ZyXEL Communications MAX208M2W WiMAX Indoor VoIP Wi-Fi IAD User Manual MAX208M2W Users guide

ZyXEL Communications Corporation WiMAX Indoor VoIP Wi-Fi IAD MAX208M2W Users guide

User Manual Part 2

Chapter 14 Product Specifications

14.1 Wall-Mounting

This section shows you how to mount your MAX208M2W Series on a wall using the ZyXEL Wall-Mounting kit (not included).

14.1.1 The Wall-Mounting Kit

The wall-mounting kit contains the following parts:

1. Two Mortar Plugs (M4*L30 mm)
2. Two Screws (M4*L30 mm)
3. Wall-Mounting Chassis

If any parts are missing, contact your vendor.

14.1.2 Instructions

To mount the MAX208M2W Series on a wall:

1. Select a position free of obstructions on a sturdy wall.
2. Drill two holes in the wall exactly 70 mm apart. The holes should be 6 mm wide and at least 30 mm deep.

   Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws.

3. Attach the wall mounting chassis with the plugs and screws as shown below:
4. Connect the MAX208M2W Series to the wall mounting chassis by snapping the chassis' two upper chassis hooks into the matching holes on the MAX208M2W Series:

   Do not pinch or sever the cable connections between the wall-mounting chassis and the MAX208M2W Series.

5. Snap the lower chassis hooks into the matching holes on the MAX208M2W Series. The cable connections should come out either the left or right gaps between the wall-mounting chassis and the MAX208M2W Series.
6. Once you have snapped the wall-mounting chassis in place, the MAX208M2W Series is securely fastened to the wall.
APPENDIX A WiMAX Security

Wireless security is vital to protect your wireless communications. Without it, information transmitted over the wireless network would be accessible to any networking device within range.

User Authentication and Data Encryption

The WiMAX (IEEE 802.16) standard employs user authentication and encryption to ensure secured communication at all times.

User authentication is the process of confirming a user's identity and level of authorization. Data encryption is the process of encoding information so that it cannot be read by anyone who does not know the code.

WiMAX uses PKMv2 (Privacy Key Management version 2) for authentication, and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol) for data encryption.

WiMAX supports EAP (Extensible Authentication Protocol, RFC 2486) which allows additional authentication methods to be deployed with no changes to the base station or the mobile or subscriber stations.

PKMv2

PKMv2 is a procedure that allows authentication of a mobile or subscriber station and negotiation of a public key to encrypt traffic between the MS/SS and the base station. PKMv2 uses standard EAP methods such as Transport Layer Security (EAP-TLS) or Tunneled TLS (EAP-TTLS) for secure communication.

In cryptography, a "key" is a piece of information, typically a string of random numbers and letters, that can be used to "lock" (encrypt) or "unlock" (decrypt) a message. Public key encryption uses key pairs, which consist of a public (freely available) key and a private (secret) key. The public key is used for encryption and the private key is used for decryption. You can decrypt a message only if you have the private key. Public key certificates (or "digital IDs") allow users to verify each other's identity.
RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The base station is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

• Authentication
  Determines the identity of the users.
• Authorization
  Determines the network services available to authenticated users once they are connected to the network.
• Accounting
  Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your base station acts as a message relay between the MS/SS and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user authentication:

• Access-Request
  Sent by a base station requesting authentication.
• Access-Reject
  Sent by a RADIUS server rejecting access.
• Access-Accept
  Sent by a RADIUS server allowing access.
• Access-Challenge
  Sent by a RADIUS server requesting more information in order to allow access. The base station sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user accounting:

• Accounting-Request
  Sent by the base station requesting accounting.
• Accounting-Response
  Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Diameter

Diameter (RFC 3588) is a type of AAA server that provides several improvements over RADIUS in efficiency, security, and support for roaming.

Security Association

The set of information about user authentication and data encryption between two computers is known as a security association (SA). In a WiMAX network, the process of security association has three stages.

• Authorization request and reply
  The MS/SS presents its public certificate to the base station. The base station verifies the certificate and sends an authentication key (AK) to the MS/SS.
• Key request and reply
  The MS/SS requests a transport encryption key (TEK) which the base station generates and encrypts using the authentication key.
• Encrypted traffic
  The MS/SS decrypts the TEK (using the authentication key). Both stations can now securely encrypt and decrypt the data flow.

CCMP

All traffic in a WiMAX network is encrypted using CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol). CCMP is based on the 128-bit Advanced Encryption Standard (AES) algorithm.

"Counter mode" refers to the encryption of each block of plain text with an arbitrary number, known as the counter. This number changes each time a block of plain text is encrypted. Counter mode avoids the security weakness of repeated identical blocks of encrypted text that makes encrypted data vulnerable to pattern-spotting.

"Cipher Block Chaining Message Authentication" (also known as CBC-MAC) ensures message integrity by encrypting each block of plain text in such a way that its encryption is dependent on the block before it. This series of "chained" blocks creates a message authentication code (MAC or CMAC) that ensures the encrypted data has not been tampered with.
Authentication

The MAX208M2W Series supports EAP-TTLS authentication.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection (with EAP-TLS digital certifications are needed by both the server and the wireless clients for mutual authentication). Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
APPENDIX B Setting Up Your Computer's IP Address

Note: Your specific ZyXEL device may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported.

This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network. Windows Vista/XP/2000, Mac OS 9/OS X, and all versions of UNIX/LINUX include the software components you need to use TCP/IP on your computer.

If you manually assign IP information instead of using a dynamic IP, make sure that your network's computers have IP addresses that place them in the same subnet.

In this appendix, you can set up an IP address for:

• Windows XP/NT/2000
• Windows Vista
• Mac OS X: 10.3 and 10.4
• Mac OS X: 10.5
• Linux: Ubuntu 8 (GNOME)
• Linux: openSUSE 10.3 (KDE)
Windows XP/NT/2000

The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT.

1. Click Start > Control Panel.

   Figure 101 Windows XP: Start Menu

2. In the Control Panel, click the Network Connections icon.

   Figure 102 Windows XP: Control Panel

3. Right-click Local Area Connection and then select Properties.

   Figure 103 Windows XP: Control Panel > Network Connections > Properties

4. On the General tab, select Internet Protocol (TCP/IP) and then click Properties.

   Figure 104 Windows XP: Local Area Connection Properties

5. The Internet Protocol TCP/IP Properties window opens.

   Figure 105 Windows XP: Internet Protocol (TCP/IP) Properties

6. Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.

   Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.

7. Click OK to close the Internet Protocol (TCP/IP) Properties window.

   Click OK to close the Local Area Connection Properties window.

Verifying Settings

1. Click Start > All Programs > Accessories > Command Prompt.
2. In the Command Prompt window, type "ipconfig" and then press [ENTER].

You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.
Windows Vista

This section shows screens from Windows Vista Professional.

1. Click Start > Control Panel.

   Figure 106 Windows Vista: Start Menu

2. In the Control Panel, click the Network and Internet icon.

   Figure 107 Windows Vista: Control Panel

3. Click the Network and Sharing Center icon.

   Figure 108 Windows Vista: Network And Internet

4. Click Manage network connections.

   Figure 109 Windows Vista: Network and Sharing Center

5. Right-click Local Area Connection and then select Properties.

   Figure 110 Windows Vista: Network and Sharing Center

   Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.

6. Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties.

   Figure 111 Windows Vista: Local Area Connection Properties

7. The Internet Protocol Version 4 (TCP/IPv4) Properties window opens.

   Figure 112 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties

8. Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.

   Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click Advanced.

9. Click OK to close the Internet Protocol (TCP/IP) Properties window.

   Click OK to close the Local Area Connection Properties window.

Verifying Settings

1. Click Start > All Programs > Accessories > Command Prompt.
2. In the Command Prompt window, type "ipconfig" and then press [ENTER].

You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.
Mac OS X: 10.3 and 10.4

The screens in this section are from Mac OS X 10.4 but can also apply to 10.3.

1. Click Apple > System Preferences.

   Figure 113 Mac OS X 10.4: Apple Menu

2. In the System Preferences window, click the Network icon.

   Figure 114 Mac OS X 10.4: System Preferences

3. When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure.

   Figure 115 Mac OS X 10.4: Network Preferences

4. For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab.

   Figure 116 Mac OS X 10.4: Network Preferences > TCP/IP Tab.

5. For statically assigned settings, do the following:

   • From the Configure IPv4 list, select Manually.
   • In the IP Address field, type your IP address.
   • In the Subnet Mask field, type your subnet mask.
   • In the Router field, type the IP address of your device.

   Figure 117 Mac OS X 10.4: Network Preferences > Ethernet

Click Apply Now and close the window.

Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab.

Figure 118 Mac OS X 10.4: Network Utility
Mac OS X: 10.5

The screens in this section are from Mac OS X 10.5.

1. Click Apple > System Preferences.

   Figure 119 Mac OS X 10.5: Apple Menu

2. In System Preferences, click the Network icon.

   Figure 120 Mac OS X 10.5: Systems Preferences

3. When the Network preferences pane opens, select Ethernet from the list of available connection types.

   Figure 121 Mac OS X 10.5: Network Preferences > Ethernet

4. From the Configure list, select Using DHCP for dynamically assigned settings.
5. For statically assigned settings, do the following:

   • From the Configure list, select Manually.
   • In the IP Address field, enter your IP address.
   • In the Subnet Mask field, enter your subnet mask.
   • In the Router field, enter the IP address of your MAX208M2W Series.

   Figure 122 Mac OS X 10.5: Network Preferences > Ethernet

6. Click Apply and close the window.

Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab.

Figure 123 Mac OS X 10.5: Network Utility

Linux: Ubuntu 8 (GNOME)

This section shows you how to configure your computer's TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default Ubuntu 8 installation.

Note: Make sure you are logged in as the root administrator.

Follow the steps below to configure your computer IP address in GNOME:
1. Click System > Administration > Network.

   Figure 124 Ubuntu 8: System > Administration Menu

2. When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password.

   Figure 125 Ubuntu 8: Network Settings > Connections

3. In the Authenticate window, enter your admin account name and password then click the Authenticate button.

   Figure 126 Ubuntu 8: Administrator Account Authentication

4. In the Network Settings window, select the connection that you want to configure, then click Properties.

   Figure 127 Ubuntu 8: Network Settings > Connections

5. The Properties dialog box opens.

   Figure 128 Ubuntu 8: Network Settings > Properties

   • In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address.
   • In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields.

6. Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen.
7. If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided.

   Figure 129 Ubuntu 8: Network Settings > DNS

8. Click the Close button to apply the changes.

Verifying Settings

Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices tab. The Interface Statistics column shows data if your connection is working properly.

Figure 130 Ubuntu 8: Network Tools
Linux: openSUSE 10.3 (KDE)

This section shows you how to configure your computer's TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default openSUSE 10.3 installation.

Note: Make sure you are logged in as the root administrator.

Follow the steps below to configure your computer IP address in the KDE:

1. Click K Menu > Computer > Administrator Settings (YaST).

   Figure 131 openSUSE 10.3: K Menu > Computer Menu

2. When the Run as Root - KDE su dialog opens, enter the admin password and click OK.

   Figure 132 openSUSE 10.3: K Menu > Computer Menu

3. When the YaST Control Center window opens, select Network Devices and then click the Network Card icon.

   Figure 133 openSUSE 10.3: YaST Control Center

4. When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button.

   Figure 134 openSUSE 10.3: Network Settings

5. When the Network Card Setup window opens, click the Address tab.

   Figure 135 openSUSE 10.3: Network Card Setup

6. Select Dynamic Address (DHCP) if you have a dynamic IP address.

   Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields.

7. Click Next to save the changes and close the Network Card Setup window.
8. If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided.

   Figure 136 openSUSE 10.3: Network Settings

9. Click Finish to save your settings and close the window.

Verifying Settings

Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information.

Figure 137 openSUSE 10.3: KNetwork Manager

When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly.

Figure 138 openSUSE: Connection Status - KNetwork Manager
APPENDIX C Pop-up Windows, JavaScript and Java Permissions

In order to use the web configurator you need to allow:

• Web browser pop-up windows from your device.
• JavaScript (enabled by default).
• Java permissions (enabled by default).

Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address.

Disable Pop-up Blockers

1. In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

   Figure 139 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1. In Internet Explorer, select Tools, Internet Options, Privacy.
2. Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

   Figure 140 Internet Options: Privacy

3. Click Apply to save this setting.

Enable Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1. In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2. Select Settings to open the Pop-up Blocker Settings screen.

   Figure 141 Internet Options: Privacy

3. Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.167.1.
4. Click Add to move the IP address to the list of Allowed sites.

   Figure 142 Pop-up Blocker Settings

5. Click Close to return to the Privacy screen.
6. Click Apply to save this setting.

JavaScript

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScript is allowed.

1. In Internet Explorer, click Tools, Internet Options and then the Security tab.

   Figure 143 Internet Options: Security

2. Click the Custom Level... button.
3. Scroll down to Scripting.
4. Under Active scripting make sure that Enable is selected (the default).
5. Under Scripting of Java applets make sure that Enable is selected (the default).
6. Click OK to close the window.

   Figure 144 Security Settings - Java Scripting

Java Permissions

1. From Internet Explorer, click Tools, Internet Options and then the Security tab.
2. Click the Custom Level... button.
3. Scroll down to Microsoft VM.
4. Under Java permissions make sure that a safety level is selected.
5. Click OK to close the window.

   Figure 145 Security Settings - Java

JAVA (Sun)

1. From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2. Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3. Click OK to close the window.

   Figure 146 Java (Sun)

Mozilla Firefox

Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary.

You can enable Java, Javascript and pop-ups in one screen. Click Tools, then click Options in the screen that appears.

Figure 147 Mozilla Firefox: TOOLS > Options

Click Content to show the screen below. Select the check boxes as shown in the following screen.

Figure 148 Mozilla Firefox Content Security
APPENDIX D IP Addresses and Subnetting

This appendix introduces IP addresses and subnet masks.

IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

Introduction to IP Addresses

One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.

Structure

An IP address is made up of four parts, written in dotted decimal notation (for example, ). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation).

Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.
The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.

Figure 149 Network Number and Host ID

How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term "subnet" is short for "sub-network".

A subnet mask has 32 bits. If a bit in the subnet mask is a "1" then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is "0" then the corresponding bit in the IP address is part of the host ID.

The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).

Table 88 IP Address Network Number and Host ID Example

                        1ST OCTET:  2ND OCTET:  3RD OCTET:  4TH OCTET
                        (192)       (168)       (1)         (2)
IP Address (Binary)     11000000    10101000    00000001    00000010
Subnet Mask (Binary)    11111111    11111111    11111111    00000000
Network Number          11000000    10101000    00000001
Host ID                                                     00000010
By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Subnet masks can be referred to by the size of the network number part (the bits with a "1" value). For example, an "8-bit mask" means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.

Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.

Table 89 Subnet Masks

              BINARY                                        DECIMAL
              1ST OCTET  2ND OCTET  3RD OCTET  4TH OCTET
8-bit mask    11111111   00000000   00000000   00000000     255.0.0.0
16-bit mask   11111111   11111111   00000000   00000000     255.255.0.0
24-bit mask   11111111   11111111   11111111   00000000     255.255.255.0
29-bit mask   11111111   11111111   11111111   11111000     255.255.255.248

Network Size

The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits.

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example).

As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:

Table 90 Maximum Host Numbers

SUBNET MASK                   HOST ID SIZE                 MAXIMUM NUMBER OF HOSTS
8 bits    255.0.0.0           24 bits   $2^{24} - 2$       16777214
16 bits   255.255.0.0         16 bits   $2^{16} - 2$       65534
24 bits   255.255.255.0       8 bits    $2^{8} - 2$        254
29 bits   255.255.255.248     3 bits    $2^{3} - 2$        6
Notation

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/" followed by the number of bits in the mask after the address.

For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128.

The following table shows some possible subnet masks using both notations.

Table 91 Alternative Subnet Mask Notation

SUBNET MASK        ALTERNATIVE NOTATION   LAST OCTET (BINARY)   LAST OCTET (DECIMAL)
255.255.255.0      /24                    0000 0000             0
255.255.255.128    /25                    1000 0000             128
255.255.255.192    /26                    1100 0000             192
255.255.255.224    /27                    1110 0000             224
255.255.255.240    /28                    1111 0000             240
255.255.255.248    /29                    1111 1000             248
255.255.255.252    /30                    1111 1100             252

Subnetting

You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.

In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of $2^{8} - 2$ or 254 possible hosts.
The following figure shows the company network before subnetting.

Figure 150 Subnetting Example: Before Subnetting

You can "borrow" one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25).

The "borrowed" host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25.

The following figure shows the company network after subnetting. There are now two sub-networks, A and B.

Figure 151 Subnetting Example: After Subnetting

In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of $2^{7} - 2$ or 126 possible hosts (a host ID of all zeroes is the subnet's address itself, all ones is the subnet's broadcast address).

192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126.

Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to "borrow" two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.
Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet's broadcast address).

Table 92   Subnet 1

IP/SUBNET MASK         NETWORK NUMBER                LAST OCTET BIT VALUE
IP Address (Decimal)   192.168.1.                    0
IP Address (Binary)    11000000.10101000.00000001.   00000000
Subnet Mask (Binary)   11111111.11111111.11111111.   11000000
Subnet Address: 192.168.1.0        Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63    Highest Host ID: 192.168.1.62

Table 93   Subnet 2

IP/SUBNET MASK         NETWORK NUMBER                LAST OCTET BIT VALUE
IP Address             192.168.1.                    64
IP Address (Binary)    11000000.10101000.00000001.   01000000
Subnet Mask (Binary)   11111111.11111111.11111111.   11000000
Subnet Address: 192.168.1.64       Lowest Host ID: 192.168.1.65
Broadcast Address: 192.168.1.127   Highest Host ID: 192.168.1.126

Table 94   Subnet 3

IP/SUBNET MASK         NETWORK NUMBER                LAST OCTET BIT VALUE
IP Address             192.168.1.                    128
IP Address (Binary)    11000000.10101000.00000001.   10000000
Subnet Mask (Binary)   11111111.11111111.11111111.   11000000
Subnet Address: 192.168.1.128      Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191   Highest Host ID: 192.168.1.190

Table 95   Subnet 4

IP/SUBNET MASK         NETWORK NUMBER                LAST OCTET BIT VALUE
IP Address             192.168.1.                    192
IP Address (Binary)    11000000.10101000.00000001.   11000000
Subnet Mask (Binary)   11111111.11111111.11111111.   11000000
Subnet Address: 192.168.1.192      Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255   Highest Host ID: 192.168.1.254

Example: Eight Subnets

Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111).

The following table shows IP address last octet values for each subnet.

Table 96   Eight Subnets

SUBNET   SUBNET ADDRESS   FIRST ADDRESS   LAST ADDRESS   BROADCAST ADDRESS
1        0                1               30             31
2        32               33              62             63
3        64               65              94             95
4        96               97              126            127
5        128              129             158            159
6        160              161             190            191
7        192              193             222            223
8        224              225             254            255

Subnet Planning

The following table is a summary for subnet planning on a network with a 24-bit network number.

Table 97   24-bit Network Number Subnet Planning

NO. "BORROWED" HOST BITS   SUBNET MASK             NO. SUBNETS   NO. HOSTS PER SUBNET
1                          255.255.255.128 (/25)   2             126
2                          255.255.255.192 (/26)   4             62
3                          255.255.255.224 (/27)   8             30
4                          255.255.255.240 (/28)   16            14
5                          255.255.255.248 (/29)   32            6
6                          255.255.255.252 (/30)   64            2
7                          255.255.255.254 (/31)   128           1
The following table is a summary for subnet planning on a network with a 16-bit network number.

Table 98   16-bit Network Number Subnet Planning

NO. "BORROWED" HOST BITS   SUBNET MASK             NO. SUBNETS   NO. HOSTS PER SUBNET
1                          255.255.128.0 (/17)     2             32766
2                          255.255.192.0 (/18)     4             16382
3                          255.255.224.0 (/19)     8             8190
4                          255.255.240.0 (/20)     16            4094
5                          255.255.248.0 (/21)     32            2046
6                          255.255.252.0 (/22)     64            1022
7                          255.255.254.0 (/23)     128           510
8                          255.255.255.0 (/24)     256           254
9                          255.255.255.128 (/25)   512           126
10                         255.255.255.192 (/26)   1024          62
11                         255.255.255.224 (/27)   2048          30
12                         255.255.255.240 (/28)   4096          14
13                         255.255.255.248 (/29)   8192          6
14                         255.255.255.252 (/30)   16384         2
15                         255.255.255.254 (/31)   32768         1

Configuring IP Addresses

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the MAX208M2W Series.

Once you have decided on the network number, pick an IP address for your MAX208M2W Series that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your MAX208M2W Series will compute the subnet mask automatically based on the IP
address that you entered. You don't need to change the subnet mask computed by the MAX208M2W Series unless you are instructed to do otherwise.

Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:

- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

IP Address Conflicts

Each device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network.

Conflicting Computer IP Addresses Example

Two or more devices cannot use the same IP address. In the following example, computer A has a static (or fixed) IP address that is the same as the IP address that a DHCP server assigns to computer B, which is a DHCP client. Neither can access the Internet. This problem can be solved by assigning a different static IP
address to computer A or setting computer A to obtain an IP address automatically.

Figure 152   Conflicting Computer IP Addresses Example

Conflicting Router IP Addresses Example

Since a router connects different networks, it must have interfaces using different network numbers. For example, if a router is set between a LAN and the Internet (WAN), the router's LAN and WAN addresses must be on different subnets. In the following example, the LAN and WAN are on the same subnet. The LAN computers cannot access the Internet because the router cannot route between networks.

Figure 153   Conflicting Computer IP Addresses Example

Conflicting Computer and Router IP Addresses Example

Two or more devices cannot use the same IP address. In the following example, the computer and the router's LAN port both use 192.168.1.1 as the IP address.
The computer cannot access the Internet. This problem can be solved by assigning a different IP address to the computer or the router's LAN port.

Figure 154   Conflicting Computer and Router IP Addresses Example
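The subnet arithmetic in this appendix and the three address-conflict cases it describes can be checked with a short script. The following Python sketch is an added example, not part of the ZyXEL manual; the function names (split_network, is_private, find_conflicts) and the sample hosts are constructed for illustration.

```python
import ipaddress

# The three private address blocks listed in this appendix.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_network(network, borrowed_bits):
    """Divide `network` into subnets by borrowing host ID bits.

    Returns one dict per subnet: subnet address, mask, lowest and highest
    assignable host, broadcast address and the 2^n - 2 host count.
    """
    net = ipaddress.ip_network(network)
    host_bits = net.max_prefixlen - net.prefixlen - borrowed_bits
    if borrowed_bits < 1 or host_bits < 2:
        # Assumption of this example: stop while at least 2 host bits remain,
        # so the all-zeroes (subnet) and all-ones (broadcast) host IDs can be
        # set aside and assignable hosts are still left.
        raise ValueError("borrowed_bits leaves no assignable hosts")
    plan = []
    for sub in net.subnets(prefixlen_diff=borrowed_bits):
        plan.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "lowest_host": str(sub.network_address + 1),
            "highest_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "hosts": 2 ** host_bits - 2,
        })
    return plan


def is_private(address):
    """True if `address` falls inside one of the private blocks above."""
    addr = ipaddress.ip_address(address)
    return any(addr in block for block in PRIVATE_BLOCKS)


def find_conflicts(hosts, router):
    """Report the addressing mistakes described under IP Address Conflicts.

    hosts:  {device name: "ip/prefix"}
    router: {"lan": "ip/prefix", "wan": "ip/prefix"}
    """
    findings = []
    assigned = dict(hosts)
    assigned["router-lan"] = router["lan"]  # the LAN port is a device too
    by_ip = {}
    for name, cidr in assigned.items():
        iface = ipaddress.ip_interface(cidr)
        by_ip.setdefault(str(iface.ip), []).append(name)
        net = iface.network
        # A host must not be given the subnet or broadcast address.
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(("reserved-address", name, str(iface.ip)))
    for ip, names in sorted(by_ip.items()):
        if len(names) > 1:
            findings.append(("duplicate-ip", ip, sorted(names)))
    # A router cannot route between LAN and WAN if both are one subnet.
    lan = ipaddress.ip_interface(router["lan"]).network
    wan = ipaddress.ip_interface(router["wan"]).network
    if lan.overlaps(wan):
        findings.append(("router-same-subnet", str(lan), str(wan)))
    return findings


# Constructed sample data (not taken from the manual's figures).
SAMPLE_HOSTS = {
    "computer-a": "192.168.1.1/24",    # same address as the router LAN port
    "computer-b": "192.168.1.33/24",
    "server": "192.168.1.127/25",      # broadcast address of subnet A
}
SAMPLE_ROUTER = {"lan": "192.168.1.1/24", "wan": "192.168.1.200/24"}

if __name__ == "__main__":
    for row in split_network("192.168.1.0/24", 2):
        print(row)
    for finding in find_conflicts(SAMPLE_HOSTS, SAMPLE_ROUTER):
        print(finding)
```

Run against an address plan before you configure devices, the duplicate and same-subnet findings point at the entries that would leave computers unable to reach the Internet.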
APPENDIX E   Importing Certificates

This appendix shows you how to import public key certificates into your web browser.

Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.

Many ZyXEL products, such as the NSA-2401, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority.

Note: You can see if you are browsing on a secure website if the URL in your web browser's address bar begins with https:// or there is a sealed padlock icon somewhere in the main browser window (not all browsers show the padlock in the same location).

In this appendix, you can import a public key certificate for:

- Internet Explorer
- Firefox
- Opera
- Konqueror
Internet Explorer

The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, the screens can also apply to Internet Explorer on Windows Vista.

1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

Figure 155   Internet Explorer 7: Certification Error

2 Click Continue to this website (not recommended).

Figure 156   Internet Explorer 7: Certification Error

3 In the Address Bar, click Certificate Error > View certificates.

Figure 157   Internet Explorer 7: Certificate Error

4 In the Certificate dialog box, click Install Certificate.

Figure 158   Internet Explorer 7: Certificate

5 In the Certificate Import Wizard, click Next.

Figure 159   Internet Explorer 7: Certificate Import Wizard

6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.

Figure 160   Internet Explorer 7: Certificate Import Wizard

7 Otherwise, select Place all certificates in the following store and then click Browse.

Figure 161   Internet Explorer 7: Certificate Import Wizard

8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.

Figure 162   Internet Explorer 7: Select Certificate Store

9 In the Completing the Certificate Import Wizard screen, click Finish.

Figure 163   Internet Explorer 7: Certificate Import Wizard

10 If you are presented with another Security Warning, click Yes.

Figure 164   Internet Explorer 7: Security Warning

11 Finally, click OK when presented with the successful certificate installation message.

Figure 165   Internet Explorer 7: Certificate Import Wizard

12 The next time you start Internet Explorer and go to a ZyXEL web configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information.

Figure 166   Internet Explorer 7: Website Identification
Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Double-click the public key certificate file.

Figure 167   Internet Explorer 7: Public Key Certificate File

2 In the security warning dialog box, click Open.

Figure 168   Internet Explorer 7: Open File - Security Warning

3 Refer to steps 4-12 in the Internet Explorer procedure to complete the installation process.
Removing a Certificate in Internet Explorer

This section shows you how to remove a public key certificate in Internet Explorer 7.

1 Open Internet Explorer and click TOOLS > Internet Options.

Figure 169   Internet Explorer 7: Tools Menu

2 In the Internet Options dialog box, click Content > Certificates.

Figure 170   Internet Explorer 7: Internet Options

3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.

Figure 171   Internet Explorer 7: Certificates

4 In the Certificates confirmation, click Yes.

Figure 172   Internet Explorer 7: Certificates

5 In the Root Certificate Store dialog box, click Yes.

Figure 173   Internet Explorer 7: Root Certificate Store

6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Firefox

The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.

1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Select Accept this certificate permanently and click OK.

Figure 174   Firefox 2: Website Certified by an Unknown Authority

3 The certificate is stored and you can now connect securely to the web configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page's security information.

Figure 175   Firefox 2: Page Info
Installing a Stand-Alone Certificate File in Firefox

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Firefox and click TOOLS > Options.

Figure 176   Firefox 2: Tools Menu

2 In the Options dialog box, click ADVANCED > Encryption > View Certificates.

Figure 177   Firefox 2: Options

3 In the Certificate Manager dialog box, click Web Sites > Import.

Figure 178   Firefox 2: Certificate Manager

4 Use the Select File dialog box to locate the certificate and then click Open.

Figure 179   Firefox 2: Select File

5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information.
Removing a Certificate in Firefox

This section shows you how to remove a public key certificate in Firefox 2.

1 Open Firefox and click TOOLS > Options.

Figure 180   Firefox 2: Tools Menu

2 In the Options dialog box, click ADVANCED > Encryption > View Certificates.

Figure 181   Firefox 2: Options

3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.

Figure 182   Firefox 2: Certificate Manager

4 In the Delete Web Site Certificates dialog box, click OK.

Figure 183   Firefox 2: Delete Web Site Certificates

5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Opera

The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms.

1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Click Install to accept the certificate.

Figure 184   Opera 9: Certificate signer not found

3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.

Figure 185   Opera 9: Security information
Installing a Stand-Alone Certificate File in Opera

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Opera and click TOOLS > Preferences.

Figure 186   Opera 9: Tools Menu

2 In Preferences, click ADVANCED > Security > Manage certificates.

Figure 187   Opera 9: Preferences

3 In the Certificates Manager, click Authorities > Import.

Figure 188   Opera 9: Certificate manager

4 Use the Import certificate dialog box to locate the certificate and then click Open.

Figure 189   Opera 9: Import certificate

5 In the Install authority certificate dialog box, click Install.

Figure 190   Opera 9: Install authority certificate

6 Next, click OK.

Figure 191   Opera 9: Install authority certificate

7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.
Removing a Certificate in Opera

This section shows you how to remove a public key certificate in Opera 9.

1 Open Opera and click TOOLS > Preferences.

Figure 192   Opera 9: Tools Menu

2 In Preferences, click ADVANCED > Security > Manage certificates.

Figure 193   Opera 9: Preferences

3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete.

Figure 194   Opera 9: Certificate manager

4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
Konqueror

The following example uses Konqueror 3.5 on openSUSE 10.3; however, the screens apply to Konqueror 3.5 on all Linux KDE distributions.

1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Click Continue.

Figure 195   Konqueror 3.5: Server Authentication

3 Click Forever when prompted to accept the certificate.

Figure 196   Konqueror 3.5: Server Authentication

4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page's security details.

Figure 197   Konqueror 3.5: KDE SSL Information
Installing a Stand-Alone Certificate File in Konqueror

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Double-click the public key certificate file.

Figure 198   Konqueror 3.5: Public Key Certificate File

2 In the Certificate Import Result - Kleopatra dialog box, click OK.

Figure 199   Konqueror 3.5: Certificate Import Result

The public key certificate appears in the KDE certificate manager, Kleopatra.

Figure 200   Konqueror 3.5: Kleopatra

3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page's security details.
Removing a Certificate in Konqueror

This section shows you how to remove a public key certificate in Konqueror 3.5.

1 Open Konqueror and click Settings > Configure Konqueror.

Figure 201   Konqueror 3.5: Settings Menu

2 In the Configure dialog box, select Crypto.

3 On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove.

Figure 202   Konqueror 3.5: Configure

4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
APPENDIX F   Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.

- Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
- Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number.
- Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers.
  - If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.
  - If the Protocol is USER, this is the IP protocol number.
- Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.

Table 99   Commonly Used Services

NAME                 PROTOCOL       PORT(S)   DESCRIPTION
AH (IPSEC_TUNNEL)    User-Defined   51        The IPSEC AH (Authentication Header) tunneling protocol uses this service.
AIM/New-ICQ          TCP            5190      AOL's Internet Messenger service. It is also used as a listening port by ICQ.
AUTH                 TCP            113       Authentication protocol used by some servers.
BGP                  TCP            179       Border Gateway Protocol.
BOOTP_CLIENT         UDP            68        DHCP Client.
BOOTP_SERVER         UDP            67        DHCP Server.
CU-SEEME             TCP            7648      A popular videoconferencing solution from White Pines Software.
                     UDP            24032
DNS                  TCP/UDP        53        Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers.
ESP (IPSEC_TUNNEL)   User-Defined   50        The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
FINGER               TCP            79        Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP                  TCP            20        File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
                     TCP            21
H.323                TCP            1720      NetMeeting uses this protocol.
HTTP                 TCP            80        Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS                TCP            443       HTTPS is a secured http session often used in e-commerce.
ICMP                 User-Defined   1         Internet Control Message Protocol is often used for diagnostic or routing purposes.
ICQ                  UDP            4000      This is a popular Internet chat program.
IGMP (MULTICAST)     User-Defined   2         Internet Group Management Protocol is used when sending packets to a specific group of hosts.
IKE                  UDP            500       The Internet Key Exchange algorithm is used for key distribution and management.
IRC                  TCP/UDP        6667      This is another popular Internet chat program.
MSN Messenger        TCP            1863      Microsoft Networks' messenger service uses this protocol.
NEW-ICQ              TCP            5190      An Internet chat program.
NEWS                 TCP            144       A protocol for news groups.
NFS                  UDP            2049      Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.
NNTP                 TCP            119       Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
PING                 User-Defined   1         Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
POP3                 TCP            110       Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
PPTP                 TCP            1723      Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
PPTP_TUNNEL (GRE)    User-Defined   47        PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel.
RCMD                 TCP            512       Remote Command Service.
REAL_AUDIO           TCP            7070      A streaming audio service that enables real time sound over the web.
REXEC                TCP            514       Remote Execution Daemon.
RLOGIN               TCP            513       Remote Login.
RTELNET              TCP            107       Remote Telnet.
RTSP                 TCP/UDP        554       The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP                 TCP            115       Simple File Transfer Protocol.
SMTP                 TCP            25        Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP                 TCP/UDP        161       Simple Network Management Program.
SNMP-TRAPS           TCP/UDP        162       Traps for use with the SNMP (RFC:1215).
SQL-NET              TCP            1521      Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.
SSH                  TCP/UDP        22        Secure Shell Remote Login Program.
STRM WORKS           UDP            1558      Stream Works Protocol.
SYSLOG               UDP            514       Syslog allows you to send system logs to a UNIX server.
TACACS               UDP            49        Login Host Protocol used for (Terminal Access Controller Access Control System).
TELNET               TCP            23        Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
TFTP                 UDP            69        Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE              TCP            7000      Another videoconferencing solution.
APPENDIX G   Legal Information

Copyright

Copyright © 2011 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimers

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Your use of the MAX208M2W Series is subject to the terms and conditions of any related service providers.

Do not use the MAX208M2W Series for illegal purposes. Illegal downloading or sharing of files can result in severe civil and criminal penalties. You are subject to the restrictions of copyright laws and any other applicable laws, and will bear the consequences of any infringements thereof. ZyXEL bears NO responsibility or liability for your use of the download service feature.

Trademarks

Trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

This device complies with part 15 of the FCC Rules. Operation is subject to the condition that this device does not cause harmful interference.

This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4 Consult the dealer or an experienced radio/TV technician for help.

FCC Radiation Exposure Statement

This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.

FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

IMPORTANT NOTE: Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.

This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
Notices

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

This Class B digital apparatus complies with Canadian ICES-003.

Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.

Viewing Certifications

1 Go to http://www.zyxel.com.
2 Select your product on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Appendix G Legal Information
MAX208M2W Series User's Guide 298

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.

To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.
Index
MAX208M2W Series User's Guide 299

Index

A
AAA 70
AbS 134
accounting server
  see AAA
ACK message 155
activity 70
Advanced Encryption Standard
  see AES
AES 207
ALG 92
alternative subnet mask notation 250
analysis-by-synthesis 134
Application Layer Gateway
  see ALG
authentication 70, 205
  inner 208
  key
  server 70
  types 208
authorization 205
  request and reply 207
  server 70
auto-discovery
  UPnP 118

B
base station
  see BS
BS 69-70
  links 70
BYE request 155

C
CA 71, 72
CBC-MAC 207
CCMP 205, 207
cell 69
certificates 205
  CA 71
  formats 72
  verification 207
certification
  notices 297
  viewing 297
Certification Authority, see CA
chaining 207
chaining message authentication
  see CCMP
circuit-switched telephone networks 133
Class of Service (CoS) 134
client-server
  protocol 155
  SIP 155
CMAC
  see MAC
codec 133
comfort noise 157
copyright 295
CoS 134
counter mode
  see CCMP
coverage area 69
cryptography 205

D
data 205-207
  decryption 205
  encryption 205
  flow 207
DHCP 89
  server 89
diameter 70
Index
MAX208M2W Series User's Guide 300

Differentiated Services
  see DiffServ
DiffServ 134
  DiffServ Code Point (DSCP) 134
  marking rule 138
digital ID 72, 205
DS field 137
DSCP
  see DiffServ
DTMF 143
dual-tone multi-frequency
  see DTMF
Dynamic Host Configuration Protocol
  see DHCP

E
EAP 70
EAP (Extensible Authentication Protocol) 72
EAP-TLS 72
EAP-TTLS 72
echo cancellation 157
encryption 205-207
  traffic 207
Ethernet
  encapsulation 91
Extensible Authorization Protocol
  see EAP

F
FCC interference statement 296
firewall 127
FTP 161
  restrictions 161

G
G.168 157
G.711 134
G.729 134

H
hybrid waveform codec 134

I
IANA 256
identity 70, 205
idle timeout 162
IEEE 802.16 69, 205
IEEE 802.16e 69
IGD 1.0 93
inner authentication 208
Internet
  access 70
  gateway device 93
Internet Assigned Numbers Authority
  see IANA 256
Internet Telephony Service Provider
  see ITSP
interoperability 69
IP-PBX 133
ITSP 133
ITU-T 157

K
key 205
  request and reply 207

M
MAC 207
MAN 69
Management Information Base (MIB) 164
Message Authentication Code
  see MAC
message integrity 207
Metropolitan Area Network
  see MAN
microwave 69, 70
Index
MAX208M2W Series User's Guide 301

mobile station
  see MS
MS 70
multimedia 135

N
NAT 255
  and remote management 162
  server sets 91
  traversal 93
NAT routers 141
network
  activity 70
  services 70
network address translators 141

O
OK response 155
outbound proxy 142
  SIP 142
outbound proxy server 142

P
pattern-spotting 207
PBX services 133
PCM 134
peer-to-peer calls 142
per-hop behavior 137
PHB (per-hop behavior) 138
phone
  services 143
PKMv2 70, 205, 208
plain text encryption 207
Privacy Key Management
  see PKM
private key 205
product registration 298
proxy server
  SIP 140
public certificate 207
public key 205
pulse code modulation 134
push button 104

Q
QoS 134
quality of service

R
RADIUS 70, 72, 206
  Message Types 206
  Messages 206
  Shared Secret Key 206
Real-time Transport Protocol
  see RTP
register server
  SIP 140
registration
  product 298
related documentation 3
remote management and NAT 162
remote management limitations 161
required bandwidth 134
RFC 1889 135
RFC 3489 141
RTP 135

S
safety warnings 7
secure communication 205
secure connection 70
security 205
security association 207
  see SA
see QoS
server, outbound proxy 142
Index
MAX208M2W Series User's Guide 302

services 70
Session Initiation Protocol
  see SIP
silence suppression 157
silent packets 157
SIP 134
  account 140
  ACK message 155
  ALG 92, 142
  Application Layer Gateway, see ALG
  BYE request 155
  call progression 154
  client 155
  client server 155
  identities 140
  INVITE request 155
  number 140
  OK response 155
  proxy server 140
  register server 140
  servers 155
  service domain 140
  URI 140
  user agent 140
SIP outbound proxy 142
SNMP 162
  manager 164
sound quality 134
SS 69, 70
STUN 141, 142
subnet 247
  mask 248
subnetting 250
subscriber station
  see SS
supplementary phone services 143
syntax conventions 5
system timeout 162

T
tampering
TCP/IP configuration 89
TEK 207
TFTP restrictions 161
TLS 205
ToS 134
Touch Tone® 143
transport encryption key
  see TEK
transport layer security
  see TLS
trigger port forwarding
  process 113
TTLS 205, 208
tunneled TLS
  see TTLS
Type of Service 134

U
unauthorized device 205
uniform resource identifier 140
Universal Plug and Play
  see UPnP
UPnP 92
  application 93
  auto-discovery 118
  security issues 93
  Windows XP 116
use NAT 141
user agent, SIP 140
user authentication 205

V
VAD 157
verification 207
voice
  activity detection 157
  coding 133
  mail 133
Voice over IP
  see VoIP
VoIP 133
Index
MAX208M2W Series User's Guide 303

W
waveform codec 134
WiFi Protected Setup, see WPS
WiMAX 69-70
  security 207
WiMAX Forum 69
Wireless Interoperability for Microwave Access
  see WiMAX
wireless LAN
  WPS 104
    adding stations 104
    push button 104
Wireless Metropolitan Area Network
  see MAN
wireless network
  access 69
  standard 69
wireless security 205
wizard setup 31
WPS 104
  adding stations 104
  push button 104