circuit, for example, VC1 will carry IP. If you select VC, specify separate VPI and VCI numbers for each protocol. For LLC-based multiplexing or PPP encapsulation, one VC carries multiple protocols with protocol identifying information being contained in each packet header. In this case, only one set of VPI and VCI numbers need be specified for all protocols.
VPI	The valid range for the VPI is 0 to 255. Enter the VPI assigned to you.
VCI	The valid range for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Enter the VCI assigned to you.
IP Address	This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. If you use the encapsulation type except RFC 1483, select Obtain an IP Address Automatically when you have a dynamic IP address; otherwise select Static IP Address and type your ISP assigned IP address in the IP Address field below. If you use RFC 1483, enter the IP address given by your ISP in the IP Address field.
Subnet Mask	Enter a subnet mask in dotted decimal notation. Refer to the appendices to calculate a subnet mask If you are implementing subnetting.
Gateway IP address	Specify a gateway IP address (supplied by your ISP).
Connection
Nailed-Up Connection	Select Nailed-Up Connection when you want your connection up all the time. The ZyXEL Device will try to bring up the connection automatically if it is disconnected.
Connect on Demand	Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
Max Idle Timeout	Specify an idle time-out in the Max Idle Timeout field when you select Connect on Demand. The default setting is 0, which means the Internet session will not timeout.
NAT	SUA only is available only when you select Routing in the Mode field. Select SUA Only if you have one public IP address and want to use NAT. Click Edit to go to the Port Forwarding screen to edit a server mapping set. Otherwise, select None to disable NAT.
Back	Click Back to return to the previous screen.
Apply	Click Apply to save the changes.
Cancel	Click Cancel to begin configuring this screen afresh.
Advanced Setup	Click this button to display the More Connections Advanced screen and edit more details of your WAN setup.

4.6.2 Configuring More Connections Advanced Setup

To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the More Connections Edit screen. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring More Connections Advanced Setup - 1
Figure 42 More Connections Advanced Setup

The following table describes the labels in this screen.

Table 28 More Connections Advanced Setup

LABEL	DESCRIPTION
RIP & Multicast Setup
RIP Direction	Select the RIP direction from None, Both, In Only and Out Only.
RIP Version	Select the RIP version from RIP-1, RIP-2B and RIP-2M.
Multicast	IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it.
ATM QoS
ATM QoS Type	Select CBR (Continuous Bit Rate) to specify fixed (always-on) bandwidth for voice or data traffic. Select UBR (Unspecified Bit Rate) for applications that are non-time sensitive, such as e-mail. Select VBR-nRT (Variable Bit Rate-non Real Time) or VBR-RT (Variable Bit Rate-Real Time) for bursty traffic and bandwidth sharing with other applications.
Peak Cell Rate	Divide the DSL line rate (bps) by 424 (the size of an ATM cell) to find the Peak Cell Rate (PCR). This is the maximum rate at which the sender can send cells. Type the PCR here.
Sustain Cell Rate	The Sustain Cell Rate (SCR) sets the average cell rate (long-term) that can be transmitted. Type the SCR, which must be less than the PCR. Note that system default is 0 cells/sec.
Maximum Burst Size	Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535.
Back	Click Back to return to the previous screen.
Apply	Click Apply to save the changes.
Cancel	Click Cancel to begin configuring this screen afresh.

4.7 Traffic Redirect

Traffic redirect forwards traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet. An example is shown in the figure below.

ZYXEL PRESTIGE 661H - Traffic Redirect - 1
Figure 43 Traffic Redirect Example

The following network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN. Use IP alias to configure the LAN into two or three logical networks with the ZyXEL Device itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure filters that allow packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2).

ZYXEL PRESTIGE 661H - Traffic Redirect - 2
Figure 44 Traffic Redirect LAN Setup

4.8 Configuring WAN Backup

To change your ZyXEL Device's WAN backup settings, click WAN > WAN Backup Setup. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring WAN Backup - 1
Figure 45 WAN Backup Setup

The following table describes the labels in this screen.

Table 29 WAN Backup Setup

LABEL	DESCRIPTION
Backup Type	Select the method that the ZyXEL Device uses to check the DSL connection. Select DSL Link to have the ZyXEL Device check if the connection to the DSLAM is up. Select ICMP to have the ZyXEL Device periodically ping the IP addresses configured in the Check WAN IP Address fields.
Check WAN IP Address1-3	Configure this field to test your ZyXEL Device's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address).Note: If you activate either traffic redirect or dial backup, you must configure at least one IP address here.When using a WAN backup connection, the ZyXEL Device periodically pings the addresses configured here and uses the other WAN backup connection (if configured) if there is no response.
Fail Tolerance	Type the number of times (2 recommended) that your ZyXEL Device may ping the IP addresses configured in the Check WAN IP Address field without getting a response before switching to a WAN backup connection (or a different WAN backup connection).
Recovery Interval	When the ZyXEL Device is using a lower priority connection (usually a WAN backup connection), it periodically checks to whether or not it can use a higher priority connection.Type the number of seconds (30 recommended) for the ZyXEL Device to wait between checks. Allow more time if your destination IP address handles lots of traffic.
Timeout	Type the number of seconds (3 recommended) for your ZyXEL Device to wait for a ping response from one of the IP addresses in the Check WAN IP Address field before timing out the request. The WAN connection is considered "down" after the ZyXEL Device times out the number of times specified in the Fail Tolerance field.Use a higher value in this field if your network is busy or congested.
Traffic Redirect	Traffic redirect forwards traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet.
Active Traffic Redirect	Select this check box to have the ZyXEL Device use traffic redirect if the normal WAN connection goes down. Note: If you activate traffic redirect, you must configure at least one Check WAN IP Address.
Metric	This field sets this route's priority among the routes the ZyXEL Device uses. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost".
Backup Gateway	Type the IP address of your backup gateway in dotted decimal notation. The ZyXEL Device automatically forwards traffic to this IP address if the ZyXEL Device's Internet connection terminates.
Apply	Click Apply to save the changes.
Cancel	Click Cancel to begin configuring this screen afresh.

CHAPTER 5 LAN Setup

This chapter describes how to configure LAN settings.

5.1 LAN Overview

A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server and manage IP addresses.

See Section 5.3 on page 101 to configure the LAN screens.

5.1.1 LANs, WANs and the ZyXEL Device

The actual physical connection determines whether the ZyXEL Device ports are LAN or WAN ports. There are two separate IP networks, one inside the LAN network and the other outside the WAN network as shown next.

ZYXEL PRESTIGE 661H - LANs, WANs and the ZyXEL Device - 1
Figure 46 LAN and WAN IP Addresses

5.1.2 DHCP Setup

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured.

5.1.2.1 IP Pool Setup

The ZyXEL Device is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product specifications in the appendices. Do not assign static IP addresses from the DHCP pool to your LAN computers.

5.1.3 DNS Server Address

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask.

There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up. If your ISP gives you the DNS server addresses, enter them in the DNS Server fields in DHCP Setup, otherwise, leave them blank.

Some ISP's choose to pass the DNS servers using the DNS server extensions of PPP IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The ZyXEL Device supports the IPCP DNS server extensions through the DNS proxy feature.

If the Primary and Secondary DNS Server fields in the DHCP Setup screen are not specified, for instance, left as 0.0.0.0, the ZyXEL Device tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the ZyXEL Device, the ZyXEL Device forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.

Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances. If your ISP gives you explicit DNS servers, make sure that you enter their IP addresses in the DHCP Setup screen. This way, the ZyXEL Device can pass the DNS servers to the computers and the computers can query the DNS server directly without the ZyXEL Device's intervention.

5.1.4 DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

There are two ways that an ISP disseminates the DNS server addresses.

The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the DHCP Setup screen.
The ZyXEL Device acts as a DNS proxy when the Primary and Secondary DNS Server fields are left as 0.0.0.0 in the DHCP Setup screen.

5.2 LAN TCP/IP

The ZyXEL Device has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

5.2.1 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the ZyXEL Device. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number; which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyXEL Device, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise.

5.2.1.1 Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:

10.0.0.0 10.255.255.255
172.16.0.0 — 172.31.255.255
192.168.0.0—192.168.255.255

You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

5.2.2 RIP Setup

RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. When set to:

Both - the ZyXEL Device will broadcast its routing table periodically and incorporate the RIP information that it receives.
In Only - the ZyXEL Device will not send any RIP packets but will accept all RIP packets received.
Out Only - the ZyXEL Device will send out RIP packets but will not accept any RIP packets received.
None - the ZyXEL Device will not send any RIP packets and will ignore any RIP packets received.

The Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.

Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicast.

5.2.3 Multicast

Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.

IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.

The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyXEL Device queries all directly connected networks to gather group membership. After that, the ZyXEL Device periodically updates this information. IP multicasting can be enabled/disabled on the ZyXEL Device LAN and/or WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces.

5.2.4 Any IP

Traditionally, you must set the IP addresses and the subnet masks of a computer and the ZyXEL Device to be in the same subnet to allow the computer to access the Internet (through the ZyXEL Device). In cases where your computer is required to use a static IP address in another network, you may need to manually configure the network settings of the computer every time you want to access the Internet via the ZyXEL Device.

With the Any IP feature and NAT enabled, the ZyXEL Device allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, when the IP addresses of the computer and the ZyXEL Device are not in the same subnet. Whether a computer is set to use a dynamic or static (fixed) IP address, you can simply connect the computer to the ZyXEL Device and access the Internet.

The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment. In a residential house where a ZyXEL Device is installed, you can still use the computer to access the Internet without changing the network settings, even when the IP addresses of the computer and the ZyXEL Device are not in the same subnet.

ZYXEL PRESTIGE 661H - Any IP - 1
Figure 47 Any IP Example

The Any IP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the ZyXEL Device's IP address.

Note: You must enable NAT/SUA to use the Any IP feature on the ZyXEL Device.

5.2.4.1 How Any IP Works

Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network. IP routing table is defined on IP Ethernet devices (the ZyXEL Device) to decide which hop to use, to help forward data along to its specified destination.

The following lists out the steps taken, when a computer tries to access the Internet for the first time through the ZyXEL Device.

1 When a computer (which is in a different subnet) first attempts to access the Internet, it sends packets to its default gateway (which is not the ZyXEL Device) by looking at the MAC address in its ARP table.
2 When the computer cannot locate the default gateway, an ARP request is broadcast on the LAN.
3 The ZyXEL Device receives the ARP request and replies to the computer with its own MAC address.
4 The computer updates the MAC address for the default gateway to the ARP table. Once the ARP table is updated, the computer is able to access the Internet through the ZyXEL Device.
5 When the ZyXEL Device receives packets from the computer, it creates an entry in the IP routing table so it can properly forward packets intended for the computer.

After all the routing information is updated, the computer can access the ZyXEL Device and the Internet as if it is in the same subnet as the ZyXEL Device.

5.3 Configuring LAN IP

Click LAN to open the IP screen. See Section 5.1 on page 95 for background information.

ZYXEL PRESTIGE 661H - Configuring LAN IP - 1
Figure 48 LAN IP

The following table describes the fields in this screen.

Table 30 LAN IP

LABEL	DESCRIPTION
TCP/IP
IP Address	Enter the IP address of your ZyXEL Device in dotted decimal notation, for example, 192.168.1.1 (factory default).
IP Subnet Mask	Type the subnet mask assigned to you by your ISP (if given).
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.
Advanced Setup	Click this button to display the Advanced LAN Setup screen and edit more details of your LAN setup.

5.3.1 Configuring Advanced LAN Setup

To edit your ZyXEL Device's advanced LAN settings, click the Advanced Setup button in the LAN IP screen. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring Advanced LAN Setup - 1
Figure 49 Advanced LAN Setup

The following table describes the labels in this screen.

Table 31 Advanced LAN Setup

LABEL	DESCRIPTION
RIP & Multicast Setup
RIP Direction	RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version	This field is enabled if RIP Direction is not None. The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicastasting, then all routers on your network must use multicastasting, also.
Multicast	IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it.
Any IP Setup	Select the Active check box to enable the Any IP feature. This allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the ZyXEL Device are not in the same subnet.When you disable the Any IP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the ZyXEL Device's LAN IP address can connect to the ZyXEL Device or access the Internet through the ZyXEL Device.
Windows Networking (NetBIOS over TCP/IP)	NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Allow between LAN and WAN	Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
Back	Click Back to return to the previous screen.
Apply	Click Apply to save the changes.
Cancel	Click Cancel to begin configuring this screen afresh.

5.4 DHCP Setup

Use this screen to configure the DNS server information that the ZyXEL Device sends to the DHCP client devices on the LAN.

ZYXEL PRESTIGE 661H - DHCP Setup - 1
Figure 50 DHCP Setup

The following table describes the labels in this screen.

Table 32 DHCP Setup

LABEL	DESCRIPTION
DHCP Setup
DHCP	Select what type of DHCP services the ZyXEL Device provides to the network. Choices are: None - the ZyXEL Device does not provide any DHCP services. There is already a DHCP server on the network. DHCP Relay - the ZyXEL Device routes DHCP requests to the DHCP server. There may be a DHCP server on another network. DHCP Server - the ZyXEL Device assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The ZyXEL Device is the DHCP server for the network.
IP Pool Starting Address	This field is enabled if the ZyXEL Device is a DHCP Server. Enter the first of the contiguous addresses in the IP address pool.
Pool Size	This field is enabled if the ZyXEL Device is a DHCP Server. Enter the size of, or the number of addresses in, the IP address pool.
Remote DHCP Server	This field is enabled if the ZyXEL Device is a DHCP Relay. Enter the IP address of the DHCP server to which the ZyXEL Device should route requests.
DNS Server
DNS Servers Assigned by DHCP Server	The ZyXEL Device passes a DNS (Domain Name System) server IP address to the DHCP clients.
Primary DNS Server Secondary DNS Server	This field is not available when you set DHCP to Relay. Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask. If the fields are left as 0.0.0.0, the ZyXEL Device acts as a DNS proxy and forwards the DHCP client's DNS query to the real DNS server learned through IPCP and relays the response back to the computer.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Reset	Click Reset to begin configuring this screen afresh.

5.5 LAN Client List

This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses.

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

To change your ZyXEL Device's static DHCP settings, click Network > LAN > Client List. The screen appears as shown.

ZYXEL PRESTIGE 661H - LAN Client List - 1
Figure 51 LAN Client List

The following table describes the labels in this screen.

Table 33 LAN Client List

LABEL	DESCRIPTION
IP Address	Enter the IP address that you want to assign to the computer on your LAN with the MAC address specified below.The IP address should be within the range of IP addresses you specified in the DHCP Setup for the DHCP client.
MAC Address	Enter the MAC address of a computer on your LAN.
Add	Click Add to add a static DHCP entry.
#	This is the index number of the static IP table entry (row).
Status	This field displays whether the client is connected to the ZyXEL Device.
Host Name	This field displays the computer host name.
IP Address	This field displays the IP address relative to the # field listed above.
MAC Address	The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation).A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve	Select the check box(es) in each entry to have the ZyXEL Device always assign the selected entry(ies)'s IP address(es) to the corresponding MAC address(es) (and host name(s)). You can select up to 32 entries in this table.
Modify	Click the modify icon to have the IP address field editable and change it.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.
Refresh	Click Refresh to reload the DHCP table.

5.6 LAN IP Alias

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network.

When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets).

Note: Make sure that the subnets of the logical networks do not overlap.

The following figure shows a LAN divided into subnets A, B, and C.

ZYXEL PRESTIGE 661H - LAN IP Alias - 1
Figure 52 Physical Network & Partitioned Logical Networks

To change your ZyXEL Device's IP alias settings, click Network > LAN > IP Alias. The screen appears as shown.

ZYXEL PRESTIGE 661H - LAN IP Alias - 2
Figure 53 LAN IP Alias

The following table describes the labels in this screen.

Table 34 LAN IP Alias

LABEL	DESCRIPTION
IP Alias 1, 2	Select the check box to configure another LAN network for the ZyXEL Device.
IP Address	Enter the IP address of your ZyXEL Device in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask	Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.
RIP Direction	RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version	This field is enabled if RIP Direction is not None. The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicast can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicastasting, then all routers on your network must use multicastasting, also.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

CHAPTER 6 Wireless LAN

This chapter discusses how to configure the wireless network settings in your device (wireless devices only). See the appendices for more detailed information about wireless networks.

6.1 Wireless Network Overview

The following figure provides an example of a wireless network.

Example of a Wireless Network

ZYXEL PRESTIGE 661H - Wireless Network Overview - 1

The wireless network is the part in the blue circle. In this wireless network, devices A and B use the access point (AP) to interact with the other devices (such as the printer) or with the Internet. Your ZyXEL Device is the AP.

Every wireless network must follow these basic guidelines.

Every device in the same wireless network must use the same SSID.

The SSID is the name of the wireless network. It stands for Service Set IDentity.

If two wireless networks overlap, they should use a different channel.

Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information.

Every device in the same wireless network must use security compatible with the ZyXEL Device.

Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.

6.2 Wireless Security Overview

The following sections introduce different types of wireless security you can set up in the wireless network.

6.2.1 SSD

Normally, the ZyXEL Device acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the ZyXEL Device does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess.

This type of security is fairly weak, however, because there are ways for unauthorized wireless devices to get the SSID. In addition, unauthorized wireless devices can still see the information that is sent in the wireless network.

6.2.2 MAC Address Filter

Every device that can use a wireless network has a unique identification number, called a MAC address. A MAC address is usually written using twelve hexadecimal characters; for example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each device in the wireless network, see the device's User's Guide or other documentation.

You can use the MAC address filter to tell the ZyXEL Device which devices are allowed or not allowed to use the wireless network. If a device is allowed to use the wireless network, it still has to have the correct information (SSID, channel, and security). If a device is not allowed to use the wireless network, it does not matter if it has the correct information.

This type of security does not protect the information that is sent in the wireless network. Furthermore, there are ways for unauthorized wireless devices to get the MAC address of an authorized device. Then, they can use that MAC address to use the wireless network.

6.2.3 User Authentication

You can make every user log in to the wireless network before they can use it. This is called user authentication. However, every device in the wireless network has to support IEEE 802.1x to do this.

Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks. These kinds of wireless devices might not have MAC addresses.
Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F.

For wireless networks, user names and passwords can be stored in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you cannot set up user names and passwords for your users.

Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.

Local user databases also have an additional limitation that is explained in the next section.

6.2.4 Encryption

Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message.

The types of encryption you can choose depend on the type of authentication. (See Section 6.2.3 on page 110 for information about this.)

Table 35 Types of Encryption for Each Type of Authentication

Weakest Strongest	No Authentication	RADIUS Server
	No Security	WPA
	Static WEP
	WPA-PSK
	WPA2-PSK	WPA2

For example, if the wireless network has a RADIUS server, you can choose WPA or WPA2. If users do not log in to the wireless network, you can choose no encryption, Static WEP, WPA-PSK, or WPA2-PSK.

Usually, you should set up the strongest encryption that every device in the wireless network supports. For example, suppose you have a wireless network with the ZyXEL Device. The ZyXEL Device does not have a local user database, and you do not have a RADIUS server. Therefore, there is no authentication. Suppose the wireless network has two devices. Device A only supports WEP, and device B supports WEP and WPA. Therefore, you should set up Static WEP in the wireless network.

Note: It is recommended that wireless networks use WPA-PSK, WPA, or stronger encryption. IEEE 802.1x and WEP encryption are better than none at all, but it is still possible for unauthorized wireless devices to figure out the original information pretty quickly.

It is not possible to use WPA-PSK, WPA or stronger encryption with a local user database. In this case, it is better to set up stronger encryption with no authentication than to set up weaker encryption with the local user database.

When you select WPA2 or WPA2-PSK in your ZyXEL Device, you can also select an option (WPA compatible) to support WPA as well. In this case, if some of the devices support WPA and some support WPA2, you should set up WPA2-PSK or WPA2 (depending on the type of wireless network login) and select the WPA compatible option in the ZyXEL Device.

Many types of encryption use a key to protect the information in the wireless network. The longer the key, the stronger the encryption. Every device in the wireless network must have the same key.

6.2.5 One-Touch Intelligent Security Technology (OTIST)

With ZyXEL's OTIST, you set up the SSID and WPA-PSK on the ZyXEL Device. Then, the ZyXEL Device transfers them to the devices in the wireless networks. As a result, you do not have to set up the SSID and encryption on every device in the wireless network.

The devices in the wireless network have to support OTIST, and they have to be in range of the ZyXEL Device when you activate it. See Section 6.5 on page 120 for more details.

6.3 Wireless Performance Overview

The following sections introduce different ways to improve the performance of the wireless network.

6.3.1 Quality of Service (QoS)

You can turn on Wi-Fi MultiMedia (WMM) QoS to improve the performance of voice and video applications in the wireless network. QoS gives high priority to voice and video, which makes them run more smoothly. Similarly, it gives low priority to many file downloads so that they do not reduce the quality of other applications.

6.4 General Wireless LAN Screen

Note: If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device's SSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device's new settings.

Click Network > Wireless LAN to open the General screen.

ZYXEL PRESTIGE 661H - General Wireless LAN Screen - 1
Figure 54 Wireless LAN: General

The following table describes the general wireless LAN labels in this screen.

Table 36 Wireless LAN: General

LABEL	DESCRIPTION
Active Wireless LAN	Click the check box to activate wireless LAN.
Network Name (SSID)	(Service Set IDentity) TheSSID identifies the Service Set with which a wireless client is associated. Wireless clients associating to the access point (AP) must have the sameSSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.Note: If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device'sSSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device's new settings.
HideSSID	Select this check box to hide theSSID in the outgoing beacon frame so a station cannot obtain theSSID through scanning using a site survey tool.
Channel Selection	Set the operating frequency/channel depending on your particular region. Select a channel from the drop-down list box.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to reload the previous configuration for this screen.
Advanced Setup	Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.

See the rest of this chapter for information on the other labels in this screen.

6.4.1 No Security

Select No Security to allow wireless clients to communicate with the access points without any data encryption.

Note: If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range.

ZYXEL PRESTIGE 661H - No Security - 1
Figure 55 Wireless: No Security

The following table describes the labels in this screen.

Table 37 Wireless: No Security

LABEL	DESCRIPTION
Security Mode	Choose No Security from the drop-down list box.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to reload the previous configuration for this screen.
Advanced Setup	Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.

6.4.2 WEP Encryption

WEP encryption scrambles the data transmitted between the wireless clients and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless clients and the access points must use the same WEP key.

Your ZyXEL Device allows you to configure up to four 64-bit, 128-bit or 256-bit WEP keys but only one key can be enabled at any one time.

In order to configure and enable WEP encryption; click Network > Wireless LAN to display the General screen. Select Static WEP from the Security Mode list.

ZYXEL PRESTIGE 661H - WEP Encryption - 1
Figure 56 Wireless: Static WEP Encryption

The following table describes the wireless LAN security labels in this screen.

Table 38 Wireless: Static WEP Encryption

LABEL	DESCRIPTION
Security Mode	Choose Static WEP from the drop-down list box.
Passphrase	Enter a Passphrase (up to 32 printable characters) and clicking Generate. The ZyXEL Device automatically generates a WEP key.
WEP Key	The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless clients must use the same WEP key for data transmission. If you want to manually set the WEP key, enter any 5, 13 or 29 characters (ASCII string) or 10, 26 or 58 hexadecimal characters ("0-9", "A-F") for a 64-bit, 128-bit or 256-bit WEP key respectively.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to reload the previous configuration for this screen.
Advanced Setup	Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.

6.4.3 WPA-PSK/WPA2-PSK

In order to configure and enable WPA(2)-PSK authentication; click Network > Wireless LAN to display the General screen. Select WPA-PSK or WPA2-PSK from the Security Mode list.

ZYXEL PRESTIGE 661H - WPA-PSK/WPA2-PSK - 1
Figure 57 Wireless: WPA-PSK/WPA2-PSK

The following table describes the wireless LAN security labels in this screen.

Table 39 Wireless: WPA-PSK/WPA2-PSK

LABEL	DESCRIPTION
Security Mode	Choose WPA-PSK or WPA2-PSK from the drop-down list box.
WPA Compatible	This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2.
Pre-Shared Key	The encryption mechanisms used for WPA/WPA2 and WPA-PSK/WPA2-PSK are the same. The only difference between the two is that WPA-PSK/WPA2-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
ReAuthentication Timer (In Seconds)	Specify how often wireless clients have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout (In Seconds)	The ZyXEL Device automatically disconnects a wireless client from the wired network after a period of inactivity. The wireless client needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).

Table 39 Wireless: WPA-PSK/WPA2-PSK

LABEL	DESCRIPTION
Group Key Update Timer (In Seconds)	The Group Key Update Timer is the rate at which the AP (if using WPA-PSK/WPA2-PSK key management) or RADIUS server (if using WPA(2) key management) sends a new group key out to all clients. The re-keying process is the WPA(2) equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK/WPA2-PSK mode. The default is 1800 seconds (30 minutes).
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to reload the previous configuration for this screen.
Advanced Setup	Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.

6.4.4 WPA/WPA2

In order to configure and enable WPA/WPA2; click the Wireless LAN link under Network to display the General screen. Select WPA or WPA2 from the Security Mode list.

ZYXEL PRESTIGE 661H - WPA/WPA2 - 1
Figure 58 Wireless: WPA/WPA2

The following table describes the wireless LAN security labels in this screen.

Table 40 Wireless: WPA/WPA2

LABEL	DESCRIPTION
WPA Compatible	This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2.
ReAuthentication Timer (In Seconds)	Specify how often wireless clients have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).Note: If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout (In Seconds)	The ZyXEL Device automatically disconnects a wireless client from the wired network after a period of inactivity. The wireless client needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer (In Seconds)	The Group Key Update Timer is the rate at which the AP (if using WPA-PSK/WPA2-PSK key management) or RADIUS server (if using WPA(2) key management) sends a new group key out to all clients. The re-keying process is the WPA(2) equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK/WPA2-PSK mode. The default is 1800 seconds (30 minutes).
Authentication Server
IP Address	Enter the IP address of the external authentication server in dotted decimal notation.
Port Number	Enter the port number of the external authentication server. The default port number is 1812.You need not change this value unless your network administrator instructs you to do so with additional information.
Shared Secret	Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyXEL Device.The key must be the same on the external authentication server and your ZyXEL Device. The key is not sent over the network.
Accounting Server (optional)
Active	Select Yes from the drop down list box to enable user accounting through an external authentication server.
IP Address	Enter the IP address of the external accounting server in dotted decimal notation.
Port Number	Enter the port number of the external accounting server. The default port number is 1813.You need not change this value unless your network administrator instructs you to do so with additional information.
Shared Secret	Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyXEL DeviceZyXEL Device. The key must be the same on the external accounting server and your ZyXEL Device. The key is not sent over the network.
Apply	Click Apply to save your changes back to the ZyXEL Device.

Table 40 Wireless: WPA/WPA2

LABEL	DESCRIPTION
Cancel	Click Cancel to reload the previous configuration for this screen.
Advanced Setup	Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.

6.4.5 Wireless LAN Advanced Setup

To configure advanced wireless settings, click the Advanced Setup button in the General screen. The screen appears as shown.

ZYXEL PRESTIGE 661H - Wireless LAN Advanced Setup - 1
Figure 59 Wireless LAN: Advanced

The following table describes the labels in this screen.

Table 41 Wireless LAN: Advanced

LABEL	DESCRIPTION
Wireless Advanced Setup
RTS/CTS Threshold	Enter a value between 0 and 2432. If you select the Enable 802.11g+ mode checkbox, this field is grayed out and the ZyXEL Device uses 4096 automatically.
Fragmentation Threshold	It is the maximum data fragment size that can be sent. Enter a value between 256 and 2432. If you select the Enable 802.11g+ mode checkbox, this field is grayed out and the ZyXEL Device uses 4096 automatically.
Output Power	Set the output power of the ZyXEL Device in this field. This control changes the strength of the ZyXEL Device's antenna gain or transmission power. Antenna gain is the increase in coverage. Higher antenna gain improves the range of the signal for better communications. If there is a high density of APs within an area, decrease the output power of the ZyXEL Device to reduce interference with other APs. The options are Maximum, Middle and Minimum.

Table 41 Wireless LAN: Advanced

LABEL	DESCRIPTION
Preamble	Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks. Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications. Select Dynamic to have the ZyXEL Device automatically use short preamble when wireless adapters support it, otherwise the ZyXEL Device uses long preamble.
802.11 Mode	Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced.
Enable 802.11g+mode	Select the Enable 802.11g+ mode checkbox to allow any ZyXEL WLAN devices that support this feature to associate with the ZyXEL Device at higher transmission speeds. This permits the ZyXEL Device to transmit at a higher speed than the 802.11g Only mode.
Max. Frame Burst	Enable Maximum Frame Burst to help eliminate collisions in mixed-mode networks (networks with both IEEE 802.11g and IEEE 802.11b traffic) and enhance the performance of both pure IEEE 802.11g and mixed IEEE 802.11b/g networks. Maximum Frame Burst sets the maximum time, in micro-seconds, that the ZyXEL Device transmits IEEE 802.11g wireless traffic only. Type the maximum frame burst between 0 and 1800 (650, 1000 or 1800 recommended). Enter 0 to disable this feature.
Back	Click Back to return to the previous screen.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to reload the previous configuration for this screen.

6.5 OTIST

In a wireless network, the wireless clients must have the same SSID and security settings as the access point (AP) or wireless router (we will refer to both as "AP" here) in order to associate with it. Traditionally this meant that you had to configure the settings on the AP and then manually configure the exact same settings on each wireless client.

OTIST (One-Touch Intelligent Security Technology) allows you to transfer your AP's SSID and WPA-PSK security settings to wireless clients that support OTIST and are within transmission range. You can also choose to have OTIST generate a WPA-PSK key for you if you didn't configure one manually.

Note: OTIST replaces the pre-configured wireless settings on the wireless clients.

6.5.1 Enabling OTIST

You must enable OTIST on both the AP and wireless client before you start transferring settings.

Note: The AP and wireless client(s) MUST use the same Setup key.

6.5.1.1 AP

You can enable OTIST using the RESET button or the web configurator.

6.5.1.1.1 Reset button

If you use the RESET button, the default (01234567) or previous saved (through the web configurator) Setup key is used to encrypt the settings that you want to transfer.

Hold in the RESET button for one to five seconds.

Note: If you hold in the RESET button too long, the device will reset to the factory defaults!

6.5.1.1.2 Web Configurator

Click the Network > Wireless LAN > OTIST. The following screen displays.

ZYXEL PRESTIGE 661H - Web Configurator - 1
Figure 60 Wireless LAN: OTIST

The following table describes the labels in this screen.

Table 42 OTIST

LABEL	DESCRIPTION
Setup Key	Type an OTIST Setup Key of exactly eight ASCII characters in length. The default OTIST setup key is "01234567". Note: If you change the OTIST setup key here, you must also make the same change on the wireless client(s).
Yes!	If you want OTIST to automatically generate a WPA-PSK, you must: Change your security to any security other than WPA-PSK in the Wireless LAN > General screen. Select the Yes! checkbox in the OTIST screen and click Start. The wireless screen displays an auto generated WPA-PSK and is now in WPA-PSK security mode. The WPA-PSK security settings are assigned to the wireless client when you start OTIST. If you already have a WPA-PSK configured in the Wireless LAN > General screen, and you run OTIST with Yes! selected, OTIST will use the existing WPA-PSK.
Start	Click Start to encrypt the wireless security data using the setup key and have the ZyXEL Device set the wireless client to use the same wireless settings as the ZyXEL Device. You must also activate and start OTIST on the wireless client at the same time. The process takes three minutes to complete.

6.5.1.2 Wireless Client

On your wireless client, start the ZyXEL utility and click the Adapter tab. Select the OTIST check box, enter the same Setup Key as your AP's and click Save.

ZYXEL PRESTIGE 661H - Wireless Client - 1
Figure 61 Example Wireless Client OTIST Screen

6.5.2 Starting OTIST

Note: You must click Start in the AP OTIST web configurator screen and in the wireless client(s) Adapter screen all within three minutes (at the time of writing). You can start OTIST in the wireless clients and AP in any order but they must all be within range and have OTIST enabled.

1 In the AP, a web configurator screen pops up showing you the security settings to transfer. You can use the key in this screen to set up WPA-PSK encryption manually for non-OTIST devices in the wireless network. After reviewing the settings, click OK.

ZYXEL PRESTIGE 661H - Starting OTIST - 1
Figure 62 Security Key

2 This screen appears while OTIST settings are being transferred. It closes when the transfer is complete.

ZYXEL PRESTIGE 661H - Starting OTIST - 2
Figure 63 OTIST in Progress (AP)

ZYXEL PRESTIGE 661H - Starting OTIST - 3
Figure 64 OTIST in Progress (Client)

3 In the wireless client, you see this screen if it can't find an OTIST-enabled AP (with the same Setup key). Click OK to go back to the ZyXEL utility main screen.

ZYXEL PRESTIGE 661H - Starting OTIST - 4
Figure 65 No AP with OTIST Found

If there is more than one OTIST-enabled AP within range, you see a screen asking you to select one AP to get settings from.

6.5.3 Notes on OTIST

1 If you enabled OTIST in the wireless client, you see this screen each time you start the utility. Click Yes for it to search for an OTIST-enabled AP.

ZYXEL PRESTIGE 661H - Notes on OTIST - 1
Figure 66 Start OTIST?

2 If an OTIST-enabled wireless client loses its wireless connection for more than ten seconds, it will search for an OTIST-enabled AP for up to one minute. (If you manually have the wireless client search for an OTIST-enabled AP, there is no timeout; click Cancel in the OTIST progress screen to stop the search.)
3 When the wireless client finds an OTIST-enabled AP, you must still click Start in the AP OTIST web configurator screen or hold in the RESET button (for one to five seconds) for the AP to transfer settings.
4 If you change the SSID or the keys on the AP after using OTIST, you need to run OTIST again or enter them manually in the wireless client(s).
5 If you configure OTIST to generate a WPA-PSK key, this key changes each time you run OTIST. Therefore, if a new wireless client joins your wireless network, you need to run OTIST on the AP and ALL wireless clients again.

6.6 MAC Filter

The MAC filter screen allows you to configure the ZyXEL Device to give exclusive access to up to 32 devices (Allow) or exclude up to 32 devices from accessing the ZyXEL Device (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of the devices to configure this screen.

To change your ZyXEL Device's MAC filter settings, click Network > Wireless LAN > MAC Filter. The screen appears as shown.

ZYXEL PRESTIGE 661H - MAC Filter - 1
Figure 67 MAC Address Filter

The following table describes the labels in this menu.

Table 43 MAC Address Filter

LABEL	DESCRIPTION
Active MAC Filter	Select the check box to enable MAC address filtering.
Filter Action	Define the filter action for the list of MAC addresses in the MAC Address table. Select Deny to block access to the ZyxEL Device, MAC addresses not listed will be allowed to access the ZyxEL Device Select Allow to permit access to the ZyxEL Device, MAC addresses not listed will be denied access to the ZyxEL Device.
Set	This is the index number of the MAC address.
MAC Address	Enter the MAC addresses of the wireless client that are allowed or denied access to the ZyxEL Device in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
Apply	Click Apply to save your changes back to the ZyxEL Device.
Cancel	Click Cancel to reload the previous configuration for this screen.

6.7 WMM QoS

WMM (Wi-Fi MultiMedia) QoS (Quality of Service) allows you to prioritize wireless traffic according to the delivery requirements of individual services.

WMM is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks.

6.7.1 WMM QoS Example

When WMM QoS is not enabled, all traffic streams are given the same access throughput to the wireless network. If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity, then the new traffic stream reduces the throughput of the other traffic streams.

When WMM QoS is enabled, the streams are prioritized according to the needs of the application. You can assign different priorities to different applications. This prevents reductions in data transmission for applications that are sensitive.

6.7.2 WMM QoS Priorities

The following table describes the priorities that you can apply to traffic that the ZyXEL Device sends to the wireless network.

Table 44 WMM QoS Priorities

PRIORITY LEVELS:
Highest	Typically used for voice traffic or video that is especially sensitive to jitter (variations in delay). Use the highest priority to reduce latency for improved voice quality.
High	Typically used for video traffic which has some tolerance for jitter but needs to be prioritized over other data traffic.
Mid	Typically used for traffic from applications or devices that lack QoS capabilities. Use mid priority for traffic that is less sensitive to latency, but is affected by long delays, such as Internet surfing.
Low	This is typically used for non-critical “background” traffic such as bulk transfers and print jobs that are allowed but that should not affect other applications and users. Use low priority for applications that do not have strict latency and throughput requirements.

6.7.3 Services

The commonly used services and port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type. For example, look at the DNS service. (UDP/TCP:53) means UDP port 53 and TCP port 53.

Table 45 Commonly Used Services

SERVICE	DESCRIPTION
AIM/New-ICQ(TCP:5190)	AOL's Internet Messenger service, used as a listening port by ICQ.
AUTH(TCP:113)	Authentication protocol used by some servers.
BGP(TCP:179)	Border Gateway Protocol.
BOOTPCLIENT(UDP:68)	DHCP Client.
BOOTP_SERVER(UDP:67)	DHCP Server.
CU-SEEME(TCP/UDP:7648,24032)	A popular videoconferencing solution from White Pines Software.
DNS(UDP/TCP:53)	Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
FINGER(TCP:79)	Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP(TCP:20.21)	File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323(TCP:1720)	NetMeeting uses this protocol.
HTTP(TCP:80)	Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS(TCP:443)	HTTPS is a secured http session often used in e-commerce.
ICQ(UDP:4000)	This is a popular Internet chat program.
IKE(UDP:500)	The Internet Key Exchange algorithm is used for key distribution and management.
IPSEC_TUNNEL(AH:0)	The IPSEC AH (Authentication Header) tunneling protocol uses this service.
IPSEC_TUNNEL(ESP:0)	The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
IRC(TCP/UDP:6667)	This is another popular Internet chat program.
MSN Messenger(TCP:1863)	Microsoft Networks' messenger service uses this protocol.
MULTICAST(IGMP:0)	Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.
NEW-ICQ(TCP:5190)	An Internet chat program.
NEWS(TCP:144)	A protocol for news groups.
NFS(UDP:2049)	Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.
NNTP(TCP:119)	Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.

Table 45 Commonly Used Services

SERVICE	DESCRIPTION
PING(ICMP:0)	Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
POP3(TCP:110)	Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
PPTP(TCP:1723)	Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
PPTP_TUNNEL(GRE:0)	Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the data channel.
RCMD(TCP:512)	Remote Command Service.
REAL_AUDIO(TCP:7070)	A streaming audio service that enables real time sound over the web.
REXEC(TCP:514)	Remote Execution Daemon.
RLOGIN(TCP:513)	Remote Login.
RTELNET(TCP:107)	Remote Telnet.
RTSP(TCP/UDP:554)	The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP(TCP:115)	Simple File Transfer Protocol.
SMTP(TCP:25)	Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP(TCP/UDP:161)	Simple Network Management Program.
SNMP-TRAPS(TCP/UDP:162)	Traps for use with the SNMP (RFC:1215).
SQL-NET(TCP:1521)	Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.
SSH(TCP/UDP:22)	Secure Shell Remote Login Program.
STRM_WORKS(UDP:1558)	Stream Works Protocol.
SYSLOG(UDP:514)	Syslog allows you to send system logs to a UNIX server.
TACACS(UDP:49)	Login Host Protocol used for (Terminal Access Controller Access Control System).
TELNET(TCP:23)	Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
TFTP(UDP:69)	Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE(TCP:7000)	Another videoconferencing solution.

6.8 QoS Screen

The QoS screen by default allows you to automatically give a service a priority level according to the ToS value in the IP header of the packets it sends.

6.8.1 ToS (Type of Service) and WMM QoS

ToS defines the DS (Differentiated Service) field in the IP packet header. The ToS value of outgoing packets is between 0 and 255. 0 is the lowest priority.

WMM QoS checks the ToS in the header of transmitted data packets. It gives the application a priority according to this number. If the ToS is not specified, then transmitted data is treated as normal or best-effort traffic.

Click Network > Wireless LAN > QoS. The following screen displays.

ZYXEL PRESTIGE 661H - ToS (Type of Service) and WMM QoS - 1
Figure 68 Wireless LAN: QoS

The following table describes the fields in this screen.

Table 46 Wireless LAN: QoS

LABEL	DESCRIPTION
QoS
Enable WMM QoS	Select the check box to enable WMM QoS on the ZyXEL Device.
WMM QoS Policy	Select Default to have the ZyXEL Device automatically give a service a priority level according to the ToS value in the IP header of packets it sends. Select Application Priority from the drop-down list box to display a table of application names, services, ports and priorities to which you want to apply WMM QoS.
#	This is the number of an individual application entry.
Name	This field displays a description given to an application entry.
Service	This field displays either FTP, WWW, E-mail or a User Defined service to which you want to apply WMM QoS.

Table 46 Wireless LAN: QoS

LABEL	DESCRIPTION
Dest Port	This field displays the destination port number to which the application sends traffic.
Priority	This field displays the WMM QoS priority for traffic bandwidth.
Modify	Click the Edit icon to open the Application Priority Configuration screen.Modify an existing application entry or create a application entry in the Application Priority Configuration screen.Click the Remove icon to delete an application entry.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to reload the previous configuration for this screen.

6.8.2 Application Priority Configuration

To edit a WMM QoS application entry, click the edit icon under Modify. The following screen displays.

ZYXEL PRESTIGE 661H - Application Priority Configuration - 1
Figure 69 Application Priority Configuration

The following table describes the fields in this screen.

Table 47 Application Priority Configuration

LABEL	DESCRIPTION
Application Priority Configuration
Name	Type a description of the application priority.

Table 47 Application Priority Configuration

LABEL	DESCRIPTION
Service	The following is a description of the applications you can prioritize with WMM QoS. Select a service from the drop-down list box.FTPFile Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail. FTP uses port number 21.E-MailElectronic mail consists of messages sent through a computer network to specific groups or individuals. Here are some default ports for e-mail:POP3 - port 110IMAP - port 143SMTP - port 25HTTP - port 80.WWWThe World Wide Web is an Internet system to distribute graphical, hyper-linked information, based on Hyper Text Transfer Protocol (HTTP) - a client/server protocol for the World Wide Web. The Web is not synonymous with the Internet; rather, it is just one service on the Internet. Other services on the Internet include Internet Relay Chat and Newsgroups. The Web is accessed through use of a browser.User-DefinedUser-defined services are user specific services configured using known ports and applications.
Dest Port	This displays the port the selected service uses. Type a port number in the field provided if you want to use a different port to the default port. See table Table 45 on page 127 for information on port numbers.
Priority	Select a priority from the drop-down list box.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to return to the previous screen without saving your changes.

CHAPTER 7 Network Address Translation (NAT) Screens

This chapter discusses how to configure NAT on the ZyXEL Device.

7.1 NAT Overview

7.1.1 NAT Definitions

Inside/outside denotes where a host is located relative to the ZyXEL Device, for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.

Global/local denotes the IP address of a host in a packet as the packet traverses a router, for example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side.

Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. The following table summarizes this information.

Table 48 NAT Definitions

ITEM	DESCRIPTION
Inside	This refers to the host on the LAN.
Outside	This refers to the host on the WAN.
Local	This refers to the packet address (source or destination) as the packet travels on the LAN.
Global	This refers to the packet address (source or destination) as the packet travels on the WAN.

NAT never changes the IP address (either local or global) of an outside host.

7.1.2 What NAT Does

In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed.

The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, for example, a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping – see Table 49 on page 136), NAT offers the additional benefit of firewall protection. With no servers defined, your ZyXEL Device filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).

7.1.3 How NAT Works

Each packet has two addresses - a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyXEL Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.

ZYXEL PRESTIGE 661H - How NAT Works - 1
Figure 70 How NAT Works

7.1.4 NAT Application

The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyXEL Device can communicate with three distinct WAN networks. More examples follow at the end of this chapter.

ZYXEL PRESTIGE 661H - NAT Application - 1
Figure 71 NAT Application With IP Alias

NAT supports five types of IP/port mapping. They are:

One to One: In One-to-One mode, the ZyXEL Device maps one local IP address to one global IP address.
Many to One: In Many-to-One mode, the ZyXEL Device maps multiple local IP addresses to one global IP address. This is equivalent to SUA (for instance, PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today's routers).
Many to Many Overload: In Many-to-Many Overload mode, the ZyXEL Device maps the multiple local IP addresses to shared global IP addresses.
Many-to-Many No Overload: In Many-to-Many No Overload mode, the ZyXEL Device maps each local IP address to a unique global IP address.
Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.

Port numbers do NOT change for One-to-One and Many-to-Many No Overload NAT mapping types.

The following table summarizes these types.

Table 49 NAT Mapping Types

TYPE	IP MAPPING
One-to-One	ILA1←→ IGA1
Many-to-One (SUA/PAT)	ILA1←→ IGA1
	ILA2←→ IGA1
	...
Many-to-Many Overload	ILA1←→ IGA1
	ILA2←→ IGA2
	ILA3←→ IGA1
	ILA4←→ IGA2
	...
Many-to-Many No Overload	ILA1←→ IGA1
	ILA2←→ IGA2
	ILA3←→ IGA3
	...
Server	Server 1 IP←→ IGA1
	Server 2 IP←→ IGA1
	Server 3 IP←→ IGA1

7.2 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyXEL Device also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 49 on page 136.

Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device.
Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device.

7.3 NAT General Setup

You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyXEL Device. Click Network > NAT to open the following screen.

ZYXEL PRESTIGE 661H - NAT General Setup - 1
Figure 72 NAT General

The following table describes the labels in this screen.

Table 50 NAT General

LABEL	DESCRIPTION
Active Network Address Translation (NAT)	Select this check box to enable NAT.
SUA Only	Select this radio button if you have just one public WAN IP address for your ZyXEL Device.
Full Feature	Select this radio button if you have multiple public WAN IP addresses for your ZyXEL Device.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to reload the previous configuration for this screen.

7.4 Port Forwarding

A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.

You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports.

Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.

7.4.1 Default Server IP Address

In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.

Note: If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.

7.4.2 Port Forwarding: Services and Port Numbers

Use the Port Forwarding screen to forward incoming service requests to the server(s) on your local network.

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Please also refer to the Supporting CD for more examples and details on port forwarding and NAT.

Table 51 Services and Port Numbers

SERVICES	PORT NUMBER
ECHO	7
FTP (File Transfer Protocol)	21
SMTP (Simple Mail Transfer Protocol)	25
DNS (Domain Name System)	53
Finger	79
HTTP (Hyper Text Transfer protocol or WWW, Web)	80
POP3 (Post Office Protocol)	110
NNTP (Network News Transport Protocol)	119
SNMP (Simple Network Management Protocol)	161
SNMP trap	162
PPTP (Point-to-Point Tunneling Protocol)	1723

7.4.3 Configuring Servers Behind Port Forwarding (Example)

Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.

ZYXEL PRESTIGE 661H - Configuring Servers Behind Port Forwarding (Example) - 1
Figure 73 Multiple Servers Behind NAT Example

7.5 Configuring Port Forwarding

Note: The Port Forwarding screen is available only when you select SUA Only in the NAT > General screen.

If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.

Click Network > NAT > Port Forwarding to open the following screen.

See Table 51 on page 138 for port numbers commonly used for particular services.

ZYXEL PRESTIGE 661H - Configuring Port Forwarding - 1
Figure 74 Port Forwarding

The following table describes the fields in this screen.

Table 52 Port Forwarding

LABEL	DESCRIPTION
Default Server Setup
Default Server	In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
Port Forwarding
Service Name	Select a service from the drop-down list box.
Server IP Address	Enter the IP address of the server for the specified service.
Add	Click this button to add a rule to the table below.
#	This is the rule index number (read-only).
Active	Click this check box to enable the rule.
Service Name	This is a service's name.
Start Port	This is the first port number that identifies a service.
End Port	This is the last port number that identifies a service.
Server IP Address	This is the server's IP address.
Modify	Click the edit icon to go to the screen where you can edit the port forwarding rule. Click the delete icon to delete an existing port forwarding rule. Note that subsequent rules move up by one when you take this action.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to return to the previous configuration.

7.5.1 Port Forwarding Rule Edit

To edit a port forwarding rule, click the rule's edit icon in the Port Forwarding screen to display the screen shown next.

ZYXEL PRESTIGE 661H - Port Forwarding Rule Edit - 1
Figure 75 Port Forwarding Rule Setup

The following table describes the fields in this screen.

Table 53 Port Forwarding Rule Setup

LABEL	DESCRIPTION
Active	Click this check box to enable the rule.
Service Name	Enter a name to identify this port-forwarding rule.
Start Port	Enter a port number in this field. To forward only one port, enter the port number again in the End Port field. To forward a series of ports, enter the start port number here and the end port number in the End Port field.
End Port	Enter a port number in this field. To forward only one port, enter the port number again in the Start Port field above and then enter it again in this field. To forward a series of ports, enter the last port number in a series that begins with the port number in the Start Port field above.
Server IP Address	Enter the inside IP address of the server here.
Back	Click Back to return to the previous screen.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

7.6 Address Mapping

Note: The Address Mapping screen is available only when you select Full Feature in the NAT > General screen.

Ordering your rules is important because the ZyXEL Device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL Device takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6.

To change your ZyXEL Device's address mapping settings, click Network > NAT > Address Mapping to open the following screen.

ZYXEL PRESTIGE 661H - Address Mapping - 1
Figure 76 Address Mapping Rules

The following table describes the fields in this screen.

Table 54 Address Mapping Rules

LABEL	DESCRIPTION
#	This is the rule index number.
Local Start IP	This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping.
Local End IP	This is the end Inside Local IP Address (ILA). If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-one and Server mapping types.
Global Start IP	This is the starting Inside Global IP Address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP. You can only do this for Many-to-One and Server mapping types.
Global End IP	This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-one, Many-to-One and Server mapping types.
Type	1-1: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type.M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.M-M Ov (Overload): Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.MM No (No Overload): Many-to-Many No Overload mode maps each local IP address to unique global IP addressesSERVER: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.
Modify	Click the edit icon to go to the screen where you can edit the address mapping rule. Click the delete icon to delete an existing address mapping rule. Note that subsequent rules move up by one when you take this action.

7.6.1 Address Mapping Rule Edit

To edit an address mapping rule, click the rule's edit icon in the Address Mapping screen to display the screen shown next.

ZYXEL PRESTIGE 661H - Address Mapping Rule Edit - 1
Figure 77 Edit Address Mapping Rule

The following table describes the fields in this screen.

Table 55 Edit Address Mapping Rule

LABEL	DESCRIPTION
Type	Choose the port mapping type from one of the following.One-to-One: One-to-One mode maps one local IP address to one global IP address.Note that port numbers do not change for One-to-one NAT mapping type.Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.Many-to-Many No Overload: Many-to-Many No Overload mode maps each local IP address to unique global IP addressesSERVER: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.
Local Start IP	This is the starting local IP address (ILA). Local IP addresses are N/A for Server port mapping.
Local End IP	This is the end local IP address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address.This field is N/A for One-to-One and Server mapping types.
Global Start IP	This is the starting global IP address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP.
Global End IP	This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Server Mapping Set	Only available when Type is set to Server.Select a number from the drop-down menu to choose a server mapping set.
Edit Details	Click this link to go to the Port Forwarding screen to edit a server mapping set that you have selected in the Server Mapping Set field.
Back	Click Back to return to the previous screen.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

CHAPTER 8 Firewalls

This chapter gives some background information on firewalls and introduces the ZyXEL Device firewall.

8.1 Firewall Overview

Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself.

Refer to Section 9.6 on page 162 to configure default firewall settings.

Refer to Section 9.7 on page 163 to view firewall rules.

Refer to Section 9.7.1 on page 164 to configure firewall rules.

Refer to Section 9.7.2 on page 167 to configure a custom service.

Refer to Section 9.11.3 on page 177 to configure firewall thresholds.

8.2 Types of Firewalls

There are three main types of firewalls:

Packet Filtering Firewalls
Application-level Firewalls
Stateful Inspection Firewalls

8.2.1 Packet Filtering Firewalls

Packet filtering firewalls restrict access based on the source/destination computer network address of a packet and the type of application.

8.2.2 Application-level Firewalls

Application-level firewalls restrict access by serving as proxies for external servers. Since they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data. Application-level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts:

Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.

Robust authentication and logging pre-authENTICates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet filtering router can be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.

8.2.3 Stateful Inspection Firewalls

Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency, however, they may lack the granular application level access control or caching that some proxies support. See Section 8.5 on page 151 for more information on stateful inspection.

Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.

8.3 Introduction to ZyXEL's Firewall

The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The ZyXEL Device also has packet filtering capabilities.

The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.

The ZyXEL Device has one DSL/ISDN port and one Ethernet LAN port, which physically separate the network into two areas.

The DSL/ISDN port connects to the Internet.
The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web. However, "inbound access" will not be allowed unless you configure remote management or create a firewall rule to allow a remote host to use a specific service.

8.3.1 Denial of Service Attacks

ZYXEL PRESTIGE 661H - Denial of Service Attacks - 1
Figure 78 ZyXEL Device Firewall Application

8.4 Denial of Service

Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyXEL Device is pre-configured to automatically detect and thwart all known DoS attacks.

8.4.1 Basics

Computers share information over the Internet using a common language called TCP/IP. TCP/IP, in turn, is a set of application protocols that perform specific functions. An "extension number", called the "TCP port" or "UDP port" identifies these protocols, such as HTTP (Web), FTP (File Transfer Protocol), POP3 (E-mail), etc. For example, Web traffic by default uses TCP port 80.

When computers communicate on the Internet, they are using the client/server model, where the server "listens" on a specific TCP/UDP port for information requests from remote client computers on the network. For example, a Web server typically listens on port 80. Please note that while a computer may be intended for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port.

Some of the most common IP ports are:

Table 56 Common IP Ports

21	FTP	53	DNS
23	Telnet	80	HTTP
25	SMTP	110	POP3

8.4.2 Types of DoS Attacks

There are four types of DoS attacks:

1 Those that exploit bugs in a TCP/IP implementation.

2 Those that exploit weaknesses in the TCP/IP specification.

3 Brute-force attacks that flood a network with useless data.

4 IP Spoofing.

5 "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.

Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang or reboot.
Teardrop attack exploits weaknesses in the re-assembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

6 Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND" attacks. These attacks are executed during the handshake that initiates a communication session between two applications.

ZYXEL PRESTIGE 661H - Types of DoS Attacks - 1
Figure 79 Three-Way Handshake

Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.

SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

ZYXEL PRESTIGE 661H - Types of DoS Attacks - 2
Figure 80 SYN Flood

In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

7 A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic. If a hacker chooses to spoof the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the "intermediary" network, but will also congest the network of the spoofed source IP address, known as the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

Figure 81 Smurf Attack
ZYXEL PRESTIGE 661H - Types of DoS Attacks - 3
Attacker broadcasts "ping" packets with a spoofed source address to every host on the intermediary network.
Every host on the intermediary network responds by sending responses to every host on the victim network.

8.4.2.1 ICMP Vulnerability

ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:

Table 57 ICMP Commands That Trigger Alerts

5	REDIRECT
13	TIMESTAMP_REQUEST
14	TIMESTAMPReply
17	ADDRESS_MASK_REQUEST
18	ADDRESS_MASKReply

8.4.2.2 Illegal Commands (NetBIOS and SMTP)

The only legal NetBIOS commands are the following - all others are illegal.

Table 58 Legal NetBIOS Commands

MESSAGE:

REQUEST:

POSITIVE:

VE:

RETARGET:

KEEPALIVE:

All SMTP commands are illegal except for those displayed in the following tables.

Table 59 Legal SMTP Commands

AUTH	DATA	EHLO	ETRN	EXPN	HELO	HELP	MAIL	NOOP
QUIT	RCPT	RSET	SAML	SEND	SOML	TURN	VRFY

8.4.2.3 Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall.

Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The ZyXEL Device blocks all IP Spoofing attempts.

8.5 Stateful Inspection

With stateful inspection, fields of the packets are compared to packets that are already known to be trusted. For example, if you access some outside service, the proxy server remembers things about your original request, like the port number and source and destination addresses. This "remembering" is called saving the state. When the outside system responds to your request, the firewall compares the received packets with the saved state to determine if they are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN from hackers and scandals on the Internet. By default, the ZyXEL Device's stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection:

Allows all sessions originating from the LAN (local network) to the WAN (Internet).
Denies all sessions originating from the WAN to the LAN.

ZYXEL PRESTIGE 661H - Stateful Inspection - 1
Figure 82 Stateful Inspection

The previous figure shows the ZyXEL Device's default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked.

8.5.1 Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application layer protocol is configured for a firewall rule inspection:

1 The packet travels from the firewall's LAN to the WAN.
2 The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point).
3 The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attack, then the settings in the Firewall General screen determine the action for this packet.
4 Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected.
5 The outbound packet is forwarded out through the interface.
6 Later, an inbound packet reaches the interface. This packet is part of the connection previously established with the outbound packet. The inbound packet is evaluated against the inbound access list, and is permitted because of the temporary access list entry previously created.
7 The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary. Based on the updated state information, the inbound extended access list temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.
9 When the connection terminates or times out, the connection's state table entry is deleted and the connection's temporary inbound access list entries are deleted.

8.5.2 Stateful Inspection and the ZyXEL Device

Additional rules may be defined to extend or override the default rules. For example, a rule may be created which will:

Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the Internet.
Allow certain types of traffic from the Internet to specific hosts on the LAN.
Allow access to a Web server to everyone but competitors.
Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

These custom rules work by evaluating the network traffic's Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator.

Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.

Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyXEL Device itself (as with the "virtual connections" created for UDP and ICMP).

8.5.3 TCP Security

The ZyXEL Device uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream.

If an initiation packet originates on the WAN, this means that someone is trying to make a connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" shown next), these packets are dropped and logged.

If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed. A cache entry is added which includes connection information such as IP addresses, TCP ports, sequence numbers, etc.

When the ZyXEL Device receives any subsequent packet (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).

8.5.4 UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence numbers). However, at the very minimum, they contain an IP address pair (source and destination). UDP also contains port pairs, and ICMP has type and code information. All of this data can be analyzed in order to build "virtual connections" in the cache.

For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and port pairs will be stored. For a short period of time, UDP packets from the WAN that have matching IP and UDP information will be allowed back in through the firewall.

A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines.

8.5.5 Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information.

Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet would normally be rejected.

In order to achieve this, the ZyXEL Device inspects the application-level FTP data. Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data connection. This can be done safely, since the PORT command contains address and port information, which can be used to uniquely identify the connection.

Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator's Custom Ports feature to do this.

8.6 Guidelines for Enhancing Security with Your Firewall

Change the default password.
Limit who can telnet into your router.
Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
Protect against IP spoofing by making sure the firewall is active.
Keep the firewall in a secured (locked) room.

8.6.1 Security In General

You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them.

Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk. Produce lists like this one!
DSL or cable modem connections are "always-on" connections and are particularly vulnerable because they provide more opportunities for hackers to crack your system. Turn your computer off when not in use.
Never give out a password or any sensitive information to an unsolicited telephone call or e-mail.
Never e-mail sensitive information such as passwords, credit card information, etc., without encrypting the information first.
Never submit sensitive information via a web page unless the web site uses secure connections. You can identify a secure connection by looking for a small "key" icon on the bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a web site uses a secure connection, it is safe to submit information. Secure web transactions are quite difficult to crack.
Never reveal your IP address or other system networking information to people outside your company. Be careful of files e-mailed to you from strangers. One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files.
Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult passwords to crack are those with upper and lower case letters, numbers and a symbol such as% or #.
Upgrade your software regularly. Many older versions of software, especially web browsers, have well known security deficiencies. When you upgrade to the latest versions, you get the latest patches and fixes.
If you use "chat rooms" or IRC sessions, be careful with any information you reveal to strangers.
If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off hacks that cause your system to slowly become unstable or unusable.
Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in an attack.

8.7 Packet Filtering Vs Firewall

Below are some comparisons between the ZyXEL Device's filtering and firewall functions.

8.7.1 Packet Filtering:

The router filters packets as they pass through the router's interface according to the filter rules you designed.
Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
Packet filtering only checks the header portion of an IP packet.

8.7.1.1 When To Use Filtering

To block/allow LAN packets by their MAC addresses.
To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A. Filters can not distinguish traffic originating from an inside host or an outside host by IP address.
To block/allow IP trace route.

8.7.2 Firewall

The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands data in the packet is intended for other layers, from the network layer (IP headers) up to the application layer.
The firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
The firewall uses session filtering, i.e.,smart rules, that enhance the filtering process and control the network session rather than control individual packets in a session.
The firewall provides e-mail service to notify you of routine reports and when alerts occur.

8.7.2.1 When To Use The Firewall

To prevent DoS attacks and prevent hackers cracking your network.
A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required.
To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters can not distinguish traffic originating from an inside host or an outside host by IP address.
The firewall performs better than filtering if you need to check many rules.
Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur.
The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.

CHAPTER 9 Firewall Configuration

This chapter shows you how to enable and configure the ZyXEL Device firewall.

9.1 Access Methods

The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL Device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. CLI (Command Line Interpreter) commands provide limited configuration options and are only recommended for advanced users.

9.2 Firewall Policies Overview

Firewall rules are grouped based on the direction of travel of packets to which they apply:

LAN to LAN/ Router

WAN to LAN

LAN to WAN
WAN to WAN/ Router

Note: The LAN includes both the LAN port and the WLAN.

By default, the ZyXEL Device's stateful packet inspection allows packets traveling in the following directions:

LAN to LAN/ Router

This allows computers on the LAN to manage the ZyXEL Device and communicate between networks or subnets connected to the LAN interface.

LAN to WAN

By default, the ZyXEL Device's stateful packet inspection drops packets traveling in the following directions:

WAN to LAN
WAN to WAN/Router

This prevents computers on the WAN from using the ZyXEL Device as a gateway to communicate with other computers on the WAN and/or managing the ZyXEL Device.

You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.

Note: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.

For example, you may create rules to:

Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet
Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
Allow everyone except your competitors to access a Web server.
Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the ZyXEL Device's default rules.

9.3 Rule Logic Overview

Note: Study these points carefully before configuring rules.

9.3.1 Rule Checklist

State the intent of the rule. For example, "This restricts all IRC access from the LAN to the Internet." Or, "This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server."

1 Is the intent of the rule to forward or block traffic?
2 What direction of traffic does the rule apply to?
3 What IP services will be affected?
4 What computers on the LAN are to be affected (if any)?
5 What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.

9.3.2 Security Ramifications

1 Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule:
2 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
3 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?

4 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.
5 Does this rule conflict with any existing rules?
6 Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.

9.3.3 Key Fields For Configuring Rules

9.3.3.1 Action

Should the action be to Drop, Reject or Permit?

Note: "Drop" means the firewall silently discards the packet. "Reject" means thefirewall discards packets and sends an ICMP destination-unreachablemessage to the sender.

9.3.3.2 Service

Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See Section 9.9 on page 172 for more information on predefined services.

9.3.3.3 Source Address

What is the connection's source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?

9.3.3.4 Destination Address

What is the connection's destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?

9.4 Connection Direction

This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN.

LAN to LAN/ Router and WAN to WAN/Router rules apply to packets coming in on the associated interface (LAN or WAN, respectively). LAN to LAN/Router means policies for LAN-to-ZyXEL Device (the policies for managing the ZyXEL Device through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/Router polices apply in the same way to the WAN port.

9.4.1 LAN to WAN Rules

The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN. WAN to LAN Rules

The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.

9.4.2 Alerts

Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when a rule is matched in the Edit Rule screen (see Figure 88 on page 165). When an event generates an alert, a message can be immediately sent to an email account that you specify in the Log Settings screen. Refer to the chapter on logs for details.

9.5 Triangle Route

When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.

ZYXEL PRESTIGE 661H - Triangle Route - 1

9.5.1 The "Triangle Route" Problem

You may have more than one connection to the Internet (through one or more ISPs). If the alternate gateway is on the LAN (and its IP address is in the same subnet as the ZyXEL Device's LAN IP address), the "triangle route" (also called asymmetrical route) problem may occur. The steps below describe the "triangle route" problem.

1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2 The ZyXEL Device reroutes the SYN packet through Gateway A on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the ZyXEL Device.

As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged.

ZYXEL PRESTIGE 661H - The "Triangle Route" Problem - 1
Figure 84 "Triangle Route" Problem

9.5.2 Solving the "Triangle Route" Problem

You can have the ZyXEL Device allow triangle route sessions. However this can allow traffic from the WAN to go directly to a LAN computer without passing through the ZyXEL Device and its firewall protection.

Another way to solve the triangle route problem is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for each logical network. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.

1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyXEL Device.
4 The ZyXEL Device then sends it to the computer on the LAN in Subnet 1.

ZYXEL PRESTIGE 661H - Solving the "Triangle Route" Problem - 1
Figure 85 IP Alias

9.6 General Firewall Policy

Click Security > Firewall to display the following screen. Activate the firewall by selecting the Active Firewall check box as seen in the following screen.

Refer to Section 8.1 on page 145 for more information.

ZYXEL PRESTIGE 661H - General Firewall Policy - 1
Figure 86 Firewall: General

The following table describes the labels in this screen.

Table 60 Firewall: General

LABEL	DESCRIPTION
Active Firewall	Select this check box to activate the firewall. TheZyXEL Device performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Bypass Triangle Route	Select this check box to have theZyXEL Device firewall permit the use of triangle route topology on the network. See the appendix for more on triangle route topology.Note:Allowing asymmetrical routes may let traffic from the WAN go directly to a LAN computer without passing through the router. See Appendix M on page 366 for more on triangle route topology and how to deal with this problem.
Packet Direction	This is the direction of travel of packets (LAN to LAN / Router, LAN to WAN, WAN to WAN /Router, and WAN to LAN).Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, LAN to LAN /Router means packets traveling from a computer/subnet on the LAN to either another computer/subnet on the LAN interface of theZyXEL Device or theZyXEL Device itself.
Default Action	Use the drop-down list boxes to select the default action that the firewall is take on packets that are traveling in the selected direction and do not match any of the firewall rules.Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender.Select Permit to allow the passage of the packets.
Log	Select the check box to create a log (when the above action is taken) for packets that are traveling in the selected direction and do not match any of your customized rules.
Expand...	Click this button to display more information.
Basic...	Click this button to display less information.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

9.7 Firewall Rules Summary

Note: The ordering of your rules is very important as rules are applied in turn.

Refer to Section 8.1 on page 145 for more information.

Click Security > Firewall > Rules to bring up the following screen. This screen displays a list of the configured firewall rules. Note the order in which the rules are listed.

ZYXEL PRESTIGE 661H - Firewall Rules Summary - 1
Figure 87 Firewall Rules

The following table describes the labels in this screen.

Table 61 Firewall Rules

LABEL	DESCRIPTION
Firewall Rules Storage Space in Use	This read-only bar shows how much of the ZyXEL Device's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.
Packet Direction	Use the drop-down list box to select a direction of travel of packets for which you want to configure firewall rules.
Create a new rule after rule number	Select an index number and click Add to add a new firewall rule after the selectedindex number. For example, if you select "6", your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
	The following read-only fields summarize the rules you have created that apply totraffic traveling in the selected packet direction. The firewall rules that you configure( summarized below) take priority over the default actions in the General screen.
#	This is your firewall rule number. The ordering of your rules is important as rules are applied in turn.
Active	This field displays whether a firewall is turned on or not. Select the check box to enable the rule. Clear the check box to disable the rule.
Source IP	This drop-down list box displays the source addresses or ranges of addresses towhich this firewall rule applies. Please note that a blank source or destinationaddress is equivalent to Any.
Destination IP	This drop-down list box displays the destination addresses or ranges of addresses towhich this firewall rule applies. Please note that a blank source or destinationaddress is equivalent to Any.
Service	This drop-down list box displays the services to which this firewall rule applies. SeeSection 9.9 on page 172 for more information.
Action	This field displays whether the firewall silently discards packets (Drop), discardspackets and sends a TCP reset packet or an ICMP destination-unreachable messageto the sender (Reject) or allows the passage of packets (Permit).
Schedule	This field tells you whether a schedule is specified (Yes) or not (No).
Log	This field shows you whether a log is created when packets match this rule (Yes) ornot (No).
Modify	Click the Edit icon to go to the screen where you can edit the rule.Click the Remove icon to delete an existing firewall rule. A window displays askingyou to confirm that you want to delete the firewall rule. Note that subsequent firewall rules move up by one when you take this action.
Order	Click the Move icon to display the Move the rule to field. Type a number in theMove the rule to field and click the Move button to move the rule to the number that youtyped. The ordering of your rules is important as they are applied in order of theirnumbering.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

9.7.1 Configuring Firewall Rules

Refer to Section 8.1 on page 145 for more information.

In the Rules screen, select an index number and click Add or click a rule's Edit icon to display this screen and refer to the following table for information on the labels.

ZYXEL PRESTIGE 661H - Configuring Firewall Rules - 1
Figure 88 Firewall: Edit Rule

The following table describes the labels in this screen.

Table 62 Firewall: Edit Rule

LABEL	DESCRIPTION
Active	Select this option to enable this firewall rule.
Action for Matched Packet	Use the drop-down list box to select what the firewall is to do with packets that match this rule-select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender.Select Permit to allow the passage of the packets.
Source/Destination Address
Address Type	Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address?Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
Start IP Address	Enter the single IP address or the starting IP address in a range here.
End IP Address	Enter the ending IP address in a range here.
Subnet Mask	Enter the subnet mask here, if applicable.
Add >>	Click Add >> to add a new address to the Source or Destination Address box.You can add multiple addresses, ranges of addresses, and/or subnets.
Edit <<	To edit an existing source or destination address, select it from the box and click Edit <<.
Delete	Highlight an existing source or destination address from the Source or Destination Address box above and click Delete to remove it.
Services
Available/ Selected Services	Please see Section 9.9 on page 172 for more information on services available.Highlight a service from the Available Services box on the left, then click Add >> to add it to the Selected Services box on the right. To remove a service, highlight it in the Selected Services box on the right, then click Remove.
Edit Customized Service	Click the Edit Customized Services link to bring up the screen that you use to configure a new custom service that is not in the predefined list of services.
Schedule
Day to Apply	Select everyday or the day(s) of the week to apply the rule.
Time of Day to Apply (24-Hour Format)	Select All Day or enter the start and end times in the hour-minute format to apply the rule.
Log
Log Packet Detail Information	This field determines if a log for packets that match the rule is created or not. Go to the Log Settings page and select the Access Control logs category to have the ZyXEL Device record these logs.
Alert
Send Alert Message to Administrator When Matched	Select the check box to have the ZyXEL Device generate an alert when the rule is matched.
Apply	Click Apply to save your customized settings and exit this screen.
Cancel	Click Cancel to exit this screen without saving.

9.7.2 Customized Services

Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) web site. For further information on these services, please read Section 9.9 on page 172. Click the Edit Customized Services link while editing a firewall rule to configure a custom service port. This displays the following screen.

Refer to Section 8.1 on page 145 for more information.

ZYXEL PRESTIGE 661H - Customized Services - 1
Figure 89 Firewall: Customized Services

The following table describes the labels in this screen.

Table 63 Customized Services

LABEL	DESCRIPTION
No.	This is the number of your customized port. Click a rule's number of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service. See Section 9.7.3 on page 168 for more information.
Name	This is the name of your customized service.
Protocol	This shows the IP protocol (TCP, UDP or TCP/UDP) that defines your customized service.
Port	This is the port number or range that defines your customized service.
Back	Click Back to return the Firewall Edit Rule screen.

9.7.3 Configuring A Customized Service

Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen.

Refer to Section 8.1 on page 145 for more information.

ZYXEL PRESTIGE 661H - Configuring A Customized Service - 1
Figure 90 Firewall: Configure Customized Services

The following table describes the labels in this screen.

Table 64 Firewall: Configure Customized Services

LABEL	DESCRIPTION
Service Name	Type a unique name for your custom port.
Service Type	Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box.
Port Configuration
Type	Click Single to specify one port only or Range to specify a span of ports that define your customized service.
Port Number	Type a single port number or the range of port numbers that define your customized service.
Apply	Click Apply to save your customized settings and exit this screen.
Cancel	Click Cancel to return to the previous screen.
Delete	Click Delete to delete the current rule and return to the previous screen.

9.8 Example Firewall Rule

The following Internet firewall rule example allows a hypothetical "MyService" connection from the Internet.

1 Click Security > Firewall > Rules.
2 Select WAN to LAN in the Packet Direction field.

ZYXEL PRESTIGE 661H - Example Firewall Rule - 1
Figure 91 Firewall Example: Rules

3 In the Rules screen, select the index number after that you want to add the rule. For example, if you select "6", your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
4 Click Add to display the firewall rule configuration screen.
5 In the Edit Rule screen, click the Edit Customized Services link to open the Customized Service screen.
6 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply.

ZYXEL PRESTIGE 661H - Example Firewall Rule - 2
Figure 92 Edit Custom Port Example

7 Select Any in the Destination Address box and then click Delete.
8 Configure the destination address screen as follows and click Add.

ZYXEL PRESTIGE 661H - Example Firewall Rule - 3
Figure 93 Firewall Example: Edit Rule: Destination Address

9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done.

Note: Custom services show up with an “*” before their names in the Services list box and the Rules list box.

ZYXEL PRESTIGE 661H - Example Firewall Rule - 4
Figure 94 Firewall Example: Edit Rule: Select Customized Services

On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following.

Rule 1 allows a "MyService" connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.

ZYXEL PRESTIGE 661H - Example Firewall Rule - 5
Figure 95 Firewall Example: Rules: MyService

9.9 Predefined Services

The Available Services list box in the Edit Rule screen (see Section 9.7.1 on page 164) displays all predefined services that the ZyXEL Device already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type. For example, look at the default configuration labeled “(DNS)”. (UDP/TCP:53) means UDP port 53 and TCP port 53. Up to 128 entries are supported. Custom service ports may also be configured using the Edit Customized Services function discussed previously.

Table 65 Predefined Services

SERVICE	DESCRIPTION
AIM/NEW_ICQ(TCP:5190)	AOL's Internet Messenger service, used as a listening port by ICQ.
AUTH(TCP:113)	Authentication protocol used by some servers.
BGP(TCP:179)	Border Gateway Protocol.
BOOTP_CLIENT(UDP:68)	DHCP Client.
BOOTP_SERVER(UDP:67)	DHCP Server.
CU-SEEME(TCP/UDP:7648, 24032)	A popular videoconferencing solution from White Pines Software.
DNS(UDP/TCP:53)	Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
FINGER(TCP:79)	Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP(TCP:20.21)	File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323(TCP:1720)	Net Meeting uses this protocol.
HTTP(TCP:80)	Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS	HTTPS is a secured http session often used in e-commerce.
ICQ(UDP:4000)	This is a popular Internet chat program.
IPSEC_TRANSPORT/TUNNEL(AH:0)	The IPSEC AH (Authentication Header) tunneling protocol uses this service.
IPSEC_TUNNEL(ESP:0)	The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
IRC(TCP/UDP:6667)	This is another popular Internet chat program.
MSN Messenger(TCP:1863)	Microsoft Networks' messenger service uses this protocol.
MULTICAST(IGMP:0)	Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.
NEWS(TCP:144)	A protocol for news groups.
NFS(UDP:2049)	Network File System - NFS is a client/server distributed file service that provides transparent file-sharing for network environments.
NNTP(TCP:119)	Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
PING(ICMP:0)	Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
POP3(TCP:110)	Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
PPTP(TCP:1723)	Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
PPTP_TUNNEL(GRE:0)	Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the data channel.
RCMD(TCP:512)	Remote Command Service.
REAL=AUDIO(TCP:7070)	A streaming audio service that enables real time sound over the web.
REXEC(TCP:514)	Remote Execution Daemon.
RLOGIN(TCP:513)	Remote Login.
RTELNET(TCP:107)	Remote Telnet.
RTSP(TCP/UDP:554)	The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP(TCP:115)	Simple File Transfer Protocol.
SMTP(TCP:25)	Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP(TCP/UDP:161)	Simple Network Management Program.
SNMP-TRAPS (TCP/UDP:162)	Traps for use with the SNMP (RFC:1215).
SQL-NET(TCP:1521)	Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.
SSDP(UDP:1900)	Simole Service Discovery Protocol (SSDP) is a discovery service searching for Universal Plug and Play devices on your home network or upstream Internet gateways using DUDP port 1900.
SSH(TCP/UDP:22)	Secure Shell Remote Login Program.
STRMWORKS(UDP:1558)	Stream Works Protocol.
SYSLOG(UDP:514)	Syslog allows you to send system logs to a UNIX server.
TACACS(UDP:49)	Login Host Protocol used for (Terminal Access Controller Access Control System).
TELNET(TCP:23)	Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
TFTP(UDP:69)	Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE(TCP:7000)	Another videoconferencing solution.

9.10 Anti-Probing

If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. The ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed.

Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user.

Refer to Section 8.1 on page 145 for more information.

Click Security > Firewall > Anti Probing to display the screen as shown.

ZYXEL PRESTIGE 661H - Anti-Probing - 1
Figure 96 Firewall: Anti Probing

The following table describes the labels in this screen.

Table 66 Firewall: Anti Probing

LABEL	DESCRIPTION
Respond to PING on	The ZyXEL Device does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests.
Do Not Respond to Requests for Unauthorized Services.	Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device unseen. By default this option is not selected and the ZyXEL Device will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports. Note that the probing packets must first traverse the ZyXEL Device's firewall mechanism before reaching this anti-probing mechanism. Therefore if the firewall mechanism blocks a probing packet, the ZyXEL Device reacts based on the corresponding firewall policy to send a TCP reset packet for a blocked TCP packet or an ICMP port-unreachable packet for a blocked UDP packets or just drop the packets without sending a response packet.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

9.11 DoS Thresholds

For DoS attacks, the ZyXEL Device uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions.

You can use the default threshold values, or you can change them to values more suitable to your security requirements.

Refer to Section 9.11.3 on page 177 to configure thresholds.

Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for most small offices. Factors influencing choices for threshold values are:

The maximum number of opened sessions.
The minimum capacity of server backlog in your LAN network.
The CPU power of servers in your LAN network.
Network bandwidth.
Type of traffic for certain servers.

If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced.

You should make any changes to the threshold values before you continue configuring firewall rules.

9.11.2 Half-Open Sessions

An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state-the TCP three-way handshake has not yet been completed (see Figure 79 on page 148). For UDP, "half-open" means that the firewall has detected no return traffic.

The ZyXEL Device measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (max-incomplete high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max-incomplete low).

When the rate of new connection attempts rises above a threshold (one-minute high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.

9.11.2.1 TCP Maximum Incomplete and Blocking Time

An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.

Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyXEL Device starts deleting half-open sessions according to one of the following methods:

If the Blocking Time timeout is 0 (the default), then the ZyXEL Device deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
If the Blocking Time timeout is greater than 0, then the ZyXEL Device blocks all new connection requests to the host giving the server time to handle the present connections. The ZyXEL Device continues to block all new connection requests until the Blocking Time expires.

9.11.3 Configuring Firewall Thresholds

The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections.

Click Firewall, and Threshold to bring up the next screen.

ZYXEL PRESTIGE 661H - Configuring Firewall Thresholds - 1
Figure 97 Firewall: Threshold

The following table describes the labels in this screen.

Table 67 Firewall: Threshold

LABEL	DESCRIPTION	DEFAULT VALUES
Denial of Service Thresholds
One Minute Low	This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number.	80 existing half-open sessions.
One Minute High	This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection attempts.	100 half-open sessions per minute. The above numbers cause the ZyXEL Device to start deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 80 session establishment attempts have been detected in the last minute.
Maximum Incomplete Low	This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.	80 existing half-open sessions.
Maximum Incomplete High	This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number.	100 existing half-open sessions. The above values causes the ZyXEL Device to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to stop deleting half-open sessions with the number of existing half-open sessions drops below 80.
TCP Maximum Incomplete	This is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth.	30 existing half-open TCP sessions.
Action taken when the TCP Maximum Incomplete threshold is reached.
Delete the oldest half open session when new connection request comes	Select this radio button to clear the oldest half open session when a new connection request comes.
Deny new connection request for	Select this radio button and specify for how long the ZyXEL Device should block new connection requests when TCP Maximum Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256).
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

CHAPTER 10 Trend Micro Security Services

This chapter contains information about configuring Trend Micro Security Services (TMSS).

10.1 Trend Micro Security Services Overview

TMSS helps protect computers on a network that access the Internet through the ZyXEL Device.

TMSS scans computers behind the ZyXEL Device for potential vulnerabilities such as spyware, missing security patches, trojans, etc. and then tells you how to update the computer so as to fix the vulnerability.

The ZyXEL Device includes TMSS "parental controls" that allows you to block web pages based on pre-defined web site categories such as pornography, gambling etc.

10.1.1 TMSS Web Page

TMSS is enabled by default on the ZyXEL Device, so you should see the following screen after you launch your web browser to connect to the Internet via the ZyXEL Device for the first time. You might not see this screen if you have a web pop-up blocker enabled, so disable it or manually enter http://tmss.trendmicro.com as the URL. Click Continue to go to the ActiveX control installation page.

ZYXEL PRESTIGE 661H - TMSS Web Page - 1
Figure 98 TMSS First Time Access

1 Download the ActiveX control to view the TMSS web page ("dashboard").

Note: Make sure that you have not restricted access to ActiveX, Cookies or Web Proxy features in the ZyXEL Device or web browser or you will not be able to access the TMSS web page. See Section 10.5 on page 189 for more details.

ZYXEL PRESTIGE 661H - TMSS Web Page - 2
Figure 99 Download ActiveX to View TMSS Web Page

2 In the TMSS web page, click Service Summary.

ZYXEL PRESTIGE 661H - TMSS Web Page - 3
Figure 100 TMSS Web Page ( Dashboard)

3 Click Activate My Services to begin a 3-step process to activate TMSS.

ZYXEL PRESTIGE 661H - TMSS Web Page - 4
Figure 101 TMSS Service Summary

4 Click Next to begin the process as outlined in the screen.

ZYXEL PRESTIGE 661H - TMSS Web Page - 5
Figure 102 TMSS 3 Steps

5 Fill in the registration form and submit it.

ZYXEL PRESTIGE 661H - TMSS Web Page - 6
Figure 103 TMSS Registration Form

6 After you submit the registration form, you will receive an e-mail with instructions for validating your e-mail address. Follow the instructions.
7 Download TMSS to each computer (behind the ZyXEL Device) that you want TMSS to monitor.

TMSS is now active and can now monitor ZyXEL Device LAN computers with TMSS installed (TMSS clients) for security updates. The following screen is an example of the Service Summary screen with TMSS activated.

ZYXEL PRESTIGE 661H - TMSS Web Page - 7
Figure 104 Example TMSS Activated Service Summary Screen

You need a Parental Control license to activate configure Parental Control categories on the ZyXEL Device (see Figure 110 on page 187). The following screen is an example of the Parental Control screen with TMSS activated.

ZYXEL PRESTIGE 661H - TMSS Web Page - 8
Figure 105 Example TMSS Activated Parental Controls Screen

After the free trial expires, you can buy the Trend micro Internet Security (TIS)¹ package. This package contains anti-virus software and a license for Parental Control (to forbid access to undesirable web site content based on pre-defined web site categories).

Note: See the TM User's Guide for details on all features.

10.2 Configuring TMSS on the ZyXEL Device

10.2.1 General TMSS Settings

Use this screen to enable or disable TMSS and parental controls, to configure how often the TMSS web page displays (Figure 100 on page 180), and to configure if and how often updates are checked. Click Security > TMSS > General to display the screen.

ZYXEL PRESTIGE 661H - General TMSS Settings - 1
Figure 106 General TMSS Settings

The following table describes the labels in this screen.

Table 68 General TMSS Settings

LABEL	DESCRIPTION
TMSS & Parental Control Setup
Enable Trend Micro Security Services	Select the check box to enable Trend Micro Security Services on your ZyXEL Device.
Enable Parental Controls	Select the check box to enable this feature on your ZyXEL Device.
Security Services Display Interval
Automatically display TMSS Web page every:	Select from the drop-down list box how often the TMSS web page appears in your web browser.
Check for Trend Micro Internet Security
Automatically check for update components	Select the check box to have the ZyXEL Device download the latest scan engine and virus pattern version numbers (not the actual software) from the Trend Micro web site. The ZyXEL Device can then compare version numbers currently on ZyXEL Device LAN computers with its latest downloaded version numbers and display the status in the table below.
Check for update components every	Select how often the ZyXEL Device should automatically check the Trend Micro Active Update server for updated components. Choose more frequent checking if there are many current virus threats or less frequent checking if there aren't and you have a lot of Internet traffic.
Scan engine	This field displays the latest TMSS anti-virus scan engine version number that the ZyXEL Device has downloaded.
Virus pattern	This field displays the latest TMSS anti-virus pattern version number that the ZyXEL Device has downloaded. N/A displays if there has been no reply for an update request.

Table 68 General TMSS Settings

LABEL	DESCRIPTION
Apply	Click Apply to save your customized settings.
Reset	Click Reset to begin configuring this screen afresh.

10.2.2 TMSS Exception List

Use this screen to exempt computers from TMSS monitoring. Click Security > TMSS > Exception List to display the screen.

Note: At the time of writing, TMSS may monitor up to 10 ZyXEL Device LAN computers with TMSS installed.

The ZyXEL Device must have an Internet connection for TMSS clients to display in this screen.

ZYXEL PRESTIGE 661H - TMSS Exception List - 1
Figure 107 TMSS Exception List

The following table describes the labels in this screen.

Table 69 TMSS Exception List

LABEL	DESCRIPTION
Exception List
Computer(s) that will display Trend Micro Home Network Security Services:	This box displays the ZyXEL Device LAN computers with TMSS installed (TMSS clients) that can be monitored by TMSS.
Computer(s) to exclude:	This box displays the ZyXEL Device LAN computers that are exempted from TMSS monitoring. Select a computer IP address from the previous list box and then click Add>> to omit it from TMSS monitoring. Select a computer IP address from this list box and then click <<Remove to have TMSS monitor it.

Table 69 TMSS Exception List

LABEL	DESCRIPTION
Apply	Click Apply to save your customized settings.
Cancel	Click Cancel to begin configuring this screen afresh.

10.3 TMSS Virus Protection

Use this screen to look at the status of computers under TMSS monitoring. Click Security > TMSS > Virus Protection to display the screen.

ZYXEL PRESTIGE 661H - TMSS Virus Protection - 1
Figure 108 Virus Protection

The following table describes the labels in this screen.

Table 70 Virus Protection

LABEL	DESCRIPTION
Client Antivirus Protection Status	This table provides information on all TMSS client computers and the ZyxEL Device itself.
#	This field displays the index number of a TMSS client computer or the ZyxEL Device.
IP Address	This field displays the IP address of a TMSS client computer or ZyxEL Device.
Computer Name	This field displays the host name of a TMSS client computer or the ZyxEL Device system name.
Antivirus Software	This field displays Internet Security if TIS is installed on the TMSS client computer. It displays N/A if you don’t have TM anti-virus software installed.
Virus Pattern	This field displays the current TMSS anti-virus pattern version number on a TMSS client.
Scan Engine	This field displays the current TMSS anti-virus scan engine version number of a TMSS client.
Status	This field displays whether you have (the latest) Trend Micro anti-virus software installed on a TMSS client computer.Potential Threat displays if:- The ZyXEL Device had no response after an update request.- There is currently no Trend Micro anti-virus installed on the TMSS client.- The LAN computer is using a UNIX or Macintosh operating system. This message displayed for computers with these operating systems does not mean they may be a “potential threat” but rather that TMSS cannot monitor them.Needs Update displays if:- The Trend Micro anti-virus version numbers on the TMSS client is older than the version numbers downloaded to the ZyXEL Device.- In both of these cases, you should either buy TM anti-virus software (TIS) if the free trial has expired and you have no other anti-virus software installed or update the TIS package.Up to date displays if:- The Trend Micro anti-virus version numbers on the TMSS client computer are the same as the numbers downloaded to the ZyXEL Device. You don’t have to do anything in this case.
Refresh	Click Refresh to update the screen.

10.4 Parental Controls

Use this screen to schedule and block web pages based on pre-defined web site categories such as pornography, gambling, etc.

Note: You need a Trend Micro Parental Control license in order to configure this screen. If you don't have one or it has expired, you will see the following message when you access the Parental Controls screen.

ZYXEL PRESTIGE 661H - Parental Controls - 1
Figure 109 No Parental Controls License

If you have completed the TMSS registration process and your license is valid, you can configure the Parental Controls configuration screen as shown in the following figure.

ZYXEL PRESTIGE 661H - Parental Controls - 2
Figure 110 Parental Controls

The following table describes the labels in this screen.

Table 71 Parental Controls

LABEL	DESCRIPTION
Restrict Web Features	Select the web features you want to disable. If a user downloads a page with a restricted feature, that part of the web page appears blank or grayed out. ActiveX - This is a tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again. Java - This is used to build downloadable Web components or Internet and intranet business applications of all kinds. Cookies - This is used by Web servers to track usage and to provide service based on ID. Web Proxy - This is a server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN, it is possible for LAN users to avoid content filtering restrictions.
Blocking Schedule	The blocking schedule for TMSS is the same as that used for content filtering (web site blocking by keyword). If blocking schedule configuration changes are made here, then the same changes apply to the CONTENT FILTER screen and vice versa.
Day to Block	Select Everyday or the day(s) of the week to activate web page blocking
Time of Day to Block (24-Hour Format)	Select the time of day you want web page blocking to take effect. Configure blocking to take effect all day by selecting the All day check box. You can also configure specific times by entering the start time in the Start (hr) and Start (min) fields and the end time in the End (hr) and End (min) fields. Enter times in 24-hour format; for example, "3:00pm" should be entered as "15:00".

Table 71 Parental Controls

LABEL	DESCRIPTION
Select Categories
Pornography	Selecting this category excludes pages that contain sexually explicit material for the purpose of arousing a sexual or prurient interest.
Illegal/Questionable	Selecting this category excludes pages that advocate or give advice on performing illegal acts such as service theft, evading law enforcement, fraud, burglary techniques and plagiarism. It also includes pages that provide or sell questionable educational materials, such as term papers. This category includes sites identified as being malicious in any way, such as web pages that may contain viruses, spyware etc.
Violence/Hate/Racism	Selecting this category excludes pages that depict extreme physical harm to people or property, or that advocate or provide instructions on how to cause such harm. It also includes pages that advocate or depict hostility or aggression toward, or otherwise denigrate an individual or group on the basis of race, religion, gender, nationality, ethnic origin, or other characteristics.
Illegal Drugs	Selecting this category excludes pages that promote, offer, sell, supply, encourage or otherwise advocate the illegal use, cultivation, manufacture, or distribution of drugs, pharmaceuticals, intoxicating plants or chemicals and their related paraphernalia.
Alcohol/Tobacco	Selecting this category excludes pages that promote or offer the sale of alcohol or tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not include pages that sell alcohol or tobacco as a subset of other products.
Gambling	Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information, assistance, recommendations, or training on placing bets or participating in games of chance. It does not include pages that sell gambling related products or machines. It also does not include pages for offline casinos and hotels (as long as those pages do not meet one of the above requirements).
Abortion	Selecting this category excludes pages that provide information or arguments in favor of or against abortion, describe abortion procedures, offer help in obtaining or avoiding abortion, or provide information on the effects, or lack thereof, of abortion.
Apply	Click Apply to save the settings.
Statistics	Click Statistics to view a record of access attempts and successes to web pages belonging to each category.
Reset	Click Reset to begin configuring this screen afresh.

10.4.1 Parental Controls Statistics

This screen displays a record of attempted entries to web pages or actual entries to web pages from a list of categories. Click Statistics in the Parental Controls screen to open it.

ZYXEL PRESTIGE 661H - Parental Controls Statistics - 1
Figure 111 Parental Controls Statistics

The following table describes the labels in this screen.

Table 72 Parental Controls Statistics

LABEL	DESCRIPTION
Category	All Parental Control categories are displayed as shown.
Access Attempts	This field displays the number of attempts that have been made to access web page(s) from a category of web pages that you have selected in the Parental Controls screen.
Actual Accesses	This field displays the number of times access has been made to web page(s) from a category of web pages that you have not selected in the Parental Controls screen or that have been accesses by exempted computers.
Cancel	Click Cancel to clear all of the fields in this screen.
Refresh	Click Refresh to renew the statistics screen.

10.5 ActiveX Controls in Internet Explorer

If ActiveX is disabled, you will not be able to download ActiveX controls or to use Trend Micro Security Services. Make sure that ActiveX controls are allowed in Internet Explorer.

Screen shots for Internet Explorer 6 are shown. Steps may vary depending on your version of Internet Explorer.

1 In Internet Explorer, click Tools, Internet Options and then the Security tab.
2 In the Internet Options window, click Custom Level.

ZYXEL PRESTIGE 661H - ActiveX Controls in Internet Explorer - 1
Figure 112 Internet Options Security

3 Scroll down to ActiveX controls and plug-ins.
4 Under Download signed ActiveX controls select the Prompt radio button.
5 Under Run ActiveX controls and plug-ins make sure the Enable radio button is selected.
6 Then click the OK button.

ZYXEL PRESTIGE 661H - ActiveX Controls in Internet Explorer - 2
Figure 113 Security Setting ActiveX Controls

CHAPTER 11 Content Filtering

This chapter covers how to configure content filtering.

11.1 Content Filtering Overview

Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the ZyXEL Device performs content filtering. You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering.

11.2 Configuring Keyword Blocking

Use this screen to block sites containing certain keywords in the URL. For example, if you enable the keyword "bad", the ZyXEL Device blocks all sites containing this keyword including the URL http://www.websites.com/bad.html, even if it is not included in the Filter List.

To have your ZyXEL Device block Web sites containing keywords in their URLs, click Security > Content Filter. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring Keyword Blocking - 1
Figure 114 Content Filter: Keyword

The following table describes the labels in this screen.

Table 73 Content Filter: Keyword

LABEL	DESCRIPTION
Active Keyword Blocking	Select this check box to enable this feature.
Block Websites that contain these keywords in the URL:	This box contains the list of all the keywords that you have configured the ZyXEL Device to block.
Delete	Highlight a keyword in the box and click Delete to remove it.
Clear All	Click Clear All to remove all of the keywords from the list.
Keyword	Type a keyword in this field. You may use any character (up to 127 characters). Wildcards are not allowed.
Add Keyword	Click Add Keyword after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to return to the previously saved settings.

11.3 Configuring the Schedule

To set the days and times for the ZyXEL Device to perform content filtering, click Security > Content Filter > Schedule. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring the Schedule - 1
Figure 115 Content Filter: Schedule

The following table describes the labels in this screen.

Table 74 Content Filter: Schedule

LABEL	DESCRIPTION
Schedule	Select Active Everyday to Block to make the content filtering active everyday. Otherwise, select Edit Daily to Block and configure which days of the week (or everyday) and which time of the day you want the content filtering to be active.
Active	Select the check box to have the content filtering to be active on the selected day.
Start TIme	Enter the start time when you want the content filtering to take effect in hour-minute format.
End Time	Enter the end time when you want the content filtering to stop in hour-minute format.
Apply	Click Apply to save your changes.
Cancel	Click Cancel to return to the previously saved settings.

11.4 Configuring Trusted Computers

To exclude a range of users on the LAN from content filtering on your ZyXEL Device, click Security > Content Filter > Trusted. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring Trusted Computers - 1
Figure 116 Content Filter: Trusted

The following table describes the labels in this screen.

Table 75 Content Filter: Trusted

LABEL	DESCRIPTION
Trusted User IP Range
From	Type the IP address of a computer (or the beginning IP address of a specific range of computers) on the LAN that you want to exclude from content filtering.
To	Type the ending IP address of a specific range of users on your LAN that you want to exclude from content filtering. Leave this field blank if you want to exclude an individual computer.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to return to the previously saved settings.

CHAPTER 12 Introduction to IPSec

This chapter introduces the basics of IPSec VPNs.

12.1 VPN Overview

A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

12.1.1 IPSec

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

12.1.2 Security Association

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms they will use.

12.1.3 Other Terminology

12.1.3.1 Encryption

Encryption is a mathematical operation that transforms data from " plaintext" (readable) to "ciphertext" (scrambled text) using a "key". The key and clear text are processed by the encryption operation, which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption: it is a mathematical operation that transforms "ciphertext" to plaintext. Decryption also requires a key.

ZYXEL PRESTIGE 661H - Encryption - 1
Figure 117 Encryption and Decryption

12.1.3.2 Data Confidentiality

The IPSec sender can encrypt packets before transmitting them across a network.

12.1.3.3 Data Integrity

The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

12.1.3.4 Data Origin Authentication

The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.

12.1.4 VPN Applications

The ZyXEL Device supports the following VPN applications.

Linking Two or More Private Networks Together

Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.

Accessing Network Resources When NAT Is Enabled

When NAT is enabled, remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for that specific protocol. Since the VPN tunnel terminates inside the LAN, remote users will be able to access all computers that use private IP addresses on the LAN.

-Unsupported IP Applications

A VPN tunnel may be created to add support for unsupported emerging IP applications. See the chapter on Getting to Know Your ZyXEL Device for an example of a VPN application.

12.2 IPSec Architecture

The overall IPSec architecture is shown as follows.

ZYXEL PRESTIGE 661H - IPSec Architecture - 1
Figure 118 IPSec Architecture

12.2.1 IPSec Algorithms

The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).

The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.

The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404, provide an authentication mechanism for the AH and ESP protocols. Please seeSection 13.2 on page 203for more information.

12.2.2 Key Management

Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN.

12.3 Encapsulation

The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.

ZYXEL PRESTIGE 661H - Encapsulation - 1
Figure 119 Transport and Tunnel Mode IPSec Encapsulation

12.3.1 Transport Mode

Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).

With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore, the originating IP address cannot be verified for integrity against the data.

With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process.

12.3.2 Tunnel Mode

Tunnel mode encapsulates the entire IP packet to transmit it securely. A Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation. Tunnel mode is required for gateway to gateway and host to gateway communications. Tunnel mode communications have two sets of IP headers:

Outside header: The outside IP header contains the destination IP address of the VPN gateway.
Inside header: The inside IP header contains the destination IP address of the final system behind the VPN gateway. The security protocol appears after the outer IP header and before the inside IP header.

12.4 IPSec and NAT

Read this section if you are running IPSec on a host computer behind the ZyXEL Device.

NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.

A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered.

IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.

Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device.

Transport mode ESP with authentication is not compatible with NAT.

Table 76 VPN and NAT

SECURITY PROTOCOL	MODE	NAT
AH	Transport	N
AH	Tunnel	N
ESP	Transport	N
ESP	Tunnel	Y

CHAPTER 13 VPN Screens

This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions.

13.1 VPN/IPSec Overview

Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.

13.2 IPSec Algorithms

The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.

13.2.1 AH (Authentication Header) Protocol

AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed.

In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator.

13.2.2 ESP (Encapsulating Security Payload) Protocol

The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. ESP authenticating properties are limited compared to the AH due to the non-inclusion of the IP header information during the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.

An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.

Table 77 AH and ESP

	ESP	AH
ENCRYPTION
	DES (default)Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.	MD5 (default)MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
	3DESTriple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.	SHA1SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
	AESAdvanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.
	Select NULL to set up a phase 2 tunnel without encryption.
AUTHENTICATION	MD5 (default)MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.	MD5 (default)MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
	SHA1SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.	SHA1SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
	Select MD5 for minimal security and SHA1 for maximum security.

13.3 My IP Address

My IP Address is the WAN IP address of the ZyXEL Device. The ZyXEL Device has to rebuild the VPN tunnel if the My IP Address changes after setup.

The following applies if this field is configured as 0.0.0.0 :

The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.
If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect.

13.4 Secure Gateway Address

Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway).

If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway's domain name (if it has one) in the Secure Gateway Address field.

You can also enter a remote secure gateway's domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway's WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway's new WAN IP address).

13.4.1 Dynamic Secure Gateway Address

If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway's address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network (see Section 13.18 on page 226 for configuration examples).

The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.

13.5 VPN Setup Screen

The following figure helps explain the main fields in the web configurator.

ZYXEL PRESTIGE 661H - VPN Setup Screen - 1
Figure 120 IPSec Summary Fields

Local and remote IP addresses must be static.

Click Security and VPN to open the VPN Setup screen. This is a read-only menu of your IPSec rules (tunnels). The IPSec summary menu is read-only. Edit a VPN by selecting an index number and then configuring its associated submenus.

ZYXEL PRESTIGE 661H - VPN Setup Screen - 2
Figure 121 VPN Setup

The following table describes the fields in this screen.

Table 78 VPN Setup

LABEL	DESCRIPTION
No.	This is the VPN policy index number. Click a number to edit VPN policies.
Active	This field displays whether the VPN policy is active or not. A Yes signifies that this VPN policy is active. No signifies that this VPN policy is not active.
Name	This field displays the identification name for this VPN policy.
Local Address	This is the IP address(es) of computer(s) on your local network behind your ZyXEL Device.The same (static) IP address is displayed twice when the Local Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Single.The beginning and ending (static) IP addresses, in a range of computers are displayed when the Local Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Range.A (static) IP address and a subnet mask are displayed when the Local Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Subnet.
Remote Address	This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router.This field displays N/A when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.The same (static) IP address is displayed twice when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Single.The beginning and ending (static) IP addresses, in a range of computers are displayed when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Range.A (static) IP address and a subnet mask are displayed when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Subnet.
Encap.	This field displays Tunnel or Transport mode (Tunnel is the default selection).
IPSec Algorithm	This field displays the security protocols used for an SA.Both AH and ESP increase ZyXEL Device processing requirements and communications latency (delay).
Secure Gateway IP	This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the VPN-IKE screen to 0.0.0.0.

Table 78 VPN Setup

LABEL	DESCRIPTION
Modify	Click the Edit icon to go to the screen where you can edit the VPN configuration. Click the Remove icon to remove an existing VPN configuration.
Back	Click Back to return to the previous screen.

13.6 Keep Alive

When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL Device automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see Section 13.12 on page 216 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an "always on" connection after you initiate it. Both IPSec routers must have a ZyXEL Device-compatible keep alive feature enabled in order for this feature to work.

If the ZyXEL Device has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the ZyXEL Device because the ZyXEL Device never drops the tunnels that are already connected.

When there is outbound traffic with no inbound traffic, the ZyXEL Device automatically drops the tunnel after two minutes.

13.7 VPN, NAT, and NAT Traversal

NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address. As a result, the VPN device at the receiving end finds a mismatch between the hash value and the data and assumes that the data has been maliciously altered.

NAT is not normally compatible with ESP in transport mode either, but the ZyXEL Device's NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers.

ZYXEL PRESTIGE 661H - VPN, NAT, and NAT Traversal - 1
Figure 122 NAT Router Between IPSec Routers

Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. In Figure 122 on page 208, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.

For NAT traversal to work, you must:

Use ESP security protocol (in either transport or tunnel mode).
Use IKE keying mode.
Enable NAT traversal on both IPSec endpoints.
Set the NAT router to forward UDP port 500 to IPSec router A.

Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table.

Table 79 VPN and NAT

SECURITY PROTOCOL	MODE	NAT
AH	Transport	N
AH	Tunnel	N
ESP	Transport	Y*
ESP	Tunnel	Y

Y* - This is supported in the ZyXEL Device if you enable NAT traversal.

13.8 Remote DNS Server

In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP since these DNS servers cannot resolve domain names to private IP addresses on the remote network

The following figure depicts an example where three VPN tunnels are created from ZyXEL Device A; one to branch office 2, one to branch office 3 and another to headquarters. In order to access computers that use private domain names on the headquarters (HQ) network, the ZyXEL Device at branch office 1 uses the Intranet DNS server in headquarters. The DNS server feature for VPN does not work with Windows 2000 or Windows XP.

ZYXEL PRESTIGE 661H - Remote DNS Server - 1
Figure 123 VPN Host using Intranet DNS Server Example

If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network.

13.9 ID Type and Content

With aggressive negotiation mode (seeSection 13.12.1 on page 217), the ZyXEL Device identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyXEL Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyXEL Device from IPSec routers with dynamic IP addresses (seeSection 13.18 on page 226 for a telecommuter configuration example).

Regardless of the ID type and content configuration, the ZyXEL Device does not allow you to save multiple active rules with overlapping local and remote IP addresses.

With main mode (seeSection 13.12.1 on page 217), the ID type and content are encrypted to provide identity protection. In this case the ZyXEL Device can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The ZyXEL Device can distinguish up to 12 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (seeSection 13.13 on page 218). The ID type and content act as an extra level of identification for incoming SAs.

The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.

Table 80 Local ID Type and Content Fields

LOCAL ID TYPE=	CONTENT=
IP	Type the IP address of your computer or leave the field blank to have the ZyXEL Device automatically use its own IP address.
DNS	Type a domain name (up to 31 characters) by which to identify this ZyXEL Device.
E-mail	Type an e-mail address (up to 31 characters) by which to identify this ZyXEL Device.
	The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.

Table 81 Peer ID Type and Content Fields

PEER ID TYPE=	CONTENT=
IP	Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyXEL Device automatically use the address in the Secure Gateway field.
DNS	Type a domain name (up to 31 characters) by which to identify the remote IPSec router.
E-mail	Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router.
	The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain name also does not have to match the remote router's IP address or what you configure in the Secure Gateway Addr field below.

13.9.1 ID Type and Content Examples

Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel.

The two ZyXEL Devices in this example can complete negotiation and establish a VPN tunnel.

Table 82 Matching ID Type and Content Configuration Example

ZYXEL DEVICE A	ZYXEL DEVICE B
Local ID type: E-mail	Local ID type: IP
Local ID content: tom@yourcompany.com	Local ID content: 1.1.1.2

Table 82 Matching ID Type and Content Configuration Example

ZYXEL DEVICE A	ZYXEL DEVICE B
Peer ID type: IP	Peer ID type: E-mail
Peer ID content: 1.1.1.2	Peer ID content: tom@yourcompany.com

The two ZyXEL Devices in this example cannot complete their negotiation because ZyXEL Device B's Local ID type is IP, but ZyXEL Device A's Peer ID type is set to E-mail. An "ID mismatched" message displays in the IPSEC LOG.

Table 83 Mismatching ID Type and Content Configuration Example

ZYXEL DEVICE A	ZYXEL DEVICE B
Local ID type: IP	Local ID type: IP
Local ID content: 1.1.1.10	Local ID content: 1.1.1.10
Peer ID type: E-mail	Peer ID type: IP
Peer ID content: aa@yahoo.com	Peer ID content: N/A

13.10 Pre-Shared Key

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (seeSection 13.12 on page 216for more on IKE phases). It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.

13.11 Editing VPN Policies

Click an Edit icon in the VPN Setup Screen to edit VPN policies.

ZYXEL PRESTIGE 661H - Editing VPN Policies - 1
Figure 124 Edit VPN Policies

The following table describes the fields in this screen.

Table 84 Edit VPN Policies

LABEL	DESCRIPTION
IPSec Setup
Active	Select this check box to activate this VPN policy. This option determines whether a VPN rule is applied before a packet leaves the firewall.
Keep Alive	Select either Yes or No from the drop-down list box. Select Yes to have the ZyXEL Device automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.

Table 84 Edit VPN Policies

LABEL	DESCRIPTION
NAT Traversal	This function is available if the VPN protocol is ESP. Select this check box if you want to set up a VPN tunnel when there are NAT routers between the ZyXEL Device and remote IPSec router. The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward UDP port 500 packets to the remote IPSec router behind the NAT router.
Name	Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces.
IPSec Key Mode	Select IKE or Manual from the drop-down list box. IKE provides more protection so it is generally recommended. Manual is a useful option for troubleshooting if you have problems using IKE key management.
Negotiation Mode	Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encapsulation Mode	Select Tunnel mode or Transport mode from the drop-down list box.
DNS Server (for IPSec VPN)	If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.
Local	Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
Local Address Type	Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start	When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyXEL Device.
End / Subnet Mask	When the Local Address Type field is configured to Single, this field is N/A. When the Local Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a subnet mask on the LAN behind your ZyXEL Device.

Table 84 Edit VPN Policies

LABEL	DESCRIPTION
Remote	Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.Two active SAs cannot have the local and remote IP address(es) both the same.Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Remote Address Type	Use the drop-down menu to choose Single, Range, or Subnet. Select Single with a single IP address. Select Range for a specific range of IP addresses SELECT Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start	When the Remote Address Type field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router.When the Remote Address Type field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.
End / Subnet Mask	When the Remote Address Type field is configured to Single, this field is N/A. When the Remote Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Address Information
Local ID Type	Select IP to identify this ZyXEL Device by its IP address.Select DNS to identify this ZyXEL Device by a domain name.Select E-mail to identify this ZyXEL Device by an e-mail address.
Content	When you select IP in the Local ID Type field, type the IP address of your computer in the local Content field. The ZyXEL Device automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the local Content field to 0.0.0.0 or leave it blank.It is recommended that you type an IP address other than 0.0.0.0 in the local Content field or use the DNS or E-mail ID type in the following situations.When there is a NAT router between the two IPSec routers.When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses.When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this ZyXEL Device in the local Content field.Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
My IP Address	Enter the WAN IP address of your ZyXEL Device. The VPN tunnel has to be rebuilt if this IP address changes.The following applies if this field is configured as 0.0.0.0:The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect.

Table 84 Edit VPN Policies

LABEL	DESCRIPTION
Peer ID Type	Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
Content	The configuration of the peer content depends on the peer ID type. For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyXEL Device will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description). For DNS or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations: When there is a NAT router between the two IPSec routers. When you want the ZyXEL Device to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses.
Secure Gateway Address	Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE). In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
Security Protocol
VPN Protocol	Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).
Pre-Shared Key	Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a "PYLD_MALFORMED" (payload malformed) packet if the same pre-shared key is not used on both ends.

Table 84 Edit VPN Policies

LABEL	DESCRIPTION
Encryption Algorithm	Select DES, 3DES, AES or NULL from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm	Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.
Advanced	Click Advanced to configure more detailed settings of your IKE key management.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

13.12 IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.

ZYXEL PRESTIGE 661H - IKE Phases - 1
Figure 125 Two Phases to Set Up the IPSec SA

In phase 1 you must:

Choose a negotiation mode.
Invalidate the connection by entering a pre-shared key.
Choose an encryption algorithm.
Choose an authentication algorithm.
Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.

In phase 2 you must:

Choose which protocol to use (ESP or AH) for the IKE key exchange.
Choose an encryption algorithm.
Choose an authentication algorithm
Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman publickey cryptography – seeSection 13.12.3 on page 218. Select None (the default) to disable PFS.
Choose Tunnel mode or Transport mode.
Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The ZyXEL Device automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The ZyXEL Device also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic.

13.12.1 Negotiation Mode

The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.

Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However the trade-off is that faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication.

13.12.2 Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.

13.12.3 Perfect Forward Secrecy (PFS)

Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-Hellman exchange is the trade-off for this extra security.

This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the ZyXEL Device. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).

13.13 Configuring Advanced IKE Settings

Click Advanced in the Edit VPN Policies screen to open this screen.

ZYXEL PRESTIGE 661H - Configuring Advanced IKE Settings - 1
Figure 126 Advanced VPN Policies

The following table describes the fields in this screen.

Table 85 Advanced VPN Policies

LABEL	DESCRIPTION
VPN - IKE
Protocol	Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
Enable Replay Detection	As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.
Local Start Port	0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
End	Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Local Start Port is left at 0, End will also remain at 0.
Remote Start Port	0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
End	Enter a port number in this field to define a port range. This port number must be greater then that specified in the previous field. If Remote Start Port is left at 0, End will also remain at 0.
Phase 1
Negotiation Mode	Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Pre-Shared Key	Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62-character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a "PYLD_MALFORMED" (payload malformed) packet if the same pre-shared key is not used on both ends.
Encryption Algorithm	Select DES, 3DES or AES from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Authentication Algorithm	Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.
SA Life Time (Seconds)	Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Key Group	You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number.
Phase 2
Active Protocol	Use the drop-down list box to choose from ESP or AH.
Encryption Algorithm	This field is available when you select ESP in the Active Protocol field. Select DES, 3DES, AES or NULL from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES, It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm	Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.
SA Life Time (Seconds)	Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Encapsulation	Select Tunnel mode or Transport mode from the drop-down list box.
Perfect Forward Secrecy (PFS)	Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Choose DH1 or DH2 from the drop-down list box to enable PFS. DH1 refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number (more secure, yet slower).
Apply	Click Apply to save your changes back to the ZyXEL Device and return to the VPN-IKE screen.
Cancel	Click Cancel to return to the VPN-IKE screen without saving your changes.

13.14 Manual Key Setup

Manual key management is useful if you have problems with IKE key management.

13.14.1 Security Parameter Index (SPI)

An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The SPI (Security Parameter Index) along with a destination IP address uniquely identify a particular Security Association (SA). The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption and key values that the administrator associated with the SPI to establish the tunnel.

Current ZyXEL implementation assumes identical outgoing and incoming SPIs.

13.15 Configuring Manual Key

You only configure VPN Manual Key when you select Manual in the IPSec Key Mode field on the VPN IKE screen. This is the VPN Manual Key screen as shown next.

ZYXEL PRESTIGE 661H - Configuring Manual Key - 1
Figure 127 VPN: Manual Key

The following table describes the fields in this screen.

Table 86 VPN: Manual Key

LABEL	DESCRIPTION
IPSec Setup
Active	Select this check box to activate this VPN policy.
Name	Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces.
IPSec Key Mode	Select IKE or Manual from the drop-down list box. Manual is a useful option for troubleshooting if you have problems using IKE key management.
SPI	Type a number (base 10) from 1 to 999999 for the Security Parameter Index.
Encapsulation Mode	Select Tunnel mode or Transport mode from the drop-down list box.
DNS Server (for IPSec VPN)	If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.
Local	Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Local Address Type	Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start	When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyXEL Device.
End / Subnet Mask	When the Local Address Type field is configured to Single, this field is N/A. When the Local Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a subnet mask on the LAN behind your ZyXEL Device.
Remote	Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Remote Address Type	Use the drop-down menu to choose Single, Range, or Subnet. Select Single with a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start	When the Remote Address Type field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.
End / Subnet Mask	When the Remote Address Type field is configured to Single, this field is N/A. When the Remote Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Address Information
My IP Address	Enter the WAN IP address of your ZyXEL Device. The VPN tunnel has to be rebuilt if this IP address changes.The following applies if this field is configured as 0.0.0.0:The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect.
Secure Gateway Address	Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection.
Security Protocol
IPSec Protocol	Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next).
Encryption Algorithm	Select DES, 3DES or NULL from the drop-down list box.When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput SELECT NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Encapsulation Key (only with ESP)	With DES, type a unique key 8 characters long. With 3DES, type a unique key 24 characters long. Any characters may be used, including spaces, but trailing spaces are truncated.
Authentication Algorithm	Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.
Authentication Key	Type a unique authentication key to be used by IPSec if applicable. Enter 16 characters for MD5 authentication or 20 characters for SHA1 authentication. Any characters may be used, including spaces, but trailing spaces are truncated.
Back	Click Back to return to the previous screen.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Reset	Click Reset to begin configuring this screen afresh.

13.16 Viewing SA Monitor

Click Security, VPN and Monitor to open the SA Monitor screen as shown. Use this screen to display and manage active VPN connections.

A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections. This screen is read-only. The following table describes the fields in this tab.

When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not timeout until the SA lifetime period expires. See Section 13.6 on page 207 on keep alive to have the ZyXEL Device renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.

ZYXEL PRESTIGE 661H - Viewing SA Monitor - 1
Figure 128 VPN: SA Monitor

The following table describes the fields in this screen.

Table 87 VPN: SA Monitor

LABEL	DESCRIPTION
No	This is the security association index number.
Name	This field displays the identification name for this VPN policy.
Encapsulation	This field displays Tunnel or Transport mode.
IPSec Algorithm	This field displays the security protocol, encryption algorithm, and authentication algorithm used in each VPN tunnel.
Disconnect	Select one of the security associations, and then click Disconnect to stop that security association.
Refresh	Click Refresh to display the current active VPN connection(s).

13.17 Configuring Global Setting

To change your ZyXEL Device's global settings, click VPN and then Global Setting. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring Global Setting - 1
Figure 129 VPN: Global Setting

The following table describes the fields in this screen.

Table 88 VPN: Global Setting

LABEL	DESCRIPTION
Windows Networking (NetBIOS over TCP/IP)	NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to find other computers. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
Allow NetBIOS Traffic Through All IPSec Tunnels	Select this check box to send NetBIOS packets through the VPN connection.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

13.18 Telecommuter VPN/IPSec Examples

The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyXEL Device at headquarters has a static public IP address.

See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyXEL Device at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers. The telecommuters must all use the same IPSec parameters but the local IP addresses (or ranges of addresses) should not overlap.

ZYXEL PRESTIGE 661H - Telecommuters Sharing One VPN Rule Example - 1
Figure 130 Telecommuters Sharing One VPN Rule Example

Table 89 Telecommuters Sharing One VPN Rule Example

FIELDS	TELECOMMUTERS	HEADQUARTERS
My IP Address:	0.0.0.0 (dynamic IP address assigned by the ISP)	Public static IP address
Secure Gateway IP Address:	Public static IP address	0.0.0.0 With this IP address only the telecommuter can initiate the IPSec tunnel.
Local IP Address:	Telecommuter A: 192.168.2.12 Telecommuter B: 192.168.3.2 Telecommuter C: 192.168.4.15	192.168.1.10
Remote IP Address:	192.168.1.10	0.0.0.0 (N/A)

13.18.2 Telecommuters Using Unique VPN Rules Example

In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).

With aggressive negotiation mode (seeSection 13.12.1 on page 217), the ZyXEL Device can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyXEL Device at headquarters. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyXEL Device at headquarters can overlap. The local IP addresses of the rules configured on the telecommuters' IPSec routers should not overlap.

See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyXEL Device located at headquarters. The ZyXEL Device at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection.

The ZyXEL Device at headquarters can also initiate VPN connections to the telecommuters since it can find the telecommuters by resolving their domain names.

ZYXEL PRESTIGE 661H - Telecommuters Using Unique VPN Rules Example - 1
Figure 131 Telecommuters Using Unique VPN Rules Example

Table 90 Telecommuters Using Unique VPN Rules Example

TELECOMMUTERS	HEADQUARTERS
All Telecommuter Rules:	All Headquarters Rules:
My IP Address 0.0.0.0	My IP Address: bigcompanyhq.com
Secure Gateway Address: bigcompanyhq.com	Local IP Address: 192.168.1.10
Remote IP Address: 192.168.1.10	Local ID Type: E-mail
Peer ID Type: E-mail	Local ID Content: bob@bigcompanyhq.com
Peer ID Content: bob@bigcompanyhq.com

Telecommuter A (telecommutera.dydns.org)	Headquarters ZyXEL Device Rule 1:
Local ID Type: IP	Peer ID Type: IP
Local ID Content: 192.168.2.12	Peer ID Content: 192.168.2.12
Local IP Address: 192.168.2.12	Secure Gateway Address: telecommuter1.com
	Remote Address 192.168.2.12

Telecommuter B (telecommuterb.dydns.org)	Headquarters ZyXEL Device Rule 2:
Local ID Type: DNS	Peer ID Type: DNS
Local ID Content: telecommuterb.com	Peer ID Content: telecommuterb.com
Local IP Address: 192.168.3.2	Secure Gateway Address: telecommuterb.com
	Remote Address 192.168.3.2

Telecommuter C (telecommuterc.dydns.org)	Headquarters ZyXEL Device Rule 3:
Local ID Type: E-mail	Peer ID Type: E-mail
Local ID Content: myVPN@myplace.com	Peer ID Content: myVPN@myplace.com
Local IP Address: 192.168.4.15	Secure Gateway Address: telecommuterc.com
	Remote Address 192.168.4.15

13.19 VPN and Remote Management

If a VPN tunnel uses Telnet, FTP, WWW, then you should configure remote management (Remote Management) to allow access for that service.

CHAPTER 14 Static Route

This chapter shows you how to configure static routes for your ZyXEL Device.

14.1 Static Route

Each remote node specifies only the network to which the gateway is directly connected, and the ZyXEL Device has no knowledge of the networks beyond. For instance, the ZyXEL Device knows about network N2 in the following figure through remote node Router 1. However, the ZyXEL Device is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes.

ZYXEL PRESTIGE 661H - Static Route - 1
Figure 132 Example of Static Routing Topology

14.2 Configuring Static Route

Click Advanced > Static Route to open the Static Route screen.

ZYXEL PRESTIGE 661H - Configuring Static Route - 1
Figure 133 Static Route

The following table describes the labels in this screen.

Table 91 Static Route

LABEL	DESCRIPTION
#	This is the number of an individual static route.
Active	This field shows whether this static route is active (Yes) or not (No).
Name	This is the name that describes or identifies this route.
Destination	This parameter specifies the IP network address of the final destination. Routing is always based on network number.
Gateway	This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Subnet Mask	This is the subnet mask of the static route.
Modify	Click the edit icon to go to the screen where you can set up a static route on the ZyXEL Device. Click the delete icon to remove a static route from the ZyXEL Device. A window displays asking you to confirm that you want to delete the route.

14.2.1 Static Route Edit

Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route.

ZYXEL PRESTIGE 661H - Static Route Edit - 1
Figure 134 Static Route Edit

The following table describes the labels in this screen.

Table 92 Static Route Edit

LABEL	DESCRIPTION
Active	This field allows you to activate/deactivate this static route.
Route Name	Enter the name of the IP static route. Leave this field blank to delete this static route.
Destination IP Address	This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
IP Subnet Mask	Enter the IP subnet mask here.
Gateway IP Address	Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Back	Click Back to return to the previous screen without saving.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

CHAPTER 15 Bandwidth Management

This chapter contains information about configuring bandwidth management, editing rules and viewing the ZyXEL Device's bandwidth management logs.

15.1 Bandwidth Management Overview

ZyXEL's Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth rules.

The ZyXEL Device applies bandwidth management to traffic that it forwards out through an interface. The ZyXEL Device does not control the bandwidth of traffic that comes into an interface.

Bandwidth management applies to all traffic flowing out of the router, regardless of the traffic's source.

Traffic redirect or IP alias may cause LAN-to-LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management.

The sum of the bandwidth allotments that apply to any interface must be less than or equal to the speed allocated to that interface in the Bandwidth Management Summary screen.

15.2 Application-based Bandwidth Management

You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).

15.3 Subnet-based Bandwidth Management

You can create bandwidth classes based on subnets.

The following figure shows LAN subnets. You could configure one bandwidth class for subnet A and another for subnet B.

ZYXEL PRESTIGE 661H - Subnet-based Bandwidth Management - 1
Figure 135 Subnet-based Bandwidth Management Example

15.4 Application and Subnet-based Bandwidth Management

You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.

Table 93 Application and Subnet-based Bandwidth Management Example

TRAFFIC TYPE	FROM SUBNET A	FROM SUBNET B
VoIP	64 Kbps	64 Kbps
Web	64 Kbps	64 Kbps
FTP	64 Kbps	64 Kbps
E-mail	64 Kbps	64 Kbps
Video	64 Kbps	64 Kbps

15.5 Scheduler

The scheduler divides up an interface's bandwidth among the bandwidth classes. The ZyXEL Device has two types of scheduler: fairness-based and priority-based.

15.5.1 Priority-based Scheduler

With the priority-based scheduler, the ZyXEL Device forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class's priority number is, the higher the priority. Assign real-time applications (like those using audio or video) a higher priority number to provide smoother operation.

15.5.2 Fairness-based Scheduler

The ZyXEL Device divides bandwidth equally among bandwidth classes when using the fairness-based scheduler; thus preventing one bandwidth class from using all of the interface's bandwidth.

15.6 Maximize Bandwidth Usage

The maximize bandwidth usage option (see Figure 136 on page 240) allows the ZyXEL Device to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a class is not using) among the bandwidth classes that require more bandwidth.

When you enable maximize bandwidth usage, the ZyXEL Device first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyXEL Device divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels. When only one class requires more bandwidth, the ZyXEL Device gives extra bandwidth to that class.

When multiple classes require more bandwidth, the ZyXEL Device gives the highest priority classes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority classes if there is still bandwidth available. The ZyXEL Device distributes the available bandwidth equally among classes with the same priority level.

15.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic

Do the following three steps to configure the ZyXEL Device to allow bandwidth for traffic that is not defined in a bandwidth filter.

1 Leave some of the interface's bandwidth unbudgeted.
2 Do not enable the interface's Maximize Bandwidth Usage option.
3 Do not enable bandwidth borrowing on the child-classes that have the root class as their parent (see Section 15.8 on page 241).

15.6.2 Maximize Bandwidth Usage Example

Here is an example of a ZyXEL Device that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class's bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps. The unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when you do not select the maximize bandwidth option.

Table 94 Maximize Bandwidth Usage Example

BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps	Administration: 2048 kbps
	Sales: 2048 kbps
	Marketing: 2048 kbps
	Research: 2048 kbps

The ZyXEL Device divides up the unbudgeted 2048 kbps among the classes that require more bandwidth. If the administration department only uses 1024 kbps of the budgeted 2048 kbps, the ZyXEL Device also divides the remaining 1024 kbps among the classes that require more bandwidth. Therefore, the ZyXEL Device divides a total of 3072 kbps of unbudgeted and unused bandwidth among the classes that require more bandwidth.

15.6.2.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth

The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets.

Table 95 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example

BANDWIDTH CLASSES, PRIORITIES AND ALLOTMENTS
Root Class: 10240 kbps	Administration: Priority 4, 1024 kbps
	Sales: Priority 6, 3584 kbps
	Marketing: Priority 6, 3584 kbps
	Research: Priority 5, 2048 kbps

Suppose that all of the classes except for the administration class need more bandwidth.

Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps.
The sales and marketing are first to get extra bandwidth because they have the highest priority (6). If they each require 1536 kbps or more of extra bandwidth, the ZyXEL Device divides the total 3072 kbps total of unbudgeted and unused bandwidth equally between the sales and marketing departments (1536 kbps extra to each for a total of 3584 kbps for each) because they both have the highest priority level.
Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes.

15.6.2.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth

The following table shows the amount of bandwidth that each class gets.

Table 96 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example

BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps	Administration: 1024 kbps
	Sales: 3072 kbps
	Marketing: 3072 kbps
	Research: 3072 kbps

Suppose that all of the classes except for the administration class need more bandwidth.

Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps.
The ZyXEL Device divides the total 3072 kbps total of unbudgeted and unused bandwidth equally among the other classes. 1024 kbps extra goes to each so the other classes each get a total of 3072 kbps.

15.6.3 Over Allotment of Bandwidth

You can set the bandwidth management speed for an interface higher than the interface's actual transmission speed. Higher priority traffic gets to use up to its allocated bandwidth, even if it takes up all of the interface's available bandwidth. This could stop lower priority traffic from being sent. The following is an example.

Table 97 Over Allotment of Bandwidth Example

BANDWIDTH CLASSES, ALLOTMENTS		PRIORITY
Actual outgoing bandwidth available on the interface: 1000 kbps
Root Class: 1500 kbps (same as Speed setting)	VoIP traffic (Service = SIP): 500 Kbps	High
	NetMeeting traffic (Service = H.323): 500 kbps	High
	FTP (Service = FTP): 500 Kbps	Medium

If you use VoIP and NetMeeting at the same time, the device allocates up to 500 Kbps of bandwidth to each of them before it allocates any bandwidth to FTP. As a result, FTP can only use bandwidth when VoIP and NetMeeting do not use all of their allocated bandwidth.

Suppose you try to browse the web too. In this case, VoIP, NetMeeting and FTP all have higher priority, so they get to use the bandwidth first. You can only browse the web when VoIP, NetMeeting, and FTP do not use all 1000 Kbps of available bandwidth.

15.6.4 Bandwidth Management Priorities

The following table describes the priorities that you can apply to traffic that the ZyXEL Device forwards out through an interface.

Table 98 Bandwidth Management Priorities

PRIORITY LEVELS: TRAFFIC WITH A HIGHER PRIORITY GETS THROUGH FASTER WHILE TRAFFIC WITH A LOWER PRIORITY IS DROPPED IF THE NETWORK IS CONGESTED.
High	Typically used for voice traffic or video that is especially sensitive to jitter (jitter is the variations in delay).
Mid	Typically used for “excellent effort” or better than best effort and would include important business traffic that can tolerate some delay.
Low	This is typically used for non-critical “background” traffic such as bulk transfers that are allowed but that should not affect other applications and users.

15.7 Configuring Summary

Click Advanced > Bandwidth MGMT to open the screen as shown next.

Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface.

ZYXEL PRESTIGE 661H - Configuring Summary - 1
Figure 136 Bandwidth Management: Summary

The following table describes the labels in this screen.

Table 99 Media Bandwidth Management: Summary

LABEL	DESCRIPTION
Interface	These read-only labels represent the physical interfaces. Select an interface's check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic's source. Traffic redirect or IP alias may cause LAN-to-LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management.
Active	Select an interface's check box to enable bandwidth management on that interface.
Speed (kbps)	Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface's root class. The recommendation is to set this speed to match the interface's actual transmission speed. For example, set the WAN interface speed to 1000 kbps if your Internet connection has an upstream transmission speed of 1 Mbps.If this number is higher than the interface's actual transmission speed, and you configure bandwidth rules for all of the bandwidth, higher priority traffic could use all of the bandwidth so lower priority traffic does not get through.Note: Unless you enable Max Bandwidth Usage, the ZyXEL Device only uses up to the amount of bandwidth that you configure here. The ZyXEL Device does not use any more bandwidth for the interface's connections, even if the interface has more outgoing bandwidth.
Scheduler	Select either Priority-Based or Fairness-Based from the drop-down menu to control the traffic flow. Select Priority-Based to give preference to bandwidth classes with higher priorities. Select Fairness-Based to treat all bandwidth classes equally.
Max Bandwidth Usage	Select this check box to have the ZyXEL Device divide up all of the interface's unallocated and/or unused bandwidth among the bandwidth classes that require bandwidth. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class or you want to limit the speed of this interface (see the Speed field description).
Apply	Click Apply to save your settings back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

15.8 Bandwidth Management Rule Setup

You must use the Bandwidth Management Summary screen to enable bandwidth management on an interface before you can configure rules for that interface.

Click Advanced > Bandwidth MGMT > Rule Setup to open the following screen.

ZYXEL PRESTIGE 661H - Bandwidth Management Rule Setup - 1
Figure 137 Bandwidth Management: Rule Setup

The following table describes the labels in this screen.

Table 100 Bandwidth Management: Rule Setup

LABEL	DESCRIPTION
Direction	Select the direction of traffic to which you want to apply bandwidth management.
Service	Select a service for your rule or you can select User define to go to the screen where you can define your own.
Priority	Select a priority from the drop down list box. Choose High, Mid or Low.
Bandwidth	Specify the maximum bandwidth allowed for the rule in kbps. The recommendation is a setting between 20 kbps and 20000 kbps for an individual rule.
Add	Click this button to add a rule to the following table.
#	This is the number of an individual bandwidth management rule.
Active	This displays whether the rule is enabled. Select this check box to have the ZyXEL Device apply this bandwidth management rule. Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does not match the rule. Enabling a bandwidth management rule also allows you to control the maximum amounts of bandwidth that can be used by traffic that matches the rule.
Rule Name	This is the name of the rule.
Destination Port	This is the port number of the destination. 0 means any destination port.
Priority	This is the priority of this rule.
Bandwidth (kbps)	This is the maximum bandwidth allowed for the rule in kbps.
Modify	Click the Edit icon to go to the screen where you can edit the rule. Click the Remove icon to delete an existing rule.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

15.8.1 Rule Configuration

Click the Edit icon or select User define in the Service field to configure a bandwidth management rule. Use bandwidth rules to allocate specific amounts of bandwidth capacity (bandwidth budgets) to specific applications and/or subnets.

ZYXEL PRESTIGE 661H - Rule Configuration - 1
Figure 138 Bandwidth Management Rule Configuration

The following table describes the labels in this screen.

Table 101 Bandwidth Management Rule Configuration

LABEL	DESCRIPTION
Rule Configuration
Active	Select this check box to have the ZyXEL Device apply this bandwidth management rule. Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does not match the rule. Enabling a bandwidth management rule also allows you to control the maximum amounts of bandwidth that can be used by traffic that matches the rule.
Rule Name	Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
BW Budget	Specify the maximum bandwidth allowed for the rule in kbps. The recommendation is a setting between 20 kbps and 20000 kbps for an individual rule.
Priority	Select a priority from the drop down list box. Choose High, Mid or Low.
Use All Managed Bandwidth	Select this option to allow a rule to borrow unused bandwidth on the interface. Bandwidth borrowing is governed by the priority of the rules. That is, a rule with the highest priority is the first to borrow bandwidth. Do not select this if you want to leave bandwidth available for other traffic types or if you want to restrict the amount of bandwidth that can be used for the traffic that matches this rule.
Filter Configuration
Service	This field simplifies bandwidth class configuration by allowing you to select a predefined application. When you select a predefined application, you do not configure the rest of the bandwidth filter fields (other than enabling or disabling the filter). SIP (Session Initiation Protocol) is a signaling protocol used in Internet telephony, instant messaging and other VoIP (Voice over IP) applications. Select SIP from the drop-down list box to configure this bandwidth filter for traffic that uses SIP. File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. Select FTP from the drop-down list box to configure this bandwidth filter for FTP traffic. H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. Select H.323 from the drop-down list box to configure this bandwidth filter for traffic that uses H.323. Select User defined from the drop-down list box if you do not want to use a predefined application for the bandwidth class. When you select User defined, you need to configure at least one of the following fields (other than the Subnet Mask fields which you only enter if you also enter a corresponding destination or source IP address).
Destination Address	Enter the destination IP address in dotted decimal notation.
Destination Subnet Netmask	Enter the destination subnet mask. This field is N/A if you do not specify a Destination Address. Refer to the appendices for more information on IP subnetting.
Destination Port	Enter the port number of the destination. See Table 102 on page 245 for some common services and port numbers. A blank destination IP address means any destination IP address.
Source Address	Enter the source IP address in dotted decimal notation. A blank source IP address means any source IP address.
Source Subnet Netmask	Enter the destination subnet mask. This field is N/A if you do not specify a Source Address. Refer to the appendices for more information on IP subnetting. A blank source port means any source port number.
Source Port	Enter the port number of the source. See Table 102 on page 245 for some common services and port numbers.
Protocol	Select the protocol (TCP or UDP) or select User defined and enter the protocol (service type) number. ID 0 means any protocol number.
Back	Click Back to go to the previous screen.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

Table 102 Services and Port Numbers

SERVICES	PORT NUMBER
ECHO	7
FTP (File Transfer Protocol)	21
SMTP (Simple Mail Transfer Protocol)	25
DNS (Domain Name System)	53
Finger	79
HTTP (Hyper Text Transfer protocol or WWW, Web)	80
POP3 (Post Office Protocol)	110
NNTP (Network News Transport Protocol)	119
SNMP (Simple Network Management Protocol)	161
SNMP trap	162
PPTP (Point-to-Point Tunneling Protocol)	1723

15.9 Bandwidth Monitor

To view the ZyXEL Device's bandwidth usage and allotments, click Advanced > Bandwidth MGMT > Monitor. The screen appears as shown. Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth rules.

ZYXEL PRESTIGE 661H - Bandwidth Monitor - 1
Figure 139 Bandwidth Management: Monitor

CHAPTER 16 Dynamic DNS Setup

This chapter discusses how to configure your ZyXEL Device to use Dynamic DNS.

16.1 Dynamic DNS Overview

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.

First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.

16.1.1 DYNDNS Wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.

If you have a private WAN IP address, then you cannot use Dynamic DNS.

See Section 16.2 on page 247 for configuration instruction.

16.2 Configuring Dynamic DNS

To change your ZyXEL Device's DDNS, click Advanced > Dynamic DNS. The screen appears as shown.

See Section 16.1 on page 247 for more information.

ZYXEL PRESTIGE 661H - Configuring Dynamic DNS - 1
Figure 140 Dynamic DNS

The following table describes the fields in this screen.

Table 103 Dynamic DNS

LABEL	DESCRIPTION
Dynamic DNS Setup
Active Dynamic DNS	Select this check box to use dynamic DNS.
Service Provider	This is the name of your Dynamic DNS service provider.
Dynamic DNS Type	Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Name	Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider. You can specify up to two host names in the field separated by a comma ("",").
User Name	Type your user name.
Password	Type the password assigned to you.
Enable Wildcard Option	Select the check box to enable DynDNS Wildcard.
Enable off line option	This option is available when Custom DNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
IP Address Update Policy
Use WAN IP Address	Select this option to update the IP address of the host name(s) to the WAN IP address.
Dynamic DNS server auto detect IP Address	Select this option only when there are one or more NAT routers between the ZyXEL Device and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server.
Use specified IP Address	Type the IP address of the host name(s). Use this if you have a static IP address.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

CHAPTER 17 Remote Management Configuration

This chapter provides information on configuring remote management.

17.1 Remote Management Overview

Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers.

Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.

You may manage your ZyXEL Device from a remote location via:

Internet (WAN only)
ALL (LAN and WAN)
LAN only,
Neither (Disable).

Note: When you choose WAN only or LAN & WAN, you still need to configure a firewall rule to allow access.

To disable remote management of a service, select Disable in the corresponding Access Status field.

You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.

1 Telnet
2 HTTP

17.1.1 Remote Management Limitations

Remote management over LAN or WAN will not work when:

You have disabled that service in one of the remote management screens.
The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately.
There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
There is a firewall rule that blocks it.

17.1.2 Remote Management and NAT

When NAT is enabled:

Use the ZyXEL Device's WAN IP address when configuring from the WAN.
Use the ZyXEL Device's LAN IP address when configuring from the LAN.

17.1.3 System Timeout

There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.

17.2 WWW

To change your ZyXEL Device's World Wide Web settings, click Advanced > Remote MGMT to display the WWW screen.

ZYXEL PRESTIGE 661H - WWW - 1
Figure 141 Remote Management: WWW

The following table describes the labels in this screen.

Table 104 Remote Management: WWW

LABEL	DESCRIPTION
Port	You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status	Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP	A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply	Click Apply to save your settings back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

17.3 Telnet

You can configure your ZyXEL Device for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the ZyXEL Device.

ZYXEL PRESTIGE 661H - Telnet - 1
Figure 142 Telnet Configuration on a TCP/IP Network

17.4 Configuring Telnet

Click Advanced > Remote MGMT > Telnet tab to display the screen as shown.

ZYXEL PRESTIGE 661H - Configuring Telnet - 1
Figure 143 Remote Management: Telnet

The following table describes the labels in this screen.

Table 105 Remote Management: Telnet

LABEL	DESCRIPTION
Port	You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status	Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP	A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply	Click Apply to save your customized settings and exit this screen.
Cancel	Click Cancel to begin configuring this screen afresh.

17.5 Configuring FTP

You can upload and download the ZyXEL Device's firmware and configuration files using FTP, please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.

To change your ZyXEL Device's FTP settings, click Advanced > Remote MGMT > FTP tab. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring FTP - 1
Figure 144 Remote Management: FTP

The following table describes the labels in this screen.

Table 106 Remote Management: FTP

LABEL	DESCRIPTION
Port	You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status	Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP	A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply	Click Apply to save your customized settings and exit this screen.
Cancel	Click Cancel to begin configuring this screen afresh.

17.6 SNMP

Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyXEL Device supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyXEL Device through the network. The ZyXEL Device supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation.

Note: SNMP is only available if TCP/IP is configured.

ZYXEL PRESTIGE 661H - SNMP - 1
Figure 145 SNMP Management Model

An SNMP managed network consists of two main types of component: agents and a manager.

An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

Get - Allows the manager to retrieve an object variable from the agent.
GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
Set - Allows the manager to set values for object variables within an agent.
Trap - Used by the agent to inform the manager of some events.

17.6.1 Supported MIBs

The ZyXEL Device supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.

17.6.2 SNMP Traps

The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs:

Table 107 SNMPv1 Traps

TRAP #	TRAP NAME	DESCRIPTION
0	coldStart (defined in RFC-1215)	A trap is sent after booting (power on).
1	warmStart (defined in RFC-1215)	A trap is sent after booting (software reboot).
6	whyReboot (defined in ZYXEL-MIB)	A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
6a	For intentional reboot:	A trap is sent with the message "System reboot by user!" if reboot is done intentionally, (for example, download new files, Cl command "sys reboot", etc.).
6b	For fatal error:	A trap is sent with the message of the fatal code if the system reboots because of fatal errors.

Table 108 SNMPv2 Traps

OBJECT LABEL	OBJECT ID	DESCRIPTION
SNMPv2 Traps
Cold Start	1.3.6.1.6.3.1.1.5.1	This trap is sent when the switch is turned on.
WarmStart	1.3.6.1.6.3.1.1.5.2	This trap is sent when the switch restarts.
linkDown	1.3.6.1.6.3.1.1.5.3	This trap is sent when the Ethernet link is down.
linkUp	1.3.6.1.6.3.1.1.5.4	This trap is sent when the Ethernet link is up.
RFC 1493 Traps
newRoot	1.3.6.1.2.1.17.0.1	This trap is sent when the STP topology changes.
topology change	1.3.6.1.2.1.17.0.2	This trap is sent when the STP root switch changes.

17.6.3 Configuring SNMP

To change your ZyXEL Device's SNMP settings, click Advanced > Remote MGMT > SNMP. The screen appears as shown.

ZYXEL PRESTIGE 661H - Configuring SNMP - 1
Figure 146 Remote Management: SNMP

The following table describes the labels in this screen.

Table 109 Remote Management: SNMP

LABEL	DESCRIPTION
SNMP
Port	You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status	Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP	A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
SNMP Configuration
Get Community	Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community	Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.
Trap
Community	Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Destination	Type the IP address of the station to send your SNMP traps to.
Apply	Click Apply to save your customized settings and exit this screen.
Cancel	Click Cancel to begin configuring this screen afresh.

17.7 Configuring DNS

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to the chapter on LAN for background information.

To change your ZyXEL Device's DNS settings, click Advanced > Remote MGMT > DNS. The screen appears as shown. Use this screen to set from which IP address the ZyXEL Device will accept DNS queries and on which interface it can send them your ZyXEL Device's DNS settings.

ZYXEL PRESTIGE 661H - Configuring DNS - 1
Figure 147 Remote Management: DNS

The following table describes the labels in this screen.

Table 110 Remote Management: DNS

LABEL	DESCRIPTION
Port	You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status	Select the interface(s) through which a computer may send DNS queries to the ZyXEL Device.
Secured Client IP	A secured client is a “trusted” computer that is allowed to send DNS queries to the ZyXEL Device. Select All to allow any computer to send DNS queries to the ZyXEL Device. Choose Selected to just allow the computer with the IP address that you specify to send DNS queries to the ZyXEL Device.
Apply	Click Apply to save your customized settings and exit this screen.
Cancel	Click Cancel to begin configuring this screen afresh.

17.8 Configuring ICMP

To change your ZyXEL Device's security settings, click Advanced > Remote MGMT > ICMP. The screen appears as shown.

If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. Your ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed.

ZYXEL PRESTIGE 661H - Configuring ICMP - 1
Figure 148 Remote Management:ICMP

The following table describes the labels in this screen.

Table 111 Remote Management: ICMP

LABEL	DESCRIPTION
ICMP	Internet Control Message Protocol is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user.
Respond to Ping on	The ZyXEL Device will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise, select LAN & WAN to reply to both incoming LAN and WAN Ping requests.
Do not respond to requests for unauthorized services	Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device unseen. By default this option is not selected and the ZyXEL Device will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports.Note that the probing packets must first traverse the ZyXEL Device's firewall mechanism before reaching this anti-probing mechanism. Therefore if the firewall mechanism blocks a probing packet, the ZyXEL Device reacts based on the firewall policy, which by default, is to send a TCP reset packet for a blocked TCP packet. You can use the command "sys firewall tcprst rst [on\|off]"to change this policy. When the firewall mechanism blocks a UDP packet, it drops the packet without sending a response packet.
Apply	Click Apply to save your customized settings and exit this screen.
Cancel	Click Cancel to begin configuring this screen afresh.

17.9 TR-069 (P-661H Only)

TR-069 is a protocol that defines how your ZyXEL Device can be managed via a management server such as ZyXEL's Vantage CNM Access.

An administrator can use CNM Access to remotely set up the ZyXEL Device, modify settings, perform firmware upgrades as well as monitor and diagnose the ZyXEL Device. All you have to do is enable the device to be managed by CNM Access and specify the CNM Access IP address or domain name and username and password.

Follow the procedure below to configure your ZyXEL Device to be managed by CNM Access. See the Command Interpreter appendix for information on the command structure and how to access the CLI (Command Line Interface) on the ZyXEL Device.

Note: In this example a.b.c.d is the IP address of CNM Access. You must change this value to reflect your actual management server IP address or domain name. See Table 112 on page 261 for detailed descriptions of the commands.

Figure 149 Enabling TR-069

ras> wan tr069 load  
ras> wan tr069 acsUrl a.b.c.d  
Auto-Configuration Server URL: http://a.b.c.d  
ras> wan tr069 periodicEnable 1  
ras> wan tr069 informInterval 2400  
TR069 Informinterval 2400  
ras> wan tr069 active 1  
ras> wan tr069 save

The following table gives a description of TR-069 commands.

Table 112 TR-069 Commands

Root	Command or Subdirectory	Command	Description
wan	tr069		All TR-069 related commands must be preceded by wan tr069.
		load	Start configuring TR-069 on your ZyXEL Device.
		active [0:no/1:yes]	Enable/disable TR-069 operation.
		acsUrl <URL>	Set the IP address or domain name of CNM Access.
		username[maxlength:15]	Username used to authenticate the device when making a connection to CNM Access. This username is set up on the server and must be provided by the CNM Access administrator.
		password[maxlength:15]	Password used to authenticate the device when making a connection to CNM Access. This password is set up on the server and must be provided by the CNM Access administrator.

Table 112 TR-069 Commands

Root	Command or Subdirectory	Command	Description
		periodicEnable [0:Disable/1:Enable]	Whether or not the device must periodically send information to CNM Access. It is recommended to set this value to 1 in order for the ZyXEL Device to send information to CNM Access.
		informInterval [sec]	The duration in seconds of the interval for which the device MUST attempt to connect with CNM Access to send information and check for configuration updates. Enter a value between 30 and 2147483647 seconds.
		save	Save the TR-069 settings to your ZyXEL Device.

CHAPTER 18 Universal Plug-and-Play (UPnP)

This chapter introduces the UPnP feature in the web configurator.

18.1 Introducing Universal Plug and Play

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.

See Section 18.2.1 on page 264 for configuration instructions.

18.1.1 How do I know if I'm using UPnP?

UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.

18.1.2 NAT Traversal

UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:

Dynamic port mapping
- Learning public IP addresses
- Assigning lease times to mappings

Windows Messenger is an example of an application that supports NAT traversal and UPnP.

See the NAT chapter for more information on NAT.

18.1.3 Cautions with UPnP

The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.

18.2 UPnP and ZyXEL

ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being tested.

UPnP broadcasts are only allowed on the LAN.

See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows.

18.2.1 Configuring UPnP

Click Advanced > UPnP to display the screen shown next.

See Section 18.1 on page 263 for more information.

ZYXEL PRESTIGE 661H - Configuring UPnP - 1
Figure 150 Configuring UPnP

The following table describes the fields in this screen.

Table 113 Configuring UPnP

LABEL	DESCRIPTION
Active the Universal Plug and Play (UPnP) Feature	Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address (although you must still enter the password to access the web configurator).
Allow users to make configuration changes through UPnP	Select this check box to allow UPnP-enabled applications to automatically configure the ZyXEL Device so that they can communicate through the ZyXEL Device, for example by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application.
Apply	Click Apply to save the setting to the ZyXEL Device.
Cancel	Click Cancel to return to the previously saved settings.

18.3 Installing UPnP in Windows Example

This section shows how to install UPnP in Windows Me and Windows XP.

Installing UPnP in Windows Me

Follow the steps below to install the UPnP in Windows Me.

1 Click Start and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.

ZYXEL PRESTIGE 661H - Installing UPnP in Windows Me - 1
Figure 151 Add/Remove Programs: Windows Setup: Communication

3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.

ZYXEL PRESTIGE 661H - Installing UPnP in Windows Me - 2
Figure 152 Add/Remove Programs: Windows Setup: Communication: Components

4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.

Installing UPnP in Windows XP

Follow the steps below to install the UPnP in Windows XP.

1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ...

ZYXEL PRESTIGE 661H - Installing UPnP in Windows XP - 1
Figure 153 Network Connections

4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.

ZYXEL PRESTIGE 661H - Installing UPnP in Windows XP - 2
Figure 154 Windows Optional Networking Components Wizard

5 In the Networking Services window, select the Universal Plug and Play check box.

Figure 155 Networking Services
ZYXEL PRESTIGE 661H - Installing UPnP in Windows XP - 3
6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.

18.4 Using UPnP in Windows XP Example

This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device.

Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your computer and the ZyXEL Device.

Auto-discover Your UPnP-enabled Network Device

1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.

ZYXEL PRESTIGE 661H - Auto-discover Your UPnP-enabled Network Device - 1
Figure 156 Network Connections

3 In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created.

ZYXEL PRESTIGE 661H - Auto-discover Your UPnP-enabled Network Device - 2
Figure 157 Internet Connection Properties

4 You may edit or delete the port mappings or click Add to manually add port mappings.

ZYXEL PRESTIGE 661H - Auto-discover Your UPnP-enabled Network Device - 3
Figure 158 Internet Connection Properties: Advanced Settings

ZYXEL PRESTIGE 661H - Auto-discover Your UPnP-enabled Network Device - 4
Figure 159 Internet Connection Properties: Advanced Settings: Add

5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
6 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.

ZYXEL PRESTIGE 661H - Auto-discover Your UPnP-enabled Network Device - 5
Figure 160 System Tray Icon

7 Double-click on the icon to display your current Internet connection status.

ZYXEL PRESTIGE 661H - Auto-discover Your UPnP-enabled Network Device - 6
Figure 161 Internet Connection Status

Web Configurator Easy Access

With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first. This comes helpful if you do not know the IP address of the ZyXEL Device.

Follow the steps below to access the web configurator.

1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.

ZYXEL PRESTIGE 661H - Web Configurator Easy Access - 1
Figure 162 Network Connections

4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.

ZYXEL PRESTIGE 661H - Web Configurator Easy Access - 2
Figure 163 Network Connections: My Network Places

6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device.

ZYXEL PRESTIGE 661H - Web Configurator Easy Access - 3
Figure 164 Network Connections: My Network Places: Properties: Example

CHAPTER 19 System

Use this screen to configure the ZyXEL Device's time and date settings.

19.1 General Setup

19.1.1 General Setup and System Name

General Setup contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".

In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.
In Windows XP, click start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyXEL Device System Name.

19.1.2 General Setup

The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name), the domain name can be assigned from the ZyXEL Device via DHCP.

Click Maintenance > System to open the General screen.

ZYXEL PRESTIGE 661H - General Setup - 1
Figure 165 System General Setup

The following table describes the labels in this screen.

Table 114 System General Setup

LABEL	DESCRIPTION
General Setup
System Name	Choose a descriptive name for identification purposes. It is recommended you enter your computer's "Computer name" in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores “_” are accepted.
Domain Name	Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP assigned domain name.
Administrator Inactivity Timer	Type how many minutes a management session (either via the web configurator or CLI (Command Line Interpreter)) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
Password
User Password	If you log in with the user password, you can only view the ZyXEL Device status. The default user password is user.
New Password	Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type. After you change the password, use the new password to access the ZyXEL Device.
Retype to Confirm	Type the new password again for confirmation.

Table 114 System General Setup

LABEL	DESCRIPTION
Admin Password	In addition to the wizard setup, a user logs in with the admin password can also view and configure the advanced features on the ZyXEL Device.
Old Password	Type the default administrator password (1234) or the existing password you use to access the system for configuring advanced features in this field.
New Password	Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type. After you change the password, use the new password to access the ZyXEL Device.
Retype to Confirm	Type the new password again for confirmation.
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

19.2 Time Setting

To change your ZyXEL Device's time and date, click Maintenance > System > Time Setting. The screen appears as shown. Use this screen to configure the ZyXEL Device's time based on your local time zone.

ZYXEL PRESTIGE 661H - Time Setting - 1
Figure 166 System Time Setting

The following table describes the fields in this screen.

Table 115 System Time Setting

LABEL	DESCRIPTION
Current Time and Date
Current Time	This field displays the time of your ZyXEL Device.Each time you reload this page, the ZyXEL Device synchronizes the time with the time server.
Current Date	This field displays the date of your ZyXEL Device.Each time you reload this page, the ZyXEL Device synchronizes the date with the time server.
Time and Date Setup
Manual	Select this radio button to enter the time and date manually. If you configure a new time and date, Time Zone and Daylight Saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.
New Time (hh:mm:ss)	This field displays the last updated time from the time server or the last time configured manually.When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
New Date (yyyy/mm/dd)	This field displays the last updated date from the time server or the last date configured manually.When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
Get from Time Server	Select this radio button to have the ZyXEL Device get the time and date from the time server you specified below.
Time Protocol	Select the time service protocol that your time server sends when you turn on the ZyXEL Device. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.The main difference between them is the format.Daytime (RFC 867) format is day/month/year/time zone of the server.Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0.The default, NTP (RFC 1305), is similar to Time (RFC 868).
Time Server Address	Enter the IP address or URL (up to 20 extended ASCII characters in length) of your time server. Check with your ISP/network administrator if you are unsure of this information.
Time Zone Setup
Time Zone	Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Enable Daylight Saving	Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.Select this option if you use Daylight Saving Time.
Start Date	Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples:Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, April and type 2 in the o'clock field.Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
End Date	Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples:Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Last, Sunday, October and type 2 in the o'clock field.Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
Apply	Click Apply to save your changes back to the ZyXEL Device.
Cancel	Click Cancel to begin configuring this screen afresh.

CHAPTER 20 Logs

This chapter contains information about configuring general log settings and viewing the ZyXEL Device's logs. Refer to the appendix for example log message explanations.

20.1 Logs Overview

The web configurator allows you to choose which categories of events and/or alerts to have the ZyXEL Device log and then display the logs or have the ZyXEL Device send them to an administrator (as e-mail) or to a syslog server.

20.1.1 Alerts and Logs

An alert is a type of log that warrants more serious attention. They include system errors, attacks (access control) and attempted access to blocked web sites. Some categories such as System Errors consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display in black.

20.2 Viewing the Logs

Click Maintenance > Logs to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 20.3 on page 282).

Log entries in red indicate alerts. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order.

ZYXEL PRESTIGE 661H - Viewing the Logs - 1
Figure 167 View Log

The following table describes the fields in this screen.

Table 116 View Log

LABEL	DESCRIPTION
Display	The categories that you select in the Log Settings screen display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Time	This field displays the time the log was recorded.
Message	This field states the reason for the log.
Source	This field lists the source IP address and the port number of the incoming packet.
Destination	This field lists the destination IP address and the port number of the incoming packet.
Notes	This field displays additional information about the log entry.
Email Log Now	Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the E-mail Log Settings fields in Log Settings).
Refresh	Click Refresh to renew the log screen.
Clear Log	Click Clear Log to delete all the logs.

20.3 Configuring Log Settings

Use the Log Settings screen to configure to where the ZyXEL Device is to send logs; the schedule for when the ZyXEL Device is to send the logs and which logs and/or immediate alerts the ZyXEL Device is to record. See Section 20.1 on page 281 for more information.

To change your ZyXEL Device's log settings, click Maintenance > Logs > Log Settings. The screen appears as shown.

Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full. Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.

ZYXEL PRESTIGE 661H - Configuring Log Settings - 1
Figure 168 Log Settings

The following table describes the fields in this screen.

Table 117 Log Settings

LABEL	DESCRIPTION
E-mail Log Settings
Mail Server	Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via E-mail.
Mail Subject	Type a title that you want to be in the subject line of the log e-mail message that the ZyXEL Device sends. Not all ZyXEL Device models have this field.
Send Log To	The ZyXEL Device sends logs to the e-mail address specified in this field. If this field is left blank, the ZyXEL Device does not send logs via e-mail.
Send Alerts To	Alerts are real-time notifications that are sent as soon as an event, such as a DoS attack, system error, or forbidden web access attempt occurs. Enter the E-mail address where the alert messages will be sent. Alerts include system errors, attacks and attempted access to blocked web sites. If this field is left blank, alert messages will not be sent via E-mail.

Table 117 Log Settings

LABEL	DESCRIPTION
Enable SMTPAuthentication	SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail logs.
UserID	Enter the user name (up to 31 characters) (usually the user name of a mail account).
Password	Enter the password associated with the user name above.
Log Schedule	This drop-down menu is used to configure the frequency of log messages being sent as E-mail: Daily Weekly Hourly When Log is Full None. If you select Weekly or Daily, specify a time of day when the E-mail should be sent. If you select Weekly, then also specify which day of the week the E-mail should be sent. If you select When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent.
Day for Sending Log	Use the drop down list box to select which day of the week to send the logs.
Time for Sending Log	Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
Clear log after sending mail	Select the check box to delete all the logs after the ZyXEL Device sends an E-mail of the logs.
Syslog Logging	The ZyXEL Device sends a log to an external syslog server.
Active	Click Active to enable syslog logging.
Syslog Server IP Address	Enter the server name or IP address of the syslog server that will log the selected categories of logs.
Log Facility	Select a location from the drop down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the syslog server manual for more information.
Active Log and Alert
Log	Select the categories of logs that you want to record.
Send Immediate Alert	Select log categories for which you want the ZyXEL Device to send E-mail alerts immediately.
Apply	Click Apply to save your customized settings and exit this screen.
Cancel	Click Cancel to return to the previously saved settings.

CHAPTER 21 Tools

This chapter covers uploading new firmware, managing configuration and restarting your ZyXEL Device.

21.1 Firmware Upgrade

Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.

Only use firmware for your device's specific model. Refer to the label on the bottom of your device.

Click Maintenance > Tools to open the Firmware screen. Follow the instructions in this screen to upload firmware to your ZyXEL Device.

ZYXEL PRESTIGE 661H - Firmware Upgrade - 1
Figure 169 Firmware Upgrade

The following table describes the labels in this screen.

Table 118 Firmware Upgrade

LABEL	DESCRIPTION
Current Firmware Version	This is the present Firmware version and the date created.
File Path	Type in the location of the file you want to upload in this field or click Browse … to find it.
Browse...	Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload	Click Upload to begin the upload process. This process may take up to two minutes.

Note: Do NOT turn off the ZyXEL Device while firmware upload is in progress!

After you see the Firmware Upload in Progress screen, wait two minutes before logging into the ZyXEL Device again.

ZYXEL PRESTIGE 661H - Firmware Upgrade - 2
Figure 170 Firmware Upload In Progress

The ZyXEL Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

ZYXEL PRESTIGE 661H - Firmware Upgrade - 3
Figure 171 Network Temporarily Disconnected

After two minutes, log in again and check your new firmware version in the Status screen.

If the upload was not successful, the following screen will appear. Click Return to go back to the Firmware screen.

ZYXEL PRESTIGE 661H - Firmware Upgrade - 4
Figure 172 Error Message

21.2 Configuration

Use this screen to back up or restore the configuration of the ZyXEL Device. You can also use this screen to reset the ZyXEL Device to the factory default settings. To access this screen, click Maintenance > Tools > Configuration.

ZYXEL PRESTIGE 661H - Configuration - 1
Figure 173 Configuration

The following table describes the labels in this screen.

Table 119 Configuration

LABEL	DESCRIPTION
Backup Configuration
Backup	Click this to save the ZyXEL Device's current configuration to a file on your computer. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file is useful if you need to return to your previous settings.
Restore Configuration

Table 119 Configuration

LABEL	DESCRIPTION
File Path	Enter the location of the file you want to upload, or click Browse... to find it.
Browse	Click this to find the file you want to upload.
Upload	Click this to restore the selected configuration file. See below for more information about this. Note: Do not turn off the device while configuration file upload is in progress.
Back to Factory Defaults
Reset	Click this to clear all user-entered configuration information and return the ZyXEL Device to its factory defaults. There is no warning screen. See Section 2.3 on page 47 for more information about resetting the ZyXEL Device.

Note: Do not turn off the device while configuration file upload is in progress.

When the ZyXEL Device has finished restoring the selected configuration file, the following screen appears.

ZYXEL PRESTIGE 661H - Configuration - 2
Figure 174 Configuration Upload Successful

The device now automatically restarts. This causes a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

ZYXEL PRESTIGE 661H - Configuration - 3
Figure 175 Network Temporarily Disconnected

If the ZyXEL Device's IP address is different in the configuration file you selected, you may need to change the IP address of your computer to be in the same subnet as that of the default management IP address (192.168.5.1). See your Quick Start Guide or the appendices for details on how to set up your computer's IP address.

You might have to open a new browser to log in again.

If the upload was not successful, a Configuration Upload Error screen appears.

ZYXEL PRESTIGE 661H - Configuration - 4
Figure 176 Configuration Upload Error

Click Return to go back to the previous screen.

21.3 Restart

System restart allows you to reboot the ZyXEL Device without turning the power off.

Click Maintenance > Tools > Restart. Click Restart to have the ZyXEL Device reboot. This does not affect the ZyXEL Device's configuration.

ZYXEL PRESTIGE 661H - Restart - 1
Figure 177 Restart Screen

CHAPTER 22 Diagnostic

These read-only screens display information to help you identify problems with the ZyXEL Device.

22.1 General Diagnostic

Click Maintenance > Diagnostic to open the screen shown next.

ZYXEL PRESTIGE 661H - General Diagnostic - 1
Figure 178 Diagnostic: General

The following table describes the fields in this screen.

Table 120 Diagnostic: General

LABEL	DESCRIPTION
TCP/IP Address	Type the IP address of a computer that you want to ping in order to test a connection.
Ping	Click this button to ping the IP address that you entered. The results are displayed in the screen.

22.2 DSL Line Diagnostic

Click Maintenance > Diagnostic > DSL Line to open the screen shown next.

ZYXEL PRESTIGE 661H - DSL Line Diagnostic - 1
Figure 179 Diagnostic: DSL Line

The following table describes the fields in this screen.

Table 121 Diagnostic: DSL Line

LABEL	DESCRIPTION
ATM Status	Click this button to view ATM status.
ATM Loopback Test	Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before you begin this test. The ZyXEL Device sends an OAM F5 packet to the DSLAM/ATM switch and then returns it (loops it back) to the ZyXEL Device. The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network.
DSL Line Status	Click this button to view the DSL port's line operating values and line bit allocation.
Reset ADSL Line	Click this button to reinitialize the ADSL line. The large text box above then displays the progress and results of this operation, for example:"Start to reset ADSLLoading ADSL modem F/W...Reset ADSL Line Successfully!"
Capture All Logs	Click this button to display all logs generated by the DSL line.

CHAPTER 23 Troubleshooting

This chapter covers potential problems and the corresponding remedies.

23.1 Problems Starting Up the ZyXEL Device

Table 122 Troubleshooting Starting Up Your ZyXEL Device

PROBLEM	CORRECTIVE ACTION
None of the LEDs turn on when I turn on the ZyXEL Device.	Make sure that the ZyXEL Device's power adaptor is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure that the ZyXEL Device and the power source are both turned on. Turn the ZyXEL Device off and on. If the error persists, you may have a hardware problem. In this case, you should contact your vendor.

23.2 Problems with the LAN

Table 123 Troubleshooting the LAN

PROBLEM	CORRECTIVE ACTION
The LAN LEDs do not turn on.	Check your Ethernet cable connections (refer to the Quick Start Guide for details). Check for faulty Ethernet cables.
The LAN LEDs do not turn on.	Make sure your computer's Ethernet Card is working properly.
I cannot access the ZyXEL Device from the LAN.	If Any IP is disabled, make sure that the IP address and the subnet mask of the ZyXEL Device and your computer(s) are on the same subnet.

23.3 Problems with the WAN

Table 124 Troubleshooting the WAN

PROBLEM	CORRECTIVE ACTION
The DSL LED is off.	Check the telephone wire and connections between the ZyXEL Device DSL port and the wall jack.
	Make sure that the telephone company has checked your phone line and set it up for DSL service.
	Reset your ADSL line to reinitialize your link to the DSLAM. For details, refer to Table 121 on page 292.
I cannot get a WAN IP address from the ISP.	The ISP provides the WAN IP address after authenticating you. Authentication may be through the user name and password, the MAC address or the host name. The username and password apply to PPPoE and PPPoA encapsulation only. Make sure that you have entered the correct Service Type, User Name and Password (be sure to use the correct casing). Refer to the WAN Setup chapter.
I cannot access the Internet.	Make sure the ZyXEL Device is turned on and connected to the network. Verify your WAN settings. Refer to the chapter on WAN setup. Make sure you entered the correct user name and password. If you use PPPoE pass through, make sure that bridge mode is turned on.
The Internet connection disconnects.	Check the schedule rules. If you use PPPoA or PPPoE encapsulation, check the idle time-out setting. Refer to the Chapter 4 on page 77. Contact your ISP.

23.4 Problems Accessing the ZyXEL Device

Table 125 Troubleshooting Accessing the ZyXEL Device

PROBLEM	CORRECTIVE ACTION
I cannot access the ZyXEL Device.	The default user password is “user” and admin password is “1234”. The Password field is case-sensitive. Make sure that you enter the correct password using the proper case. If you have changed the password and have now forgotten it, you will need to upload the default configuration file. This restores all of the factory defaults including the password.
I cannot access the web configurator.	Make sure there is not a telnet session running. Use the ZyXEL Device’s WAN IP address when configuring from the WAN. Refer to the instructions on checking your WAN connection. Use the ZyXEL Device’s LAN IP address when configuring from the LAN. Refer to for instructions on checking your LAN connection. Check that you have enabled web service access. If you have configured a secured client IP address, your computer’s IP address must match it. Refer to the chapter on remote management for details. Your computer’s and the ZyXEL Device’s IP addresses must be on the same subnet for LAN access. If you changed the ZyXEL Device’s LAN IP address, then enter the new one as the URL. Check that pop-up windows, JavaScripts and Java permissions are allowed (See Appendix L on page 369).

Appendix A

Product Specifications

See also the Introduction chapter for a general overview of the key features.

Specification Tables

Table 126 Device

Default IP Address	192.168.1.1
Default Subnet Mask	255.255.255.0 (24 bits)
Default Password	1234
DHCP Pool	192.168.1.33 to 192.168.1.64
Dimensions (W x D x H)	180 x 128 x 36 mm
Power Specification	12V AC 1A
Built-in Switch	Four auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports
Operation Temperature	0°C ~ 40°C
Storage Temperature	-20° ~ 60°C
Operation Humidity	20% ~ 85% RH
Storage Humidity	10% ~ 90% RH
Distance between the centers of the holes on the device's back.	108 mm
Screw size for wall-mounting	M3*10

Table 127 Firmware

ADSL Standards	Multi-Mode standard (ANSI T1.413,Issue 2; G.dmt(G.992.1); G.lite(G.992.2)). ADSL2 G.dmt.bis (G.992.3) ADSL2 G.lite.bis (G.992.4) ADSL2+ (G.992.5) Reach-Extended ADSL (RE ADSL) SRA (Seamless Rate Adaptation) Auto-negotiating rate adaptation ADSL physical connection ATM AAL5 (ATM Adaptation Layer type 5) Multi-protocol over AAL5 (RFC2684/1483) PPP over ATM AAL5 (RFC 2364) PPP over Ethernet (RFC 2516) RFC 1483 encapsulation over ATM MAC encapsulated routing (ENET encapsulation) VC-based and LLC-based multiplexing Up to 8 PVCs (Permanent Virtual Circuits) I.610 F4/F5 OAM
Other Protocol Support	PPP (Point-to-Point Protocol) link layer protocol. Transparent bridging for unsupported network layer protocols. DHCP Server/Client/Relay RIP I/RIP II ICMP ATM QoS SNMP v1 and v2c with MIB II support (RFC 1213) IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP
Management	Embedded Web Configurator CLI (Command Line Interpreter) Remote Management via Telnet or Web SNMP manageable FTP/TFTP for firmware downloading, configuration backup and restoration. Syslog Built-in Diagnostic Tools for FLASH memory, ADSL circuitry, RAM and LAN port MAP - "Multimedia Auto Provisioner" (multimedia installation tutorial and automatic configurator) (P-660H/HW)
Wireless	IEEE 802.11g compliance Frequency Range: 2.4 GHz Advanced Orthogonal Frequency Division Multiplexing (OFDM) Data Rates: 54Mbps and Auto Fallback Wired Equivalent Privacy (WEP) Data Encryption 64/128/256 bit WLAN bridge to LAN Up to 32 MAC address filters WPA(2), WPA(2)-PSK IEEE 802.1x External RADIUS server using EAP-MD5, TLS, TTLS
Firewall	Stateful Packet Inspection. Prevent Denial of Service attacks such as Ping of Death, SYN Flood, LAND, Smurf etc. Real time E-mail alerts. Reports and logs.
NAT/SUA	Port Forwarding 1024 NAT sessions Multimedia application PPTP under NAT/SUA IPSec passthrough SIP ALG passthrough VPN passthrough
Content Filtering	Web page blocking by URL keyword.
Static Routes	16 IP and 4 Bridge
Other Features	Any IP Zero Configuration (VC auto-hunting) Traffic Redirect Dynamic DNS IP Alias IP Policy Routing MBM (Multimedia Bandwidth Management) QoS (Quality of Service) TR-069 (P-661H only)

Appendix B About ADSL

Introduction to DSL

DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices. While the wire itself can handle higher frequencies, the telephone switching equipment is designed to cut off signals above 4,000Hz to filter noise off the voice line, but now everybody is searching for ways to get more bandwidth to improve access to the Web - hence DSL technologies.

There are actually seven types of DSL service, ranging in speeds from 16 Kbits/sec to 52 Mbits/sec. The services are either symmetrical (traffic flows at the same speed in both directions), or asymmetrical (the downstream capacity is higher than the upstream capacity). Asymmetrical services (ADSL) are suitable for Internet users because more information is usually downloaded than uploaded. For example, a simple button click in a web browser can start an extended download that includes graphics and text.

As data rates increase, the carrying distance decreases. That means that users who are beyond a certain distance from the telephone company's central office may not be able to obtain the higher speeds.

A DSL connection is a point-to-point dedicated circuit, meaning that the link is always up and there is no dialing required.

ADSL Overview

Asynchronous Digital Subscriber Line (ADSL) technology provides high-speed data access across regular telephone or ISDN lines by making use of previously unused high-frequency bandwidth. ADSL is asymmetric in the sense that it provides a higher downstream data rate transfer (up to 8Mbps), than in the upstream transfer (up to 832 Kbps). Asymmetric operation is ideal for typical home and small office use where files and information are downloaded more frequently than uploaded.

Advantages of ADSL

1 ADSL provides a private (unlike cable telephone and modem services where the line is shared), dedicated and secure channel of communications between you and your service provider.
2 Because your line is dedicated (not shared), transmission speeds between you and the device to which you connect at your service provider are not affected by other users. With

cable modems, transmission speeds drop significantly as more users go on-line because the line is shared.

3 ADSL can be "always on" (connected). This means that there is no time wasted dialing up the service several times a day and waiting to be connected; ADSL is on standby, ready for use whenever you need it.

APPENDIX C

Wall-mounting Instructions

Do the following to hang your ZyXEL Device on a wall.

Note: See the product specifications appendix for the size of screws to use and how far apart to place them.

1 Locate a high position on wall that is free of obstructions. Use a sturdy wall.
2 Drill two holes for the screws. Make sure the distance between the centers of the holes matches what is listed in the product specifications appendix.

Note: Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws.

3 Do not screw the screws all the way into the wall. Leave a small gap of about 0.5cm between the heads of the screws and the wall.
4 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the ZyXEL Device with the connection cables.
5 Align the holes on the back of the ZyXEL Device with the screws on the wall. Hang the ZyXEL Device on the screws.

ZYXEL PRESTIGE 661H - Wall-mounting Instructions - 1
Figure 180 Wall-mounting Example

Appendix D Setting up Your Computer's IP Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.

Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.

TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems.

After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network.

Windows 95/98/Me

Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.

ZYXEL PRESTIGE 661H - Windows 95/98/Me - 1
Figure 181 Windows 95/98/Me: Network: Configuration

Installing Components

The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:

1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:

1 In the Network window, click Add.
2 Select Protocol and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select TCP/IP from the list of network protocols and then click OK.

If you need Client for Microsoft Networks:

1 Click Add.
2 Select Client and then click Add.

3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click OK.
5 Restart your computer so the changes you made take effect.

Configuring

1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties
2 Click the IP Address tab.

If your IP address is dynamic, select Obtain an IP address automatically.
If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.

ZYXEL PRESTIGE 661H - Configuring - 1
Figure 182 Windows 95/98/Me: TCP/IP Properties: IP Address

3 Click the DNS Configuration tab.

If you do not know your DNS information, select Disable DNS.
If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).

ZYXEL PRESTIGE 661H - Configuring - 2
Figure 183 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

4 Click the Gateway tab.

If you do not know your gateway's IP address, remove previously installed gateways.
If you have a gateway IP address, type it in the New gateway field and click Add.

5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Restart your computer when prompted.

Verifying Settings

1 Click Start and then Run.
2 In the Run window, type "winipcfg" and then click OK to open the IP Configuration window.
3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway.

Windows 2000/NT/XP

The following example figures use the default Windows XP GUI theme.

1 Click start (Start in Windows 2000/NT), Settings, Control Panel.

ZYXEL PRESTIGE 661H - Windows 2000/NT/XP - 1
Figure 184 Windows XP: Start Menu

2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).

ZYXEL PRESTIGE 661H - Windows 2000/NT/XP - 2
Figure 185 Windows XP: Control Panel

3 Right-click Local Area Connection and then click Properties.

ZYXEL PRESTIGE 661H - Windows 2000/NT/XP - 3
Figure 186 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.

ZYXEL PRESTIGE 661H - Windows 2000/NT/XP - 4
Figure 187 Windows XP: Local Area Connection Properties

5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).

If you have a dynamic IP address click Obtain an IP address automatically.
- If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.

Click Advanced.

ZYXEL PRESTIGE 661H - Windows 2000/NT/XP - 5
Figure 188 Windows XP: Internet Protocol (TCP/IP) Properties

6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Do one or more of the following if you want to configure additional IP addresses:

In the IP Settings tab, in IP addresses, click Add.
In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
Repeat the above two steps for each IP address you want to add.
Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
Click Add.
Repeat the previous three steps for each default gateway you want to add.
Click OK when finished.

ZYXEL PRESTIGE 661H - Windows 2000/NT/XP - 6
Figure 189 Windows XP: Advanced TCP/IP Properties

7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):

Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.

If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.

ZYXEL PRESTIGE 661H - Windows 2000/NT/XP - 7
Figure 190 Windows XP: Internet Protocol (TCP/IP) Properties

8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11Restart your computer (if prompted).

Verifying Settings

1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Macintosh OS X

1 Click the Apple menu, and click System Preferences to open the System Preferences window.

ZYXEL PRESTIGE 661H - Macintosh OS X - 1
Figure 191 Macintosh OS X:Apple Menu

2 Click Network in the icon bar.

Select Automatic from the Location list.
Select Built-in Ethernet from the Show list.
Click the TCP/IP tab.

3 For dynamically assigned settings, select Using DHCP from the Configure list.

ZYXEL PRESTIGE 661H - Macintosh OS X - 2
Figure 192 Macintosh OS X: Network

4 For statically assigned settings, do the following:

From the Configure box, select Manually.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your gateway in the Router address box.

5 Click Apply Now and close the window.

6 Restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the Network window.

Linux

This section shows you how to configure your computer's TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.

Note: Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)

Follow the steps below to configure your computer IP address using the KDE.

1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.

ZYXEL PRESTIGE 661H - Using the K Desktop Environment (KDE) - 1
Figure 193 Red Hat 9.0: KDE: Network Configuration: Devices

2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.

ZYXEL PRESTIGE 661H - Using the K Desktop Environment (KDE) - 2
Figure 194 Red Hat 9.0: KDE: Ethernet Device: General

If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
If you have a static IP address, click statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.

3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided.

ZYXEL PRESTIGE 661H - Using the K Desktop Environment (KDE) - 3
Figure 195 Red Hat 9.0: KDE: Network Configuration: DNS

5 Click the Devices tab.
6 Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens.

Figure 196 Red Hat 9.0: KDE: Network Configuration: Activate

ZYXEL PRESTIGE 661H - Using the K Desktop Environment (KDE) - 4
Figure 197 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0

7 After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen.

Using Configuration Files

Follow the steps below to edit the network configuration files and set your computer IP address.

1 Assuming that you have only one network card on the computer, locate the ifconfigeth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.

If you have a dynamic IP address, enter dhcpp in the BOOTPROTO= field. The following figure shows an example.

DEVICE eth0
ONBOOT yes
BOOTPROTO dhcp
USERCTL no
PEERDNS yes
TYPE Ethernet

If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following example shows an example where the static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0.

Figure 198 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0
DEVICE eth0
ONBOOT yes
BOOTPROTO static
IPADDR = 192.168.1.10 NETMASK = 255.255.255.0 USERCTL no
PEERDNS yes
TYPE Ethernet

2 If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.

Figure 199 Red Hat 9.0: DNS Settings in resolv.conf

nameserver 172.23.5.1  
nameserver 172.23.5.2

3 After you edit and save the configuration files, you must restart the network card. Enter./network restart in the /etc/rc.d/init.d directory. The following figure shows an example.

Figure 200 Red Hat 9.0: Restart Ethernet Card

[root@localhost init.d]# network restart Shutting down interface eth0: [OK] Shutting down loopback interface: [OK] Setting network parameters: [OK] Bringing up loopback interface: [OK] Bringing up interface eth0: [OK]

Verifying Settings

Enter ifconfig in a terminal screen to check your TCP/IP properties.

Figure 201 Red Hat 9.0: Checking TCP/IP Properties

[root@localhost]# ifconfig   
eth0 Link encaps:Ethernet HWaddr 00:50:BA:72:5B:44 inlet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:717 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb) Interrupt:10 Base address:0x1000   
[root@localhost]#

Appendix E IP Subnetting

IP Addressing

Routers "route" based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.

IP Classes

An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1. IP addresses are categorized into different classes. The class of an address depends on the value of its first octet.

Class “A” addresses have a 0 in the left most bit. In a class “A” address the first octet is the network number and the remaining three octets make up the host ID.
Class "B" addresses have a 1 in the left most bit and a 0 in the next left most bit. In a class "B" address the first two octets make up the network number and the two remaining octets make up the host ID.
Class “C” addresses begin (starting from the left) with 1 1 0. In a class “C” address the first three octets make up the network number and the last octet is the host ID.
Class "D" addresses begin with 1 1 1 0. Class "D" addresses are used for multicasting. (There is also a class "E" address. It is reserved for future use.)

Table 128 Classes of IP Addresses

IP ADDRESS:		OCTET 1	OCTET 2	OCTET 3	OCTET 4
Class A	0	Network number	Host ID	Host ID	Host ID
Class B	10	Network number	Network number	Host ID	Host ID
Class C	110	Network number	Network number	Network number	Host ID

Note: Host IDs of all zeros or all ones are not allowed.

Therefore:

A class "C" network (8 host bits) can have 2^8 - 2 or 254 hosts.

A class "B" address (16 host bits) can have 2^16 - 2 or 65534 hosts.

A class "A" address (24 host bits) can have 2^24 - 2 hosts (approximately 16 million hosts).

Since the first octet of a class "A" IP address must contain a "0", the first octet of a class "A" address can have a value of 0 to 127.

Similarly the first octet of a class "B" must begin with "10", therefore the first octet of a class "B" address has a valid range of 128 to 191. The first octet of a class "C" address begins with "110", and therefore has a range of 192 to 223.

Table 129 Allowed IP Address Range By Class

CLASS	ALLOWED RANGE OF FIRST OCTET (BINARY)	ALLOWED RANGE OF FIRST OCTET (DECIMAL)
Class A	00000000 to 01111111	0 to 127
Class B	10000000 to 10111111	128 to 191
Class C	11000000 to 11011111	192 to 223
Class D	11100000 to 11101111	224 to 239

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). A subnet mask has 32 bits. If a bit is a "1" then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is "0" then the corresponding bit in the IP address is part of the host ID.

Subnet masks are expressed in dotted decimal notation just as IP addresses are. The "natural" masks for class A, B and C IP addresses are as follows.

Table 130 "Natural" Masks

CLASS	NATURAL MASK
A	255.0.0.0
B	255.255.0.0
C	255.255.255.0

Subnetting

With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits. By convention, subnet masks always consist of a continuous sequence of ones beginning from the left most bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/” followed by the number of bits in the mask after the address.

For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128.

The following table shows all possible subnet masks for a class "C" address using both notations.

Table 131 Alternative Subnet Mask Notation

SUBNET MASK	SUBNET MASK “1” BITS	LAST OCTET BIT VALUE
255.255.255.0	/24	0000 0000
255.255.255.128	/25	1000 0000
255.255.255.192	/26	1100 0000
255.255.255.224	/27	1110 0000
255.255.255.240	/28	1111 0000
255.255.255.248	/29	1111 1000
255.255.255.252	/30	1111 1100

The first mask shown is the class "C" natural mask. Normally if no mask is specified it is understood that the natural mask is being used.

Example: Two Subnets

As an example, you have a class "C" address 192.168.1.0 with subnet mask of 255.255.255.0.

Table 132 Two Subnets Example

IP/SUBNET MASK	NETWORK NUMBER	HOST ID
IP Address	192.168.1.	0
IP Address (Binary)	11000000.10101000.00000001.	00000000
Subnet Mask	255.255.255.	0
Subnet Mask (Binary)	11111111.11111111.11111111.	00000000

The first three octets of the address make up the network number (class "C"). You want to have two separate networks.

Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The "borrowed" host ID bit can be either "0" or "1" thus giving two subnets; 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128.

Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits "borrowed" to form network ID bits. The number of "borrowed" host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after "borrowing") determines the number of hosts you can have on each subnet.

Table 133 Subnet 1

IP/SUBNET MASK	NETWORK NUMBER	LAST OCTET BIT VALUE
IP Address	192.168.1.	0
IP Address (Binary)	11000000.10101000.00000001.	00000000
Subnet Mask	255.255.255.	128
Subnet Mask (Binary)	11111111.11111111.11111111.	10000000
Subnet Address: 192.168.1.0	Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.127	Highest Host ID: 192.168.1.126

Table 134 Subnet 2

IP/SUBNET MASK	NETWORK NUMBER	LAST OCTET BIT VALUE
IP Address	192.168.1.	128
IP Address (Binary)	11000000.10101000.00000001.	10000000
Subnet Mask	255.255.255.	128
Subnet Mask (Binary)	11111111.11111111.11111111.	10000000
Subnet Address: 192.168.1.128	Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.255	Highest Host ID: 192.168.1.254

The remaining 7 bits determine the number of hosts each subnet can have. Host IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2^7 - 2 or 126 hosts for each subnet.

192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The above example illustrated using a 25-bit subnet mask to divide a class "C" address space into two subnets. Similarly to divide a class "C" address into four subnets, you need to "borrow" two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (1111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (all 0's is the subnet itself, all 1's is the broadcast address on the subnet).

Table 135 Subnet 1

IP/SUBNET MASK	NETWORK NUMBER	LAST OCTET BIT VALUE
IP Address	192.168.1.	0
IP Address (Binary)	11000000.10101000.00000001.	00000000
Subnet Mask (Binary)	11111111.11111111.11111111.	11000000
Subnet Address: 192.168.1.0	Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63	Highest Host ID: 192.168.1.62

Table 136 Subnet 2

IP/SUBNET MASK	NETWORK NUMBER	LAST OCTET BIT VALUE
IP Address	192.168.1.	64
IP Address (Binary)	11000000.10101000.00000001.	01000000
Subnet Mask (Binary)	11111111.11111111.11111111.	11000000
Subnet Address: 192.168.1.64	Lowest Host ID: 192.168.1.65
Broadcast Address: 192.168.1.127	Highest Host ID: 192.168.1.126

Table 137 Subnet 3

IP/SUBNET MASK	NETWORK NUMBER	LAST OCTET BIT VALUE
IP Address	192.168.1.	128
IP Address (Binary)	11000000.10101000.00000001.	10000000
Subnet Mask (Binary)	11111111.11111111.11111111.	11000000
Subnet Address: 192.168.1.128	Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191	Highest Host ID: 192.168.1.190

Table 138 Subnet 4

IP/SUBNET MASK	NETWORK NUMBER	LAST OCTET BIT VALUE
IP Address	192.168.1.	192
IP Address (Binary)	11000000.10101000.00000001.	11000000
Subnet Mask (Binary)	11111111.11111111.11111111.	11000000
Subnet Address: 192.168.1.192	Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255	Highest Host ID: 192.168.1.254

Example Eight Subnets

Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110).

The following table shows class C IP address last octet values for each subnet.

Table 139 Eight Subnets

SUBNET	SUBNET ADDRESS	FIRST ADDRESS	LAST ADDRESS	BROADCAST ADDRESS
1	0	1	30	31
2	32	33	62	63
3	64	65	94	95
4	96	97	126	127
5	128	129	158	159
6	160	161	190	191
7	192	193	222	223
8	224	225	254	255

The following table is a summary for class "C" subnet planning.

Table 140 Class C Subnet Planning

NO. “BORROWED” HOST BITS	SUBNET MASK	NO. SUBNETS	NO. HOSTS PER SUBNET
1	255.255.255.128 (/25)	2	126
2	255.255.255.192 (/26)	4	62
3	255.255.255.224 (/27)	8	30
4	255.255.255.240 (/28)	16	14
5	255.255.255.248 (/29)	32	6
6	255.255.255.252 (/30)	64	2
7	255.255.255.254 (/31)	128	1

Subnetting With Class A and Class B Networks.

For class "A" and class "B" addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.

A class “B” address has two host ID octets available for subnetting and a class “A” address has three host ID octets (see Table 128 on page 319) available for subnetting.

The following table is a summary for class "B" subnet planning.

Table 141 Class B Subnet Planning

NO. “BORROWED” HOST BITS	SUBNET MASK	NO. SUBNETS	NO. HOSTS PER SUBNET
1	255.255.128.0 (/17)	2	32766
2	255.255.192.0 (/18)	4	16382
3	255.255.224.0 (/19)	8	8190
4	255.255.240.0 (/20)	16	4094
5	255.255.248.0 (/21)	32	2046
6	255.255.252.0 (/22)	64	1022
7	255.255.254.0 (/23)	128	510
8	255.255.255.0 (/24)	256	254
9	255.255.255.128 (/25)	512	126
10	255.255.255.192 (/26)	1024	62
11	255.255.255.224 (/27)	2048	30
12	255.255.255.240 (/28)	4096	14
13	255.255.255.248 (/29)	8192	6
14	255.255.255.252 (/30)	16384	2
15	255.255.255.254 (/31)	32768	1

Appendix F Command Interpreter

The following describes how to use the command interpreter. You can use telnet to access the CLI (Command Line Interface) commands. See the included disk or zyxel.com for more detailed information on these commands.

Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.

Command Syntax

The command keywords are in courier new font.
Enter the command keywords exactly as shown, do not abbreviate.
The required fields in a command are enclosed in angle brackets .
The optional fields in a command are enclosed in square brackets [ ] .
The | symbol means or.

For example,

sys filter netbios config

means that you must specify the type of netbios filter and whether to turn it on or off.

Command Usage

A list of valid commands can be found by typing help or? at the command prompt. Always type the full command. Type exit to end the session when finished.

Appendix G

Firewall Commands

The following describes the firewall commands.

Table 142 Firewall Commands

FUNCTION	COMMAND	DESCRIPTION
Firewall SetUp
	config edit firewall activeyes \| no>	This command turns the firewall on or off.

	config retrieve firewall	This command returns the previously saved firewall settings.

	config save firewall	This command saves the current firewall settings.

Display
	config display firewall	This command shows the of all the firewallsettings including e-mail,attack,and the sets/ rules.

	config display firewall set<set #>	This command shows the currentconfiguration of a set;including timeoutvalues,name,default-permit,and etc.If youdon't put use a number(#)after "set",information about all of the sets/rules appears.

	config display firewall set<set #> rule <rule #>	This command shows the currententries of arule in a firewall rule set.

	config display firewall attack	This command shows all of the attackresponse settings.

	config display firewall e-mail	This command shows all of the e-mailsettings.

	config display firewall?	This command shows all of the availablefirewall sub commands.

Edit
E-mail	config edit firewall e-mailmail-server <ip address ofmail server>	This command sets the IP address to whichthe e-mail messages are sent.

	config edit firewall e-mail return-addr <e-mail address>	This command sets the source e-mail address of the firewall e-mails.

	config edit firewall e-mail email-to <e-mail address>	This command sets the e-mail address to which the firewall e-mails are sent.

	config edit firewall e-mail policy <full \| hourly \| daily \| weekly>	This command sets how frequently the firewall log is sent via e-mail.

	config edit firewall e-mail day <sunday \| monday \| tuesday \| wednesday \| thursday \| friday \| saturday>	This command sets the day on which the current firewall log is sent through e-mail if the ZyXEL Device is set to send it on a weekly basis.

	config edit firewall e-mail hour <0-23>	This command sets the hour when the firewall log is sent through e-mail if the ZyXEL Device is set to send it on an hourly, daily or weekly basis.

	config edit firewall e-mail minute <0-59>	This command sets the minute of the hour for the firewall log to be sent via e-mail if the ZyXEL Device is set to send it on a hourly, daily or weekly basis.

Attack	config edit firewall attack send-alert <yes \| no>	This command enables or disables the immediate sending of DOS attack notification e-mail messages.

	config edit firewall attack block <yes \| no>	Set this command to yes to block new traffic after the tcp-max-incomplete threshold is exceeded. Set it to no to delete the oldest half-open session when traffic exceeds the tcp-max-incomplete threshold.

	config edit firewall attack block-minute <0-255>	This command sets the number of minutes for new sessions to be blocked when the tcp-max-incomplete threshold is reached. This command is only valid when block is set to yes.

	config edit firewall attack minute-high <0-255>	This command sets the threshold rate of new half-open sessions per minute where the ZyXEL Device starts deleting old half-opened sessions until it gets them down to the minute-low threshold.
	config edit firewall attack minute-low <0-255>	This command sets the threshold of half-open sessions where the ZyXEL Device stops deleting half-opened sessions.

	config edit firewall attack max-incomplete-high <0-255>	This command sets the threshold of half-open sessions where the ZyXEL Device starts deleting old half-opened sessions until it gets them down to the max incomplete low.

	config edit firewall attack max-incomplete-low <0-255>	This command sets the threshold where the ZyXEL Device stops deleting half-opened sessions.

	config edit firewall attack tcp-max-incomplete <0-255>	This command sets the threshold of half-open TCP sessions with the same destination where the ZyXEL Device starts dropping half-open sessions to that destination.

Sets	config edit firewall set <set #> name <desired name>	This command sets a name to identify a specified set.

	Config edit firewall set <set #> default-permit <forward \| block>	This command sets whether a packet is dropped or allowed through, when it does not meet a rule within the set.

	Config edit firewall set <set #> icmp-timeout <seconds>	This command sets the time period to allow an ICMP session to wait for the ICMP response.

	Config edit firewall set <set #> udp-idle-timeout <seconds>	This command sets how long a UDP connection is allowed to remain inactive before the ZyXEL Device considers the connection closed.

	Config edit firewall set <set #> connection-timeout <seconds>	This command sets how long ZyXEL Device waits for a TCP session to be established before dropping the session.

	Config edit firewall set <set #> fin-wait-timeout <seconds>	This command sets how long the ZyXEL Device leaves a TCP session open after the firewall detects a FIN-exchange (indicating the end of the TCP session).

	Config edit firewall set <set #> tcp-idle-timeout <seconds>	This command sets how long ZyXEL Device lets an inactive TCP connection remain open before considering it closed.

	Config edit firewall set <set #> log <yes \| no>	This command sets whether or not the ZyXEL Device creates logs for packets that match the firewall's default rule set.

Rules	Config edit firewall set <set #> rule <rule #> permit <forward \| block>	This command sets whether packets that match this rule are dropped or allowed through.

	Config edit firewall set <set #> rule <rule #> active <yes \| no>	This command sets whether a rule is enabled or not.

	Config edit firewall set <set #> rule <rule #> protocol <integer protocol value >	This command sets the protocol specification number made in this rule for ICMP.

	Config edit firewall set <set #> rule <rule #> log <none \| match \| not-match \| both>	This command sets the ZyXEL Device to log traffic that matches the rule, doesn't match, both or neither.

	Config edit firewall set <set #> rule <rule #> alert <yes \| no>	This command sets whether or not the ZyXEL Device sends an alert e-mail when a DOS attack or a violation of a particular rule occurs.

	config edit firewall set <set #> rule <rule #> srcaddr-single <ip address>	This command sets the rule to have the ZyXEL Device check for traffic with this individual source address.

	config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address>< subnet mask>	This command sets a rule to have the ZyXEL Device check for traffic from a particular subnet (defined by IP address and subnet mask).

	config edit firewall set <set #> rule <rule #> srcaddr-range <start ip address><end ip address>	This command sets a rule to have the ZyXEL Device check for traffic from this range of addresses.

	config edit firewall set <set #> rule <rule #> destaddr-single <ip address>	This command sets the rule to have the ZyXEL Device check for traffic with this individual destination address.

	config edit firewall set <set>#> rule <rule>#> destaddr-subnet <ip address><subnet mask>	This command sets a rule to have the ZyxEL Device check for traffic with a particular subnet destination (defined by IP address and subnet mask).

	config edit firewall set <set>#> rule <rule>#> destaddr-range <start ip address><end ip address>	This command sets a rule to have the ZyxEL Device check for traffic going to this range of addresses.

	config edit firewall set <set>#> rule <rule>#> TCP destport-single <port>#>	This command sets a rule to have the ZyxEL Device check for TCP traffic with this destination address. You may repeat this command to enter various, non-consecutive port numbers.

	config edit firewall set <set>#> rule <rule>#> TCP destport-range <start port>#><end port>#>	This command sets a rule to have the ZyxEL Device check for TCP traffic with a destination port in this range.

	config edit firewall set <set>#> rule <rule>#> UDP destport-single <port>#>	This command sets a rule to have the ZyxEL Device check for UDP traffic with this destination address. You may repeat this command to enter various, non-consecutive port numbers.

	config edit firewall set <set>#> rule <rule>#> UDP destport-range <start port>#><end port>#>	This command sets a rule to have the ZyxEL Device check for UDP traffic with a destination port in this range.

Delete
	config delete firewall e-mail	This command removes all of the settings for e-mail alert.

	config delete firewall attack	This command resets all of the attack response settings to their defaults.

	config delete firewall set <set>#>	This command removes the specified set from the firewall configuration.

	config delete firewall set <set>#> rule<rule>#>	This command removes the specified rule in a firewall configuration set.

Appendix H NetBIOS Filter Commands

The following describes the NetBIOS packet filter commands.

Introduction

NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.

For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.

You can configure NetBIOS filters to do the following:

Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN.
Allow or disallow the sending of NetBIOS packets through VPN connections.
Allow or disallow NetBIOS packets to initiate calls.

Display NetBIOS Filter Settings

Syntax: sys filter netbios disp

This command gives a read-only list of the current NetBIOS filter modes for The ZyXEL Device.

NetBIOS Display Filter Settings Command Example

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = 0 NetBIOS Filter Status Between LAN and WAN: Block IPSec Packets: Forward Trigger Dial: Disabled

The filter types and their default settings are as follows.

Table 143 NetBIOS Filter Default Settings

NAME	DESCRIPTION	EXAMPLE
Between LAN and WAN	This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.	Block
IPSec Packets	This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded.	Forward
Trigger dial	This field displays whether NetBIOS packets are allowed to initiate calls. Disabled means that NetBIOS packets are blocked from initiating calls.	Disabled

NetBIOS Filter Configuration

Syntax:sys filter netbios config

where

Identify which NetBIOS filter (numbered 0-3) to configure.

0 = Between LAN and WAN

3 = IPSec packet pass through

4 = Trigger Dial

= For type 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets.

For type 3, use on to block NetBIOS packets from being sent through a VPN connection. Use off to allow NetBIOS packets to be sent through a VPN connection.

For type 4, use on to allow NetBIOS packets to initiate dial backup calls. Use off to block NetBIOS packets from initiating dial backup calls.

Example commands

sys filter netbios This command blocks LAN to WAN and WAN to LAN NetBIOS config 0 on packets.

sys filter netbios This command blocks IPSec NetBIOS packets. config 3 on

sys filter netbios This command stops NetBIOS commands from initiating calls. config 4 off

Appendix I

PPPoE

PPPoE in Action

An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 202 on page 338). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.

Benefits of PPPoE

PPPoE offers the following benefits:

It provides you with a familiar dial-up networking (DUN) user interface.

It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users. For GSTN (PSTN and ISDN), the switching fabric is already in place.

It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services.

Traditional Dial-up Scenario

The following diagram depicts a typical hardware configuration where the computers use traditional dial-up networking.

ZYXEL PRESTIGE 661H - Traditional Dial-up Scenario - 1
Figure 202 Single-Computer per Router Hardware Configuration

How PPPoE Works

The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.

With PPPoE, the VC (Virtual Circuit) is equivalent to the dial-up connection and is between the modem and the AC, as opposed to all the way to the ISP. However, the PPP negotiation is between the computer and the ISP.

ZyXEL Device as a PPPoE Client

When using the ZyXEL Device as a PPPoE client, the computers on the LAN see only Ethernet and are not aware of PPPoE. This alleviates the administrator from having to manage the PPPoE clients on the individual computers.

ZYXEL PRESTIGE 661H - ZyXEL Device as a PPPoE Client - 1
Figure 203 ZyXEL Device as a PPPoE Client

Appendix J

Log Descriptions

This appendix provides descriptions of example log messages.

Table 144 System Maintenance Logs

LOGMESSAGE	DESCRIPTION
Time calibration is successful	The router has adjusted its time based on information from the time server.
Time calibration failed	The router failed to get information from the time server.
WAN interface gets IP:%s	A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.
DHCP client IP expired	A DHCP client's IP address has expired.
DHCP server assigns%s	The DHCP server assigned an IP address to a client.
Successful WEB login	Someone has logged on to the router's web configurator interface.
WEB login failed	Someone has failed to log on to the router's web configurator interface.
Successful TELNET login	Someone has logged on to the router via telnet.
TELNET login failed	Someone has failed to log on to the router via telnet.
Successful FTP login	Someone has logged on to the router via ftp.
FTP login failed	Someone has failed to log on to the router via ftp.
NAT Session Table is Full!	The maximum number of NAT session table entries has been exceeded and the table is full.
Starting Connectivity Monitor	Starting Connectivity Monitor.
Time initialized by Daytime Server	The router got the time and date from the Daytime server.
Time initialized by Time server	The router got the time and date from the Time server.
Time initialized by NTP server	The router got the time and date from the NTP server.
Connect to Daytime server fail	The router was not able to connect to the Daytime server.
Connect to Time server fail	The router was not able to connect to the Time server.
Connect to NTP server fail	The router was not able to connect to the NTP server.
Too large ICMP packet has been dropped	The router dropped an ICMP packet that was too large.
Configuration Change: PC = 0x%x, Task ID = 0x%x	The router is saving configuration changes.
Successful SSH login	Someone has logged on to the router's SSH server.
SSH login failed	Someone has failed to log on to the router's SSH server.
Successful HTTPS login	Someone has logged on to the router's web configurator interface using HTTPS protocol.
HTTPS login failed	Someone has failed to log on to the router's web configurator interface using HTTPS protocol.

Table 145 System Error Logs

LOGMESSAGE	DESCRIPTION
%s exceeds the max. number of session per host!	This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
setNetBIOSFilter:%X	The router failed to allocate memory for the NetBIOS filter settings.
readNetBIOSFilter:%X	The router failed to allocate memory for the NetBIOS filter settings.
WAN connection is down.	A WAN connection is down. You cannot access the network through this interface.

Table 146 Access Control Logs

LOGMESSAGE	DESCRIPTION
Firewall default policy: [TCP \| UDP \| IGMP \| ESP \| GRE \| OSPF] <Packet Direction>	Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy's setting.
Firewall rule [NOT] match: [TCP \| UDP \| IGMP \| ESP \| GRE \| OSPF] <Packet Direction>, <rule:%d>	Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: [TCP \| UDP \| IGMP \| ESP \| GRE \| OSPF]	The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: [TCP \| UDP \| IGMP \| ESP \| GRE \| OSPF]	The router blocked a packet that didn't have a corresponding NAT table entry.
Router sent blocked web site message: TCP	The router sent a message to notify a user that the router blocked access to a web site that the user requested.

Table 147 TCP Reset Logs

LOGMESSAGE	DESCRIPTION
Under SYN flood attack, sent TCP RST	The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.)
Exceed TCP MAX incomplete, sent TCP RST	The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.) Note: Refer to TCP Maximum Incomplete in the Firewall Attack Alerts screen.
Peer TCP state out of order, sent TCP RST	The router sent a TCP reset packet when a TCP connection state was out of order.Note: The firewall refers to RFC793 Figure 6 to check the TCP state.
Firewall session time out, sent TCP RST	The router sent a TCP reset packet when a dynamic firewall session timed out.The default timeout values are as follows:ICMP idle timeout: 3 minutesUDP idle timeout: 3 minutesTCP connection (three way handshaking) timeout: 270 secondsTCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header).TCP idle (established) timeout (s): 150 minutesTCP reset timeout: 10 seconds
Exceed MAX incomplete, sent TCP RST	The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.)Note: When the number of incomplete connections (TCP + UDP) > "Maximum Incomplete High", the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < "Maximum Incomplete Low".
Access block, sent TCP RST	The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via Cl command: "sys firewall tcprst").

Table 148 Packet Filter Logs

LOGMESSAGE	DESCRIPTION
[TCP \| UDP \| ICMP \| IGMP \| Generic] packet filter matched (set:%d, rule:%d)	Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.

Table 149 ICMP Logs

LOGMESSAGE	DESCRIPTION
Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>	ICMP access matched the default policy and was blocked or forwarded according to the user's setting. For type and code details, see Table 161 on page 351.
Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>	ICMP access matched (or didn't match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule. For type and code details, see Table 161 on page 351.
Triangle route packet forwarded: ICMP	The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: ICMP	The router blocked a packet that didn't have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP	The firewall does not support this kind of ICMP packets or the ICMP packets are out of order.
Router reply ICMP packet: ICMP	The router sent an ICMP reply packet to the sender.

Table 150 CDR Logs

LOGMESSAGE	DESCRIPTION
board%d line%d channel%d, call%d,%s C01 Outgoing Call dev=%x ch=%s	The router received the setup requirements for a call. "call" is the reference (count) number of the call. "dev" is the device type (3 is for dial-up, 6 is for PPPoE, 10 is for PPTP). "channel" or "ch" is the call channel ID. For example, "board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0 "Means the router has dialed to the PPPoE server 3 times.
board%d line%d channel%d, call%d,%s C02 OutCall Connected%d%s	The PPPoE, PPTP or dial-up call is connected.
board%d line%d channel%d, call%d,%s C02 Call Terminated	The PPPoE, PPTP or dial-up call was disconnected.

Table 151 PPP Logs

LOGMESSAGE	DESCRIPTION
ppp:LCP Starting	The PPP connection's Link Control Protocol stage has started.
ppp:LCP Opening	The PPP connection's Link Control Protocol stage is opening.
ppp:CHAP Opening	The PPP connection's Challenge Handshake Authentication Protocol stage is opening.
ppp:IPCP Starting	The PPP connection's Internet Protocol Control Protocol stage is starting.
ppp:IPCP Opening	The PPP connection's Internet Protocol Control Protocol stage is opening.
ppp:LCP Closing	The PPP connection's Link Control Protocol stage is closing.
ppp:IPCP Closing	The PPP connection's Internet Protocol Control Protocol stage is closing.

Table 152 UPnP Logs

LOGMESSAGE	DESCRIPTION
UPnP pass through Firewall	UPnP packets can pass through the firewall.

Table 153 Content Filtering Logs

LOGMESSAGE	DESCRIPTION
%s: Keyword blocking	The content of a requested web page matched a user defined keyword.
%s: Not in trusted web list	The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site	The web site is in the forbidden web site list.
%s: Contains ActiveX	The web site contains ActiveX.
%s: Contains Java applet	The web site contains a Java applet.
%s: Contains cookie	The web site contains a cookie.
%s: Proxy mode detected	The router detected proxy mode in the packet.
%s	The content filter server responded that the web site is in the blocked category list, but it did not return the category type.
%s:%s	The content filter server responded that the web site is in the blocked category list, and returned the category type.
%s(cache hit)	The system detected that the web site is in the blocked list from the local cache, but does not know the category type.
%s:%s(cache hit)	The system detected that the web site is in blocked list from the local cache, and knows the category type.
%s: Trusted Web site	The web site is in a trusted domain.
%s	When the content filter is not on according to the time schedule or you didn't select the "Block Matched Web Site" check box, the system forwards the web content.
Waiting content filter server timeout	The external content filtering server did not respond within the timeout period.
DNS resolving failed	The ZyXEL Device cannot get the IP address of the external content filtering via DNS query.
Creating socket failed	The ZyXEL Device cannot issue a query because TCP/IP socket creation failed, port:port number.
Connecting to content filter server fail	The connection to the external content filtering server failed.
License key is invalid	The external content filtering license key is invalid.

Table 154 Attack Logs

LOGMESSAGE	DESCRIPTION
attack [TCP \| UDP \| IGMP \| ESP \| GRE \| OSPF]	The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
attack ICMP (type:%d, code:%d)	The firewall detected an ICMP attack. For type and code details, see Table 161 on page 351.
land [TCP \| UDP \| IGMP \| ESP \| GRE \| OSPF]	The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
land ICMP (type:%d, code:%d)	The firewall detected an ICMP land attack. For type and code details, see Table 161 on page 351.
ip spoofing - WAN [TCP \| UDP \| IGMP \| ESP \| GRE \| OSPF]	The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d)	The firewall detected an ICMP IP spoofing attack on the WAN port. For type and code details, see Table 161 on page 351.
icmp echo: ICMP (type:%d, code:%d)	The firewall detected an ICMP echo attack. For type and code details, see Table 161 on page 351.
syn flood TCP	Thefirewall detected a TCP syn flood attack.
ports scan TCP	Thefirewall detected a TCP port scan attack.
teardrop TCP	Thefirewall detected a TCP teardrop attack.
teardrop UDP	Thefirewall detected an UDP teardrop attack.
teardrop ICMP (type:%d, code:%d)	Thefirewall detected an ICMP teardrop attack. For type and code details, see Table 161 on page 351.
illegal command TCP	Thefirewall detected a TCP illegal command attack.
NetBIOS TCP	Thefirewall detected a TCP NetBIOS attack.
ip spoofing - no routing entry [TCP \| UDP \| IGMP \| ESP \| GRE \| OSPF]	Thefirewall classified a packet with no source routing entry as an IP spoofing attack.
ip spoofing - no routing entry ICMP (type:%d, code:%d)	Thefirewall classified an ICMP packet with no source routing entry as an IP spoofing attack.
vulnerability ICMP (type:%d, code:%d)	Thefirewall detected an ICMP vulnerability attack. For type and code details, see Table 161 on page 351.
traceroute ICMP (type:%d, code:%d)	Thefirewall detected an ICMP traceroute attack. For type and code details, see Table 161 on page 351.

Table 155 IPSec Logs

LOGMESSAGE	DESCRIPTION
Discard REPLAY packet	The router received and discarded a packet with an incorrect sequence number.
Inbound packet authentication failed	The router received a packet that has been altered. A third party may have altered or tampered with the packet.
Receive IPSec packet, but no corresponding tunnel exists	The router dropped an inbound packet for which SPI could not find a corresponding phase 2 SA.
Rule <%d> idle time out, disconnect	The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chkconn" CI command to set the time period. The default value is 2 minutes.
WAN IP changed to <IP>	The router dropped all connections with the "MyIP" configured as "0.0.0.0" when the WAN IP address changed.

Table 156 IKE Logs

LOGMESSAGE	DESCRIPTION
Active connection allowed exceeded	The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.
Start Phase 2: Quick Mode	Phase 2 Quick Mode has started.
Verifying Remote ID failed:	The connection failed during IKE phase 2 because the router and the peer's Local/Remote Addresses don't match.
Verifying Local ID failed:	The connection failed during IKE phase 2 because the router and the peer's Local/Remote Addresses don't match.
IKE Packet Retransmit	The router retransmitted the last packet sent because there was no response from the peer.
Failed to send IKE Packet	An Ethernet error stopped the router from sending IKE packets.
Too many errors! Deleting SA	An SA was deleted because there were too many errors.
Phase 1 IKE SA process done	The phase 1 IKE SA process has been completed.
Duplicate requests with the same cookie	The router received multiple requests from the same peer while still processing the first IKE packet from the peer.
IKE Negotiation is in process	The router has already started negotiating with the peer for the connection, but the IKE process has not finished yet.
No proposal chosen	Phase 1 or phase 2 parameters don't match. Please check all protocols / settings. Ex. One device being configured for 3DES and the other being configured for DES causes the connection to fail.
Local / remote IPs of incoming request conflict with rule <%d>	The security gateway is set to “0.0.0.0” and the router used the peer's “Local Address” as the router's “Remote Address”. This information conflicted with static rule #d; thus the connection is not allowed.
Cannot resolve Secure Gateway Addr for rule <%d>	The router couldn't resolve the IP address from the domain name that was used for the secure gateway address.
Peer ID: <peer id> <My remote type> -<My local type>	The displayed ID information did not match between the two ends of the connection.
vs. My Remote <My remote> - <My remote>	The displayed ID information did not match between the two ends of the connection.
vs. My Local <My local>--<My local>	The displayed ID information did not match between the two ends of the connection.
Send <packet>	A packet was sent.
Recv <packet>	IKE uses ISAKMP to transmit data. Each ISAKMP packet contains many different types of payloads. All of them show in the LOG. Refer to RFC2408 - ISAKMP for a list of all ISAKMP payload types.
Recv <Main or Aggressive> Mode request from <IP>	The router received an IKE negotiation request from the peer address specified.
Send <Main or Aggressive> Mode request to <IP>	The router started negotiation with the peer.
Invalid IP <Peer local> / <Peer local>	The peer's "Local IP Address" is invalid.
Remote IP <Remote IP> / <Remote IP> conflicts	The security gateway is set to "0.0.0.0" and the router used the peer's "Local Address" as the router's "Remote Address". This information conflicted with static rule #d; thus the connection is not allowed.
Phase 1 ID type mismatch	This router's "Peer ID Type" is different from the peer IPSec router's "Local ID Type".
Phase 1 ID content mismatch	This router's "Peer ID Content" is different from the peer IPSec router's "Local ID Content".
No known phase 1 ID type found	The router could not find a known phase 1 ID in the connection attempt.
ID type mismatch. Local / Peer: <Local ID type/Peer ID type>	The phase 1 ID types do not match.
ID content mismatch	The phase 1 ID contents do not match.
Configured Peer ID Content: <Configured Peer ID Content>	The phase 1 ID contents do not match and the configured "Peer ID Content" is displayed.
Incoming ID Content: <Incoming Peer ID Content>	The phase 1 ID contents do not match and the incoming packet's ID content is displayed.
Unsupported local ID Type: <%d>	The phase 1 ID type is not supported by the router.
Build Phase 1 ID	The router has started to build the phase 1 ID.
Adjust TCP MSS to%d	The router automatically changed the TCP Maximum Segment Size value after establishing a tunnel.
Rule <%d> input idle time out, disconnect	The tunnel for the listed rule was dropped because there was no inbound traffic within the idle timeout period.
XAUTH succeed!Username: <Username>	The router used extended authentication to authenticate the listed username.
XAUTH fail!Username:<Username>	The router was not able to use extended authentication to authenticate the listed username.
Rule[%d] Phase 1 negotiation mode mismatch	The listed rule's IKE phase 1 negotiation mode did not match between the router and the peer.
Rule[%d] Phase 1 encryption algorithm mismatch	The listed rule's IKE phase 1 encryption algorithm did not match between the router and the peer.
Rule[%d] Phase 1 authentication algorithm mismatch	The listed rule's IKE phase 1 authentication algorithm did not match between the router and the peer.
Rule[%d] Phase 1 authentication method mismatch	The listed rule's IKE phase 1 authentication method did not match between the router and the peer.
Rule[%d] Phase 1 key group mismatch	The listed rule's IKE phase 1 key group did not match between the router and the peer.
Rule[%d] Phase 2 protocol mismatch	The listed rule's IKE phase 2 protocol did not match between the router and the peer.
Rule[%d] Phase 2 encryption algorithm mismatch	The listed rule's IKE phase 2 encryption algorithm did not match between the router and the peer.
Rule[%d] Phase 2 authentication algorithm mismatch	The listed rule's IKE phase 2 authentication algorithm did not match between the router and the peer.
Rule[%d] Phase 2 encapsulation mismatch	The listed rule's IKE phase 2 encapsulation did not match between the router and the peer.
Rule[%d]>Phase 2 pfs mismatch	The listed rule's IKE phase 2 perfect forward secret (pfs) setting did not match between the router and the peer.
Rule[%d] Phase 1 ID mismatch	The listed rule's IKE phase 1 ID did not match between the router and the peer.
Rule[%d] Phase 1 hash mismatch	The listed rule's IKE phase 1 hash did not match between the router and the peer.
Rule[%d] Phase 1 preshared key mismatch	The listed rule's IKE phase 1 pre-shared key did not match between the router and the peer.
Rule[%d] Tunnel built successfully	The listed rule's IPSec tunnel has been built successfully.
Rule[%d] Peer's public key not found	The listed rule's IKE phase 1 peer's public key was not found.
Rule[%d] Verify peer's signature failed	The listed rule's IKE phase 1 verification of the peer's signature failed.
Rule[%d] Sending IKE request	IKE sent an IKE request for the listed rule.
Rule[%d] Receiving IKE request	IKE received an IKE request for the listed rule.
Swap rule to rule[%d]	The router changed to using the listed rule.
Rule[%d] Phase 1 key length mismatch	The listed rule's IKE phase 1 key length (with the AES encryption algorithm) did not match between the router and the peer.
Rule[%d] phase 1 mismatch	The listed rule's IKE phase 1 did not match between the router and the peer.
Rule [%d] phase 2 mismatch	The listed rule's IKE phase 2 did not match between the router and the peer.
Rule [%d] Phase 2 key length mismatch	The listed rule's IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer.

Table 157 PKI Logs

LOGMESSAGE	DESCRIPTION
Enrollment successful	The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Enrollment failed	The SCEP online certificate enrollment failed. The Destination field records the certification authority server's IP address and port.
Failed to resolve <SCEP CA server url>	The SCEP online certificate enrollment failed because the certification authority server's address cannot be resolved.
Enrollment successful	The CMP online certificate enrollment was successful. The Destination field records the certification authority server's IP address and port.
Enrollment failed	The CMP online certificate enrollment failed. The Destination field records the certification authority server's IP address and port.
Failed to resolve <CMPCA server url>	The CMP online certificate enrollment failed because the certification authority server's IP address cannot be resolved.
Rcvd ca cert: <subjectname>	The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd user cert: <subjectname>	The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd CRL <size>: <issuer name>	The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd ARL <size>: <issuer name>	The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received ca cert	The router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received user cert	The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received CRL	The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received ARL	The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field.
Rcvd data <size> too large! Max size allowed: <max size>	The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded.
Cert trusted: <subject name>	The router has verified the path of the certificate with the listed subject name.
Due to <reason codes>, cert not trusted: <subject name>	Due to the reasons listed, the certificate with the listed subject name has not passed the path verification. The recorded reason codes are only approximate reasons for not trusting the certificate. Please see Table 158 on page 349 for the corresponding descriptions of the codes.

Table 158 Certificate Path Verification Failure Reason Codes

CODE	DESCRIPTION
1	Algorithm mismatch between the certificate and the search constraints.
2	Key usage mismatch between the certificate and the search constraints.
3	Certificate was not valid in the time interval.
4	(Not used)
5	Certificate is not valid.
6	Certificate signature was not verified correctly.
7	Certificate was revoked by a CRL.
8	Certificate was not added to the cache.
9	Certificate decoding failed.
10	Certificate was not found (anywhere).
11	Certificate chain looped (did not find trusted root).
12	Certificate contains critical extension that was not handled.
13	Certificate issuer was not valid (CA specific information missing).
14	(Not used)
15	CRL is too old.
16	CRL is not valid.
17	CRL signature was not verified correctly.
18	CRL was not found (anywhere).
19	CRL was not added to the cache.
20	CRL decoding failed.
21	CRL is not currently valid, but in the future.
22	CRL contains duplicate serial numbers.
23	Time interval is not continuous.
24	Time information not available.
25	Database method failed due to timeout.
26	Database method failed.
27	Path was not verified.
28	Maximum path length reached.

Table 159 802.1X Logs

LOGMESSAGE	DESCRIPTION
LocalUserDatabaseacceptsuser.	A user was authenticated by the local user database.
LocalUserDatabase reportscusercredential error.	A user was not authenticated by the local user database because of an incorrect user password.
LocalUserDatabase does notfind user‘s credential.	A user was not authenticated by the local user database because the user is not listed in the local user database.
RADIUSaccepts user.	A user was authenticated by the RADIUS Server.
RADIUS rejects user.Pls checkRADIUSServer.	A user was not authenticated by the RADIUS Server.Please check the RADIUS Server.
LocalUserDatabase does notsupport authentication method.	The local user database only supports the EAP-MD5method. A user tried to use another authenticationmethod and was not authenticated.
Userlogoutbecause of sessiontimeout expired.	The router logged out a user whose session expired.
Userlogout because of userdeassociation.	The router logged out a user who ended the session.
Userlogout because of noauthentication response fromuser.	The router logged out a user from which there was noauthentication response.
Userlogout because of idletimeout expired.	The router logged out a user whose idle timeout periodexpired.
Userlogout because of userrequest.	A user logged out.
LocalUserDatabase does notsupport authentication mothed.	A user tried to use an authentication method that the localuser database does not support (it only supports EAP-MD5).
No response from RADIUS.Plscheck RADIUSServer.	There is no response message from the RADIUS server,please check the RADIUS server.
UseLocalUserDatabase to authenticate user.	The local user database is operating as theauthentication server.
UseRADIUS to authenticate user.	The RADIUS server is operating as the authenticationserver.
NoServer to authenticate user.	There is no authentication server to authenticate a user.
LocalUserDatabase does notfind user‘s credential.	A user was not authenticated by the local user databasebecause the user is not listed in the local user database.

Table 160 ACL Setting Notes

PACKET DIRECTION	DIRECTION	DESCRIPTION
(L to W)	LAN to WAN	ACL set for packets traveling from the LAN to the WAN.
(W to L)	WAN to LAN	ACL set for packets traveling from the WAN to the LAN.
(L to L)	LAN to LAN/ZyXEL Device	ACL set for packets traveling from the LAN to the LAN or the ZyXEL Device.
(W to W)	WAN to WAN/ZyXEL Device	ACL set for packets traveling from the WAN to the WAN or the ZyXEL Device.

Table 161 ICMP Notes

TYPE	CODE	DESCRIPTION
0		Echo Reply
	0	Echo reply message
3		Destination Unreachable
	0	Net unreachable
	1	Host unreachable
	2	Protocol unreachable
	3	Port unreachable
	4	A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
	5	Source route failed
4		Source Quench
	0	A gateway may discard internet histograms if it does not have the buffer space needed to queue the histograms for output to the next network on the route to the destination network.
5		Redirect
	0	Redirect histograms for the Network
	1	Redirect histograms for the Host
	2	Redirect histograms for the Type of Service and Network
	3	Redirect histograms for the Type of Service and Host
8		Echo
	0	Echo message
11		Time Exceeded
	0	Time to live exceeded in transit
	1	Fragment reassembly time exceeded
12		Parameter Problem
	0	Pointer indicates the error
13		Timestamp
	0	Timestamp request message
14		Timestamp Reply
	0	Timestamp reply message
15		Information Request
	0	Information request message
16		Information Reply
	0	Information reply message

Table 162 Syslog Logs

LOGMESSAGE

DESCRIPTION

<Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address last three numbers>" cat="<category>

"This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the web MAIN MENU->LOGS->Log Settings page. The severity is the log's syslog class. The definition of messages and notes are defined in the various log charts throughout this appendix. The "devID" is the last three characters of the MAC address of the router's LAN port. The "cat" is the same as the category in the router's logs.

The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.

Table 163 RFC-2408 ISAKMP Payload Types

LOG DISPLAY	PAYLOAD TYPE
SA	Security Association
PROP	Proposal
TRANS	Transform
KE	Key Exchange
ID	Identification
CER	Certificate
CER_REQ	Certificate Request
HASH	Hash
SIG	Signature
NONCE	Nonce
NOTFY	Notification
DEL	Delete
VID	Vendor ID

Log Commands

Go to the command interpreter interface.

Configuring What You Want the ZyXEL Device to Log

1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyXEL Device is to record.
2 Use sys logs category to view a list of the log categories.

Figure 204 Displaying Log Categories Example

ras>? Valid commands are: sys exit ether aux ip ipsec bridge bm certificates cnm 8021x radius ras>

3 Use sys logs category followed by a log category to display the parameters that are available for the category.

Figure 205 Displaying Log Parameters Example

ras>sys logs category access Usage:[0:none/1:log/2:alert/3:both]

4 Use sys logs category followed by a log category and a parameter to decide what to record.

Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category. Not every parameter is available with every category.

5 Step 5.Use the sys logs save command to store the settings in the ZyXEL Device (you must do this in order to record logs).

Displaying Logs

Use the sys logs display command to show all of the logs in the ZyXEL Device's log.
Use the sys logs category display command to show the log settings for all of the log categories.
Use the sys logs display [log category] command to show the logs in an individual ZyXEL Device log category.
Use the sys logs clear command to erase all of the ZyXEL Device's logs.

Log Command Example

This example shows how to set the ZyXEL Device to record the access logs and alerts and then view the results.

ras>sys logs load ras>sys logs category access 3 ras>sys logs save ras>sys logs display access #.time source destination notes message 0|06/08/2004 05:58:21 |172.21.4.154 |224.0.1.24 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW) 1|06/08/2004 05:58:20 |172.21.3.56 |239.255.255.250 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW) 2|06/08/2004 05:58:20 |172.21.0.2 |239.255.255.254 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW) 3|06/08/2004 05:58:20 |172.21.3.191 |224.0.1.22 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW) 4|06/08/2004 05:58:20 |172.21.0.254 |224.0.0.1 ACCESS BLOCK Firewall default policy:IGMP (W to W/ZW) 5|06/08/2004 05:58:20 |172.21.4.187:137 |172.21.255.255:137 ACCESS BLOCK Firewall default policy: UDP (W to W/ZW)

APPENDIX K

Wireless LANs (wireless devices only)

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an Ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an Ad-hoc wireless LAN.

ZYXEL PRESTIGE 661H - Ad-hoc Wireless LAN Configuration - 1
Figure 206 Peer-to-Peer Communication in an Ad-hoc Network

BSS

A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP).

Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.

ZYXEL PRESTIGE 661H - BSS - 1
Figure 207 Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).

This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.

ZYXEL PRESTIGE 661H - ESS - 1
Figure 208 Infrastructure WLAN

Channel

A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance.

Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11.

RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.

ZYXEL PRESTIGE 661H - RTS/CTS - 1
Figure 209 RTS/CTS

ZYXEL PRESTIGE 661H - RTS/CTS - 2

When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

Preamble is used to signal that data is coming to the receiver.

Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11b/g compliant wireless adapters support long preamble, but not all support short preamble.

Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.

Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications.

Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble.

Note: The AP and the wireless adapters MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:

Table 164 IEEE 802.11g

DATA RATE (MBPS)	MODULATION
1	DBPSK (Differential Binary Phase Shift Keyed)
2	DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11	CCK (Complementary Code Keying)
6/9/12/18/24/36/48/54	OFDM (Orthogonal Frequency Division Multiplexing)

Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.

Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity.

The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.

Table 165 Wireless Security Levels

Security Level	Security Type
Least Secure Most Secure	Unique SSID (Default)
	Unique SSID with Hide SSID Enabled
	MAC Address Filtering
	WEP Encryption
	IEEE802.1x EAP with RADIUS Server Authentication
	Wi-Fi Protected Access (WPA)
	WPA2

Note: You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want to associate with it.

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

User based identification that allows for roaming.
Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

Authentication

Determines the identity of the users.

Authorization

Determines the network services available to authenticated users once they are connected to the network.

Accounting

Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

Access-Request

Sent by an access point requesting authentication.

Access-Reject

Sent by a RADIUS server rejecting access.

Access-Accept

Sent by a RADIUS server allowing access.

Access-Challenge

Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

Accounting-Request

Sent by the access point requesting accounting.

Accounting-Response

Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Types of Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP.

The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client 'proves' that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 166 Comparison of EAP Authentication Types

	EAP-MD5	EAP-TLS	EAP-TTLS	PEAP	LEAP
Mutual Authentication	No	Yes	Yes	Yes	Yes
Certificate – Client	No	Yes	Optional	Optional	No
Certificate – Server	No	Yes	Yes	Yes	No
Dynamic Key Exchange	No	Yes	Yes	Yes	Yes
Credential Integrity	None	Strong	Strong	Strong	Moderate
Deployment Difficulty	Easy	Hard	Moderate	Moderate	Moderate
Client Identity Protection	No	No	Yes	Yes	No

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it's still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of WEP)

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Wireless Client WPA Suppliers

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.

3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

ZYXEL PRESTIGE 661H - WPA(2) with RADIUS Application Example - 1
Figure 210 WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
2 The AP checks each wireless client's password and (only) allows it to join the network if the password matches.
3 The AP and wireless clients use the pre-shared key to generate a common PMK (Pairwise Master Key).
4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.

ZYXEL PRESTIGE 661H - WPA(2)-PSK Application Example - 1
Figure 211 WPA(2)-PSK Authentication

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type. MAC address filters are not dependent on how you configure these security features.

Table 167 Wireless Security Relational Matrix

AUTHENTICATION METHOD/ KEYMANAGEMENT PROTOCOL	ENCRYPTIONMETHOD	ENTERMANUAL KEY	IEEE 802.1X
Open	None	No	Disable
Open	None	No	Enable without Dynamic WEP Key
Open	WEP	No	Enable with Dynamic WEP Key
		Yes	Enable without Dynamic WEP Key
		Yes	Disable
Shared	WEP	No	Enable with Dynamic WEP Key
		Yes	Enable without Dynamic WEP Key
		Yes	Disable
WPA	TKIP/AES	No	Enable
WPA-PSK	TKIP/AES	Yes	Disable
WPA2	TKIP/AES	No	Enable
WPA2-PSK	TKIP/AES	Yes	Disable

APPENDIX L

Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:

Web browser pop-up windows from your device.
JavaScripts (enabled by default).
Java permissions (enabled by default).

Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device.

Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address.

Disable pop-up Blockers

1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

ZYXEL PRESTIGE 661H - Disable pop-up Blockers - 1
Figure 212 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

Figure 213 Internet Options
ZYXEL PRESTIGE 661H - Disable pop-up Blockers - 2
3 Click Apply to save this setting.

Enable pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings...to open the Pop-up Blocker Settings screen.

ZYXEL PRESTIGE 661H - Enable pop-up Blockers with Exceptions - 1
Figure 214 Internet Options

3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.

ZYXEL PRESTIGE 661H - Enable pop-up Blockers with Exceptions - 2
Figure 215 Pop-up Blocker Settings

5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.

JavaScript

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.

1 In Internet Explorer, click Tools, Internet Options and then the Security tab.

ZYXEL PRESTIGE 661H - JavaScript - 1
Figure 216 Internet Options

2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.

ZYXEL PRESTIGE 661H - JavaScript - 2
Figure 217 Security Settings - Java Scripting

Java Permissions

1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.

ZYXEL PRESTIGE 661H - Java Permissions - 1
Figure 218 Security Settings - Java

JAVA (Sun)

1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 make sure that Use Java 2 for under Java (Sun) is selected.
3 Click OK to close the window.

ZYXEL PRESTIGE 661H - JAVA (Sun) - 1
Figure 219 Java (Sun)

Index

Numerics

110V AC 6

230V AC 6

Basement 6

Basic wireless security 69

Blocking Time 176

Brute-force Attack, 149

BSS 355

BW Budget 242

A

Abnormal Working Conditions 7

AC 6

Accessories 6

Acts of God 7

Address Assignment 97

Address Resolution Protocol (ARP) 100

ADSL standards 35

Advanced Encryption Standard 364

AH 199

AH Protocol 203

Airflow 6

Alternative Subnet Mask Notation 321

Antenna gain 119

Any IP 36, 99

How it works 100

note 100

Any IP Setup 102

AP (access point) 357

Application-level Firewalls 146

applications

Internet access 39

ATM Adaptation Layer 5 (AAL5) 78

Attack Alert 177

Attack Types 150

Authentication Header 203

Authority 4

B

Backup Type 93

Bandwidth Management 235

Bandwidth Manager Class Configuration 241

Bandwidth Manager Monitor 245

Bandwidth Manager Summary 240

C

CA 362

Cables, Connecting 6

CBR (Continuous Bit Rate) 85, 90

Certificate Authority 362

Certifications 4

change password at login 46

Changes or Modifications 4

Channel 357

Interference 357

Channel ID 113

Charge 7

Circuit 4

Class B 4

Communications 4

compact 38

compact guide 45

Compliance, FCC 4

Components 7

Computer's IP Address 305

Condition 7

Configuration 96

Configuration Upload Successful 288, 289

Connecting Cables 6

Consequential Damages 7

Contact Information 8

Contacting Customer Support 8

Content Filtering 193

Categories 193

Schedule 194

Trusted computers 195

URL keyword blocking 193

Content filtering 193

content filtering 36

Correcting Interference 4

Corrosive Liquids 6

Covers 6

CTS (Clear to Send) 358

Custom Ports

Creating/Editing 168

Customer Support 8

Customized Services 167

Customized services 167

D

Dampness 6

Danger 6

Data Confidentiality 198

Data Integrity 198

Data Origin Authentication 198

Dealer 4

default LAN IP address 45

Defective 7

Denial of Service 146, 147, 176

Denmark, Contact Information 8

Destination Address 159

device model number 285

DH 218

DHCP 37,96,97,247,275

DHCP client 37

DHCP relay 37

DHCP server 37

diagnostic 291

Diffie-Hellman Key Groups 218

Disclaimer 3

Discretion 7

DNS 259

DNS Server

For VPN Host 208

Domain Name 97, 138, 275

Domain Name System 96

DoS 147

Basics 147

Types 148

DoS (Denial of Service) 36

DoS attacks, types of 148

DSL (Digital Subscriber Line) 301

DSL line, reinitialize 292

DSLAM (Digital Subscriber Line Access Multiplexer) 39

Dust 6

DynamicDNS37,247

dynamicDNS37

Dynamic Host Configuration Protocol 37

Dynamic Secure Gateway Address 205

Dynamic WEP Key Exchange 363

DYNDNS Wildcard 247

E

EAP Authentication 362

ECHO 138

Electric Shock 6

Electrical Pipes 6

E-Mail 131

embedded help 48

Encapsulated Routing Link Protocol (ENET ENCAP) 77

Encapsulation 77, 199

ENET ENCAP 77

PPP over Ethernet 77

PPP0A 78

RFC 148378

Encapsulation Security Payload 203

Encryption 197, 364

Equal Value 7

ESP 199

ESP Protocol 203

ESS 356

Ethernet 298

Europe 6

Exposure 6

Extended Service Set 356

Extended Service Set IDentification 113

Extended wireless security 69

F

Failure 7

Fairness-based Scheduler 237

FCC4

Compliance 4

Rules, Part 15 4

FCC Rules 4

Federal Communications Commission 4

Finger 138

Finland, Contact Information 8

Firewall

Access Methods 157

Address Type 166

Alerts 160

Anti-Probing 174

Creating/Editing Rules 164

Custom Ports 167

Enabling 162

Firewall Vs Filters 155

Guidelines For Enhancing Security 154

Introduction 146

LAN to WAN Rules 160

Policies 157

Rule Checklist 158

Rule Logic 158

Rule Security Ramifications 158

Services 172

Types 145

When To Use 156

firmware 285

upgrade 285

upload 285

upload error 286

Fitness 7

Fragmentation Threshold 358

Fragmentation threshold 358

France, Contact Information 8

FTP 137, 138, 251, 254

FTP Restrictions 251

Full Rate 42

Functionally Equivalent 7

G

Gas Pipes 6

General Setup 275

General wireless LAN screen 112

Germany, Contact Information 8

God, act of 7

H

Half-Open Sessions 176

Harmful Interference 4

Hidden node 357

High Voltage Points 6

Host 58, 276, 277

Host IDs 319

HTTP 138, 146, 147, 148

HTTP (Hypertext Transfer Protocol) 285

ZYXEL PRESTIGE 661H - H - 1

IANA 98

IANA (Internet Assigned Number Authority) 167

IBSS 355

ICMP echo 149

ID Type and Content 209

IEEE 802.11g 38, 359

IEEE 802.11i 38

IGMP 99

IKE Phases 216

Independent Basic Service Set 355

Indirect Damages 7

initialization vector (IV) 364

Inside Header 200

Install UPnP 265

Windows Me 265

Windows XP 267

Insurance 7

Integrated Services Digital Network 35

Interference 4

Interference Correction Measures 4

Interference Statement 4

Internet Access 36, 40

Internet access 60

Internet Access Setup 294

Internet access wizard setup 60

Internet Assigned Numbers AuthoritySee IANA 98

Internet Control Message Protocol (ICMP) 149, 174

Internet Key Exchange 216

Internet Protocol Security 197

IP Address 97, 138, 139, 140

IP Address Assignment 79

ENET ENCAP 79

PPPoA or PPPoE 79

RFC 1483 79

IP Addressing 319

IP alias 38

IP Classes 319

IP Pool 104

IP Pool Setup 96

IP protocol type 172

IP Spoofing 148, 151

IPSec 197

IPSec Algorithms 199, 203

IPSec and NAT 200

IPSec Architecture 199

ISDN (Integrated Services Digital Network) 35

K

Keep Alive 207

Key Fields For Configuring Rules 159

L

Labor 7

LAN Setup 77, 95

LAN TCP/IP 97

LAN to WAN Rules 160

LAND 148, 149

Legal Rights 7

Liability 3

License 3

Lightning 6

Liquids, Corrosive 6

Logs 281

M

MAC Address Filter Action 125

MAC Address Filtering 124

MAC Filter 124

Management Information Base (MIB) 256

Materials 7

Maximize Bandwidth Usage 237

Maximum Burst Size (MBS) 81, 86, 91

Max-incomplete High 176

Max-incomplete Low 176

Media Bandwidth Management 37

Merchantability 7

Message Integrity Check (MIC) 364

Metric 80

Modifications 4

Multicast 99

Multiplexing 78

multiplexing 78

LLC-based 78

VC-based 78

Multiprotocol Encapsulation 78

My IP Address 204

N

Nailed-Up Connection 79

NAT 97,138,139

Address mapping rule 143

Application 135

Definitions 133

How it works 134

Mapping Types 135

What it does 134

What NAT does 134

NAT (Network Address Translation) 133

NAT mode 137

NAT Traversal 263

NAT traversal 207

navigating the web configurator 47

Negotiation Mode 217

NetBIOS commands 150

Network Address Translation (NAT) 37

Network Management 138

Network Temporarily Disconnected 289

New 7

NNTP 138

North America 6

North America Contact Information 8

Norway, Contact Information 8

0

One-Minute High 176

Opening 6

Operating Condition 7

Out-dated Warranty 7

Outlet 4

Outside Header 200

P

Packet Filtering 155

Packet filtering

When to use 156

Packet Filtering Firewalls 145

Pairwise Master Key (PMK) 364, 366

Parts 7

Patent 3

Peak Cell Rate (PCR) 80, 86, 91

Perfect Forward Secrecy 218

Permission 3

PFS 218

Photocopying 3

Ping of Death 148

Pipes 6

Point to Point Protocol over ATM Adaptation Layer 5 (AAL5) 78

Point-to-Point 301

Point-to-Point Tunneling Protocol 138

Pool 6

POP3 138, 147, 148

Postage Prepaid. 7

Power Cord 6

PPPoE 77,337

Benefits 77

PPPoE (Point-to-Point Protocol over Ethernet) 37

PPTP 138

Preamble Mode 359

Pre-Shared Key 211

Priorities 126, 240

Priority 242

Priority-based Scheduler 236

Product Model 8

Product Page 4

Product Serial Number 8

Products 7

Proof of Purchase 7

Proper Operating Condition 7

Purchase, Proof of 7

Purchaser 7

Q

Qualified Service Personnel 6

Quick Start Guide 33

R

Radio Communications 4

Radio Frequency Energy 4

Radio Interference 4

Radio Reception 4

Radio Technician 4

RADIUS 361

Shared Secret Key 362

RADIUS Message Types 361

RADIUS Messages 361

Receiving Antenna 4

Registered 3

Registered Trademark 3

Regular Mail 8

reinitialize the ADSL line 292

s

SA 197

SafetyWarnings 6

Saving the State 151

Scheduler 236

Secure Gateway Address 205

Security Association 197

Security In General 154

Security Parameter Index 221

Security Parameters 367

Security Ramifications 158

Separation Between Equipment and Receiver 4

Serial Number 8

Server 135, 136, 278

Service 6, 7, 159

Service Personnel 6

Service Set 113

Service Type 168, 294

Services 138

Shipping 7

Shock, Electric 6

SMTP 138

Smurf 149, 150

SNMP 138,255

Manager 256

MIBs 256

Source Address 159

Spain, Contact Information 9

SPI 221

Splitters 42

Stateful Inspection 36, 145, 146, 151

Device 152

Process 152

Static Route 231

SUA 136

SUA (Single User Account) 136

SUA vs NAT 136

SubnetMask97,166

Subnet Masks 320

Subnetting 320

Supply Voltage 6

Support E-mail 8

Supporting Disk 33

Sustain Cell Rate (SCR) 86, 91

Sustained Cell Rate (SCR) 80

Sweden, Contact Information 9

Swimming Pool 6

SYN Flood 148, 149

SYN-ACK 149

Syntax Conventions 33

Syslog 171

System Name 276

System Timeout 252

T

Tampering 7

TCP Maximum Incomplete 176, 177

TCP Security 153

TCP/IP 147, 148

Teardrop 148

Telephone 8

Television Interference 4

Television Reception 4

Telnet 253

Temporal Key Integrity Protocol (TKIP) 364

TFTP Restrictions 251

Three-Way Handshake 148

Threshold Values 175

Thunderstorm 6

Traceroute 151

Trademark 3

Trademark Owners 3

Trademarks 3

Traffic Redirect 91, 92

Traffic redirect 91, 94

traffic redirect 36

Traffic shaping 80

Translation 3

Transmission Rates 36

Transport Mode 200

Triangle 160

Triangle Route Solutions 161

Tunnel Mode 200

TV Technician 4

U

UBR (Unspecified Bit Rate) 85, 90

UDP/ICMP Security 153

Undesired Operations 4

Universal Plug and Play 263

Application 263

Security issues 264

Universal Plug and Play (UPnP) 37

Universal Plug and Play Forum 264

UPnP 263

Upper Layer Protocols 153, 154

User Authentication 365

UserID 248

V

Value 7

VBR (Variable Bit Rate) 85, 90

Vendor 6

Ventilation Slots 6

Viewing Certifications 4

Virtual Channel Identifier (VCI) 78

virtual circuit (VC) 78

Virtual Path Identifier (VPI) 78

Virtual Private Network 197

Voltage Supply 6

Voltage, High 6

VPI & VCI 78

VPN 197

VPN Applications 198

W

Wall Mount 6

WAN (Wide Area Network) 77

WAN backup 92

WAN to LAN Rules 160

Warnings 6

Warranty 7

Warranty Information 8

Warranty Period 7

Water 6

Water Pipes 6

Web 252

Web Configurator 45, 47, 48, 146, 154, 159

web configurator screen summary 48

Web Site 8

WEP (Wired Equivalent Privacy) 39

WEP Encryption 116

WEP encryption 114

Wet Basement 6

Wi-Fi Multimedia QoS 126

Wi-Fi Protected Access 364

Wi-Fi Protected Access (WPA) 38

Wireless Client WPA Supplicants 365

Wireless LAN MAC Address Filtering 39

Wireless security 360

WLAN

Interference 357

Security parameters 367

Workmanship 7

Worldwide Contact Information 8

WPA 364

WPA2 364

WPA2-Pre-Shared Key 364

WPA2-PSK 364

WPA-PSK 364

Written Permission 3

WWW 131

Z

Zero Configuration Internet Access 36

Zero configuration Internet access 82

ZyNOS 3

ZyXEL Communications Corporation 3

ZyXEL Home Page 4

ZyXEL Limited Warranty Note 7

ZyXEL Network Operating System 3

ZyXEL_s Firewall Introduction 146

PRESTIGE 661H - Modem/Router ZYXEL - Free user manual and instructions

User questions about PRESTIGE 661H ZYXEL

USER MANUAL PRESTIGE 661H ZYXEL

User's Guide

Copyright

Disclaimer

Trademarks

Certifications

Federal Communications Commission (FCC) Interference Statement

Notice 1

SafetyWarnings

ZyXEL Limited Warranty

Note

Customer Support

Table of Contents

Chapter 3

Wizards 59

Chapter 4

WAN Setup 77

Chapter 5 LAN Setup 95

Chapter 6 Wireless LAN 109

Chapter 7 Network Address Translation (NAT) Screens 133

Chapter 8

Firewalls 145

Chapter 9

Firewall Configuration 157

Chapter 10 Trend Micro Security Services. 179

Chapter 11 Content Filtering 193

Chapter 12 Introduction to IPsec 197

Chapter 13 VPN Screens 203

Chapter 14

Chapter 15

Chapter 16

Chapter 17

Chapter 18

Chapter 19

Chapter 20

Chapter 21

Chapter 22

Chapter 23

Appendix A

Appendix B

Appendix C

Appendix D

Appendix E

Appendix F

Command Interpreter 327

Appendix G

Firewall Commands 329

Appendix H

NetBIOS Filter Commands 335

Appendix I

PPPoE 337

Appendix J

Log Descriptions 339

Appendix K

Wireless LANs (wireless devices only) 355

Appendix L

List of Figures

List of Tables

Preface

About This User's Guide

Syntax Conventions

Related Documentation

User Guide Feedback

Graphics Icons Key

CHAPTER 1

Getting To Know Your ZyXEL Device

1.1 Introducing the ZyXEL Device

1.2 Features

High Speed Internet Access

Triple Play Service

Zero Configuration Internet Access

Any IP

Firewall

Content Filtering

Traffic Redirect

Media Bandwidth Management

Universal Plug and Play (UPnP)

PPPoE (RFC2516)