ZyXEL Communications NBG334SH1 Wireless Router User Manual SMG 700 User s Guide V1 00 Nov 2004

ZyXEL Communications Corporation Wireless Router SMG 700 User s Guide V1 00 Nov 2004

UserManual.wiki >

ZyXEL Communications >

NBG334SH1 User Manual >

users manual pt2

Contents

users manual pt2

Chapter 7 LANZyXEL NBG-334SH User’s Guide 101Figure 55 Any IP ExampleThe Any IP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the ZyXEL Device’s IP address."You must enable NAT to use the Any IP feature on the ZyXEL Device. Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network. IP routing table is defined on IP Ethernet devices (the ZyXEL Device) to decide which hop to use, to help forward data along to its specified destination.The following lists out the steps taken, when a computer tries to access the Internet for the first time through the ZyXEL Device.1When a computer (which is in a different subnet) first attempts to access the Internet, it sends packets to its default gateway (which is not the ZyXEL Device) by looking at the MAC address in its ARP table. 2When the computer cannot locate the default gateway, an ARP request is broadcast on the LAN. 3The ZyXEL Device receives the ARP request and replies to the computer with its own MAC address. 4The computer updates the MAC address for the default gateway to the ARP table. Once the ARP table is updated, the computer is able to access the Internet through the ZyXEL Device. 5When the ZyXEL Device receives packets from the computer, it creates an entry in the IP routing table so it can properly forward packets intended for the computer. After all the routing information is updated, the computer can access the ZyXEL Device and the Internet as if it is in the same subnet as the ZyXEL Device.

Chapter 7 LANZyXEL NBG-334SH User’s Guide1027.3 LAN IP ScreenUse this screen to change your basic LAN settings. Click Network > LAN.Figure 56 LAN IPThe following table describes the labels in this screen.7.4 LAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network.To change your ZyXEL Device’s IP alias settings, click Network > LAN > IP Alias. The screen appears as shown.Table 36 LAN IPLABEL DESCRIPTIONLAN TCP/IPIP Address Type the IP address of your ZyXEL Device in dotted decimal notation 192.168.1.1 (factory default).IP Subnet Mask The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.Apply Click Apply to save your changes back to the ZyXEL Device.Reset Click Reset to begin configuring this screen afresh.

Chapter 7 LANZyXEL NBG-334SH User’s Guide 103Figure 57 LAN IP AliasThe following table describes the labels in this screen.7.5 Advanced LAN ScreenTo change your ZyXEL Device’s advanced IP settings, click Network > LAN > Advanced. The screen appears as shown.Table 37 LAN IP AliasLABEL DESCRIPTIONIP Alias 1,2 Select the check box to configure another LAN network for the ZyXEL Device.IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation. IP Subnet Mask Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.Apply Click Apply to save your changes back to the ZyXEL Device.Reset Click Reset to begin configuring this screen afresh.

Chapter 7 LANZyXEL NBG-334SH User’s Guide104Figure 58 Advanced LANThe following table describes the labels in this screen.Table 38 Advanced LANLABEL DESCRIPTIONMulticast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.Active Select this if you want to let computers on different subnets use the ZyXEL Device.Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.Allow between LAN and WANSelect this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.Apply Click Apply to save your changes back to the ZyXEL Device.Reset Click Reset to begin configuring this screen afresh.

ZyXEL NBG-334SH User’s Guide 105CHAPTER 8 DHCP Server8.1 DHCPDHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.8.2 DHCP Server General ScreenClick Network > DHCP Server. The following screen displays.Figure 59 DHCP Server GeneralThe following table describes the labels in this screen.Table 39 DHCP Server GeneralLABEL DESCRIPTIONEnable DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server. Leave the Enable DHCP Server check box selected unless your ISP instructs you to do otherwise. Clear it to disable the ZyXEL Device acting as a DHCP server. When configured as a server, the ZyXEL Device provides TCP/IP configuration for the clients. If not, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must be manually configured. When set as a server, fill in the following four fields.IP Pool Starting AddressThis field specifies the first of the contiguous addresses in the IP address pool.Pool Size This field specifies the size, or count of the IP address pool.Apply Click Apply to save your changes back to the ZyXEL Device.Reset Click Reset to begin configuring this screen afresh.

Chapter 8 DHCP ServerZyXEL NBG-334SH User’s Guide1068.3 DHCP Server Advanced Screen This screen allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses. You can also use this screen to configure the DNS server information that the ZyXEL Device sends to the DHCP clients.Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.To change your ZyXEL Device’s static DHCP settings, click Network > DHCP Server > Advanced. The following screen displays.Figure 60 DHCP Server AdvancedThe following table describes the labels in this screen.Table 40 DHCP Server AdvancedLABEL DESCRIPTION# This is the index number of the static IP table entry (row).MAC Address Type the MAC address (with colons) of a computer on your LAN.IP Address Type the LAN IP address of a computer on your LAN.DNS Servers Assigned by DHCP Server The ZyXEL Device passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. The ZyXEL Device only passes this information to the LAN DHCP clients when you select the Enable DHCP Server check box. When you clear the Enable DHCP Server check box, DHCP service is disabled and you must have another DHCP sever on your LAN, or else the computers must have their DNS server addresses manually configured.

Chapter 8 DHCP ServerZyXEL NBG-334SH User’s Guide 1078.4 Client List ScreenThe DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyXEL Device’s DHCP server.Configure this screen to always assign an IP address to a MAC address (and host name). Click Network > DHCP Server > Client List. "You can also view a read-only client list by clicking the DHCP Table (Details...) hyperlink in the Status screen. The following screen displays.Figure 61 Client ListFirst DNS ServerSecond DNS ServerThird DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the ZyXEL Device's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply. Select DNS Relay to have the ZyXEL Device act as a DNS proxy. The ZyXEL Device's LAN IP address displays in the field to the right (read-only). The ZyXEL Device tells the DHCP clients on the LAN that the ZyXEL Device itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyXEL Device, the ZyXEL Device forwards the query to the ZyXEL Device's system DNS server (configured in the WAN > Internet Connection screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you click Apply. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a computer in order to access it.Apply Click Apply to save your changes back to the ZyXEL Device.Reset Click Reset to begin configuring this screen afresh.Table 40 DHCP Server AdvancedLABEL DESCRIPTION

Chapter 8 DHCP ServerZyXEL NBG-334SH User’s Guide108The following table describes the labels in this screen.Table 41 Client ListLABEL DESCRIPTION# This is the index number of the host computer. IP Address This field displays the IP address relative to the # field listed above.Host Name This field displays the computer host name.MAC Address The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation).A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.Reserve Select this check box to have the ZyXEL Device always assign this IP address to this MAC address (and host name). After you click Apply, the MAC address and IP address also display in the Advanced screen (where you can edit them).Refresh Click Refresh to reload the DHCP table.

ZyXEL NBG-334SH User’s Guide 109CHAPTER 9 Network Address Translation(NAT)This chapter discusses how to configure NAT on the ZyXEL Device.9.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network.9.2 Using NAT"You must create a firewall rule in addition to setting up NAT, to allow traffic from the WAN to be forwarded through the ZyXEL Device.9.2.1 Port Forwarding: Services and Port NumbersA port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world. Use the Application screen to forward incoming service requests to the server(s) on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded.

Chapter 9 Network Address Translation (NAT)ZyXEL NBG-334SH User’s Guide110"Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.9.2.2 Configuring Servers Behind Port Forwarding ExampleLet's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the InternetFigure 62 Multiple Servers Behind NAT Example9.3 General NAT ScreenClick Network > NAT to open the General screen.Figure 63 NAT General

Chapter 9 Network Address Translation (NAT)ZyXEL NBG-334SH User’s Guide 111The following table describes the labels in this screen.9.4 NAT Application Screen Port forwarding allows you to define the local servers to which the incoming services will be forwarded. To change your ZyXEL Device’s port forwarding settings, click Network > NAT > Application. The screen appears as shown."If you do not assign a Default Server IP address in the NAT > General screen, the ZyXEL Device discards all packets received for ports that are not specified in this screen or remote management.Refer to Appendix I on page 257 for port numbers commonly used for particular services.Table 42 NAT GeneralLABEL DESCRIPTIONNetwork Address TranslationNetwork Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select the check box to enable NAT.Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in the Application screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified in the Application screen or remote management.Apply Click Apply to save your changes back to the ZyXEL Device.Reset Click Reset to begin configuring this screen afresh.

Chapter 9 Network Address Translation (NAT)ZyXEL NBG-334SH User’s Guide112Figure 64 NAT ApplicationThe following table describes the labels in this screen.Table 43 NAT ApplicationLABEL DESCRIPTIONGame List Update A game list includes the pre-defined service name(s) and port number(s). You can edit and upload it to the ZyXEL Device to replace the existing entries in the second field next to Service Name.File Path Type in the location of the file you want to upload in this field or click Browse... to find it.Browse... Click Browse... to find the.txt file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Update Click Update to begin the upload process. This process may take up to two minutes.Add Application RuleActive Select the check box to enable this rule and the requested service can be forwarded to the host with a specified internal IP address.Clear the checkbox to disallow forwarding of these ports to an inside server without having to delete the entry. Service Name Type a name (of up to 31 printable characters) to identify this rule in the first field next to Service Name. Otherwise, select a predefined service in the second field next to Service Name. The predefined service name and port number(s) will display in the Service Name and Port fields.

Chapter 9 Network Address Translation (NAT)ZyXEL NBG-334SH User’s Guide 1139.4.1 Game List ExampleHere is an example game list text file. The index number, service name and associated port(s) are specified by semi-colons (no spaces). Use the name=xxx (where xxx is the service name) to create a new service. Port range can be separated with a hyphen (-) (no spaces). Multiple (non-consecutive) ports can be separated by commas.Port Type a port number(s) to be forwarded.To specify a range of ports, enter a hyphen (-) between the first port and the last port, such as 10-20.To specify two or more non-consecutive port numbers, separate them by a comma without spaces, such as 123,567.Server IP Address Type the inside IP address of the server that receives packets from the port(s) specified in the Port field.Apply Click Apply to save your changes to the Application Rules Summary table.Reset Click Reset to not save and return your new changes in the Service Name and Port fields to the previous one.Application Rules Summary#This is the number of an individual port forwarding server entry.Active This icon is turned on when the rule is enabled. Name This field displays a name to identify this rule.Port This field displays the port number(s). Server IP Address This field displays the inside IP address of the server.Modify Click the Edit icon to display and modify an existing rule setting in the fields under Add Application Rule. Click the Remove icon to delete a rule.Table 43 NAT Application (continued)LABEL DESCRIPTION

Chapter 9 Network Address Translation (NAT)ZyXEL NBG-334SH User’s Guide114Figure 65 Game List Example9.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The ZyXEL Device records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger" port). When the ZyXEL Device's WAN port receives a response with a specific port number and protocol ("incoming" port), the ZyXEL Device forwards the traffic to the LAN IP address of the computer that sent the request. After that computer’s connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.9.5.1 Trigger Port Forwarding Example The following is an example of trigger port forwarding.version=11;name=Battlefield 1942;port=14567,22000,23000-23009,27900,289002;name=Call of Duty;port=289603;name=Civilization IV;port=20564;name=Diablo I and II;port=6112-6119,40005;name=Doom 3;port=276666;name=F.E.A.R;port=278887;name=Final Fantasy XI;port=25,80,110,443,50000-655358;name=Guild Wars;port=6112,809;name=Half Life;port=6003,7002,27005,27010,27011,2701510;name=Jedi Knight III: Jedi Academy;port=28060-28062,28070-2808111;name=Need for Speed: Hot Pursuit 2;port=1230,8511-8512,27900,28900,61200-6123012;name=Neverwinter Nights;port=5120-5300,6500,27900,2890013;name=Quake 2;port=2791014;name=Quake 3;port=27660,2796015;name=Rainbow Six 3: Raven Shield;port=7777-7787,8777-878716;name=Serious Sam II;port=25600-2560517;name=Silent Hunter III;port=17997-1800318;name=Soldier of Fortune II;port=20100-2011219;name=Starcraft;port=6112-6119,400020;name=Star Trek: Elite Force II;port=29250,2925621;name=SWAT 4;port=10480-1048322;name=Warcraft II and III;port=6112-6119,400023;name=World of Warcraft;port=3724

Chapter 9 Network Address Translation (NAT)ZyXEL NBG-334SH User’s Guide 115Figure 66 Trigger Port Forwarding Process: Example1Jane requests a file from the Real Audio server (port 7070).2Port 7070 is a “trigger” port and causes the ZyXEL Device to record Jane’s computer IP address. The ZyXEL Device associates Jane's computer IP address with the "incoming" port range of 6970-7170.3The Real Audio server responds using a port number ranging between 6970-7170.4The ZyXEL Device forwards the traffic to Jane’s computer IP address. 5Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyXEL Device times out in three minutes with UDP (User Datagram Protocol), or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol). 9.5.2 Two Points To Remember About Trigger Ports1Trigger events only happen on data that is going coming from inside the ZyXEL Device and going to the outside.2If an application needs a continuous data stream, that port (range) will be tied up so that another computer on the LAN can’t trigger it.9.6 NAT Advanced ScreenTo change your ZyXEL Device’s trigger port settings, click Network > NAT > Advanced. The screen appears as shown."Only one LAN computer can use a trigger port (range) at a time.

Chapter 9 Network Address Translation (NAT)ZyXEL NBG-334SH User’s Guide116Figure 67 NAT AdvancedThe following table describes the labels in this screen.Table 44 NAT AdvancedLABEL DESCRIPTIONMax NAT/Firewall Session Per UserType a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions that a host can create.When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet. Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/firewall sessions each client computer can establish through the ZyXEL Device. If your network has a small number of clients using peer to peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer to peer applications, you can lower this number to ensure no single client is using all of the available NAT sessions.#This is the rule index number (read-only).Name Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces.Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyXEL Device forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. Start Port Type a port number or the starting port number in a range of port numbers.

Chapter 9 Network Address Translation (NAT)ZyXEL NBG-334SH User’s Guide 117End Port Type a port number or the ending port number in a range of port numbers.Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the ZyXEL Device to record the IP address of the LAN computer that sent the traffic to a server on the WAN.Start Port Type a port number or the starting port number in a range of port numbers.End Port Type a port number or the ending port number in a range of port numbers.Apply Click Apply to save your changes back to the ZyXEL Device.Reset Click Reset to begin configuring this screen afresh.Table 44 NAT AdvancedLABEL DESCRIPTION

Chapter 9 Network Address Translation (NAT)ZyXEL NBG-334SH User’s Guide118

ZyXEL NBG-334SH User’s Guide 119CHAPTER 10 Dynamic DNS10.1 Dynamic DNS Introduction Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.10.1.1 DynDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname."If you have a private WAN IP address, then you cannot use Dynamic DNS.10.2 Dynamic DNS Screen To change your ZyXEL Device’s DDNS, click Network > DDNS. The screen appears as shown.

Chapter 10 Dynamic DNSZyXEL NBG-334SH User’s Guide120Figure 68 Dynamic DNSThe following table describes the labels in this screen.Table 45 Dynamic DNSLABEL DESCRIPTIONEnable Dynamic DNS Select this check box to use dynamic DNS.Service Provider Select the name of your Dynamic DNS service provider.Dynamic DNS Type Select the type of service that you are registered for from your Dynamic DNS service provider.Host Name Enter a host names in the field provided. You can specify up to two host names in the field separated by a comma (",").User Name Enter your user name.Password Enter the password assigned to you.Enable Wildcard OptionSelect the check box to enable DynDNS Wildcard.Enable off line option This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.IP Address Update Policy:Use WAN IP Address Select this option to update the IP address of the host name(s) to the WAN IP address.Dynamic DNS server auto detect IP AddressSelect this option to update the IP address of the host name(s) automatically by the DDNS server. It is recommended that you select this option.Use specified IP AddressType the IP address of the host name(s). Use this if you have a static IP address.Apply Click Apply to save your changes back to the ZyXEL Device.Reset Click Reset to begin configuring this screen afresh.

ZyXEL NBG-334SH User’s Guide 121CHAPTER 11 FirewallThis chapter gives some background information on firewalls and explains how to get started with the ZyXEL Device’s firewall.11.1 Introduction to ZyXEL’s Firewall 11.1.1 What is a Firewall?Originally, the term “firewall” referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from a network that is not trusted. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself. 11.1.2 Stateful Inspection Firewall Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.11.1.3 About the ZyXEL Device FirewallThe ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (click the General tab under Firewall and then click the Enable Firewall check box). The ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.

Chapter 11 FirewallZyXEL NBG-334SH User’s Guide122The ZyXEL Device is installed between the LAN and a broadband modem connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.The ZyXEL Device has one Ethernet WAN port and four Ethernet LAN ports, which are used to physically separate the network into two areas.The WAN (Wide Area Network) port attaches to the broadband (cable or DSL) modem to the Internet.The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, "inbound access" is not allowed (by default) unless the remote host is authorized to use a specific service.11.1.4 Guidelines For Enhancing Security With Your Firewall1Change the default password via web configurator. 2Think about access control before you connect to the network in any way, including attaching a modem to the port. 3Limit who can access your router. 4Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network. 5For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. 6Protect against IP spoofing by making sure the firewall is active. 7Keep the firewall in a secured (locked) room. 11.2 Triangle RoutesIf an alternate gateway on the LAN has an IP address in the same subnet as the ZyXEL Device’s LAN IP address, return traffic may not go through the ZyXEL Device. This is called an asymmetrical or “triangle” route. This causes the ZyXEL Device to reset the connection, as the connection has not been acknowledged.You can have the ZyXEL Device permit the use of asymmetrical route topology on the network (not reset the connection).Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyXEL Device. A better solution is to use IP alias to put the ZyXEL Device and the backup gateway on separate subnets.11.2.1 Triangle Routes and IP AliasYou can use IP alias instead of allowing triangle routes. IP Alias allow you to partition your network into logical sections over the same interface. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.

Chapter 11 FirewallZyXEL NBG-334SH User’s Guide 1231A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.2The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2. 3The reply from the WAN goes to the ZyXEL Device. 4The ZyXEL Device then sends it to the computer on the LAN in Subnet 1. Figure 69 Using IP Alias to Solve the Triangle Route Problem11.3 General Firewall Screen Click Security > Firewall to open the General screen. Use this screen to enable or disable the ZyXEL Device’s firewall, and set up firewall logs. Figure 70 GeneralThe following table describes the labels in this screen.Table 46 Firewall GeneralLABEL DESCRIPTIONEnable Firewall Select this check box to activate the firewall. The ZyXEL Device performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.Packet Direction This is the direction of travel of packets.Firewall rules are grouped based on the direction of travel of packets to which they apply.

Chapter 11 FirewallZyXEL NBG-334SH User’s Guide12411.4 Services ScreenClick Security > Firewall > Services. The screen appears as shown next. If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. Use this screen to prevent the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed.You can also use this screen to enable service blocking, enter/delete/modify the services you want to block and the date/time you want to block them.Log Select whether to create a log for packets that are traveling in the selected direction when the packets are blocked or forwarded.To log packets related to firewall rules, make sure that Access Control under Log is selected in the Logs > Log Settings screen. Apply Click Apply to save the settings. Reset Click Reset to start configuring this screen again. Table 46 Firewall GeneralLABEL DESCRIPTION

Chapter 11 FirewallZyXEL NBG-334SH User’s Guide 125Figure 71 Firewall ServicesThe following table describes the labels in this screen.Table 47 Firewall ServicesLABEL DESCRIPTIONICMP Internet Control Message Protocol is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user. Respond to Ping onThe ZyXEL Device will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests.

Chapter 11 FirewallZyXEL NBG-334SH User’s Guide126Do not respond to requests for unauthorized servicesSelect this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device unseen. By default this option is not selected and the ZyXEL Device will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports. Note that the probing packets must first traverse the ZyXEL Device's firewall mechanism before reaching this anti-probing mechanism. Therefore if the firewall mechanism blocks a probing packet, the ZyXEL Device reacts based on the firewall policy, which by default, is to send a TCP reset packet for a blocked TCP packet. You can use the command "sys firewall tcprst rst [on|off]" to change this policy. When the firewall mechanism blocks a UDP packet, it drops the packet without sending a response packet.Enable Services BlockingSelect this check box to enable this feature.Available ServicesThis is a list of pre-defined services (ports) you may prohibit your LAN computers from using. Select the port you want to block using the drop-down list and click Add to add the port to the Blocked Services field.Blocked Services This is a list of services (ports) that will be inaccessible to computers on your LAN once you enable service blocking. Custom Port A custom port is a service that is not available in the pre-defined Available Services list and you must define using the next two fields.Type Choose the IP port (TCP or UDP) that defines your customized port from the drop down list box.Port Number Enter the port number range that defines the service. For example, if you want to define the Gnutella service, then select TCP type and enter a port range from 6345 to 6349.Add Select a service from the Available Services drop-down list and then click Add to add a service to the Blocked ServicesDelete Select a service from the Blocked Services list and then click Delete to remove this service from the list.Clear All Click Clear All to empty the Blocked Services.Day to Block: Select a check box to configure which days of the week (or everyday) you want service blocking to be active. Time of Day to Block (24-Hour Format)Select the time of day you want service blocking to take effect. Configure blocking to take effect all day by selecting All Day. You can also configure specific times by selecting From and entering the start time in the Start (hour) and Start (min) fields and the end time in the End (hour) and End (min) fields. Enter times in 24-hour format, for example, "3:00pm" should be entered as "15:00".Bypass Triangle RouteSelect this check box to have the ZyXEL Device firewall ignore the use of triangle route topology on the network. Max NAT/Firewall Session Per UserType a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions that a host can create.Apply Click Apply to save the settings. Reset Click Reset to start configuring this screen again. Table 47 Firewall ServicesLABEL DESCRIPTION

ZyXEL NBG-334SH User’s Guide 127CHAPTER 12 Content FilteringThis chapter provides a brief overview of content filtering using the embedded web GUI.12.1 Introduction to Content FilteringInternet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords.12.2 Restrict Web FeaturesThe ZyXEL Device can block web features such as ActiveX controls, Java applets, cookies and disable web proxies. 12.3 Days and TimesThe ZyXEL Device also allows you to define time periods and days during which the ZyXEL Device performs content filtering.12.4 Filter ScreenClick Security > Content Filter to open the Filter screen.

Chapter 12 Content FilteringZyXEL NBG-334SH User’s Guide128Figure 72 Content Filter: FilterThe following table describes the labels in this screen.Table 48 Content Filter: FilterLABEL DESCRIPTIONTrusted Computer IP AddressTo enable this feature, type an IP address of any one of the computers in your network that you want to have as a trusted computer. This allows the trusted computer to have full access to all features that are configured to be blocked by content filtering.Leave this field blank to have no trusted computers.Restrict Web FeaturesSelect the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.ActiveX A tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again. Java A programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.Cookies Used by Web servers to track usage and provide service based on ID. Web Proxy A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server. Enable URL Keyword BlockingThe ZyXEL Device can block Web sites with URLs that contain certain keywords in the domain name or IP address. For example, if the keyword "bad" was enabled, all sites containing this keyword in the domain name or IP address will be blocked, e.g., URL http://www.website.com/bad.html would be blocked. Select this check box to enable this feature.

Chapter 12 Content FilteringZyXEL NBG-334SH User’s Guide 12912.5 ScheduleUse this screen to set the day(s) and time you want the ZyXEL Device to use content filtering. Click Security > Content Filter > Schedule. The following screen displays.Figure 73 Content Filter: ScheduleKeyword Type a keyword in this field. You may use any character (up to 64 characters). Wildcards are not allowed. You can also enter a numerical IP address.Keyword List This list displays the keywords already added. Add Click Add after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed.When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.Delete Highlight a keyword in the lower box and click Delete to remove it. The keyword disappears from the text box after you click Apply.Clear All Click this button to remove all of the listed keywords.Message to display when a site is blocked.Denied Access MessageEnter a message to be displayed when a user tries to access a restricted web site. The default message is “Please contact your network administrator!!”Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afreshTable 48 Content Filter: FilterLABEL DESCRIPTION

Chapter 12 Content FilteringZyXEL NBG-334SH User’s Guide130The following table describes the labels in this screen.12.6 Customizing Keyword Blocking URL CheckingYou can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.12.6.1 Domain Name or IP Address URL CheckingBy default, the ZyXEL Device checks the URL’s domain name or IP address when performing keyword blocking.This means that the ZyXEL Device checks the characters that come before the first slash in the URL.For example, with the URL www.zyxel.com.tw/news/pressroom.php, content filtering only searches for keywords within www.zyxel.com.tw.12.6.2 Full Path URL CheckingFull path URL checking has the ZyXEL Device check the characters that come before the last slash in the URL.For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/.Use the ip urlfilter customize actionFlags 6 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's full path.12.6.3 File Name URL CheckingFilename URL checking has the ZyXEL Device check all of the characters in the URL.Table 49 Content Filter: ScheduleLABEL DESCRIPTIONDay to Block Select check boxes for the days that you want the ZyXEL Device to perform content filtering. Select the Everyday check box to have content filtering turned on all days of the week.Time of Day to Block (24-Hour Format)Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. Time of Day to Block restrictions only apply to the keywords (see above). Restrict web server data, such as ActiveX, Java, Cookies and Web Proxy are not affected.Select All Day to have content filtering always active on the days selected in Day to Block with time of day limitations not enforced.Select From and enter the time period, in 24-hour format, during which content filtering will be enforced. Apply Click Apply to save your customized settings and exit this screen.Reset Click Reset to begin configuring this screen afresh

Chapter 12 Content FilteringZyXEL NBG-334SH User’s Guide 131For example, filename URL checking searches for keywords within the URL www.zyxel.com.tw/news/pressroom.php.Use the ip urlfilter customize actionFlags 8 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's complete filename.

Chapter 12 Content FilteringZyXEL NBG-334SH User’s Guide132

ZyXEL NBG-334SH User’s Guide 133CHAPTER 13 Static Route ScreensThis chapter shows you how to configure static routes for your ZyXEL Device.13.1 Static Route OverviewEach remote node specifies only the network to which the gateway is directly connected, and the ZyXEL Device has no knowledge of the networks beyond. For instance, the ZyXEL Device knows about network N2 in the following figure through remote node router R1. However, the ZyXEL Device is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node router R1 (via gateway router R2). The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes.Figure 74 Example of Static Routing Topology13.2 IP Static Route ScreenClick Management > Static Route to open the IP Static Route screen. The following screen displays.

Chapter 13 Static Route ScreensZyXEL NBG-334SH User’s Guide134Figure 75 IP Static RouteThe following table describes the labels in this screen.13.2.1 Static Route Setup Screen To edit a static route, click the edit icon under Modify. The following screen displays. Fill in the required information for each static route.Table 50 IP Static RouteLABEL DESCRIPTION#This is the index number of an individual static route. The first entry is for the default route and not editable.Name This is the name that describes or identifies this route. Active This icon is turned on when this static route is active.Click the Edit icon under Modify and select the Active checkbox in the Static Route Setup screen to enable the static route. Clear the checkbox to disable this static route without having to delete the entry.Destination This parameter specifies the IP network address of the final destination. Routing is always based on network number. Gateway This is the IP address of the gateway. The gateway is an immediate neighbor of your ZyXEL Device that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyXEL Device; over the WAN, the gateway must be the IP address of one of the remote nodes.Modify Click the Edit icon to open the static route setup screen. Modify a static route or create a new static route in the Static Route Setup screen.Click the Remove icon to delete a static route.

Chapter 13 Static Route ScreensZyXEL NBG-334SH User’s Guide 135Figure 76 Static Route SetupThe following table describes the labels in this screen.Table 51 Static Route SetupLABEL DESCRIPTIONRoute Name Enter the name of the IP static route. Leave this field blank to delete this static route.Active This field allows you to activate/deactivate this static route.Private This parameter determines if the ZyXEL Device will include this route to a remote node in its RIP broadcasts.Select this check box to keep this route private and not included in RIP broadcasts. Clear this checkbox to propagate this route to other hosts through RIP broadcasts.Destination IP AddressThis parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.IP Subnet Mask Enter the IP subnet mask here.Gateway IP AddressEnter the IP address of the gateway. The gateway is an immediate neighbor of your ZyXEL Device that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyXEL Device; over the WAN, the gateway must be the IP address of one of the Remote Nodes.Metric Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number. Apply Click Apply to save your changes back to the ZyXEL Device.Cancel Click Cancel to return to the previous screen and not save your changes.

Chapter 13 Static Route ScreensZyXEL NBG-334SH User’s Guide136

ZyXEL NBG-334SH User’s Guide 137CHAPTER 14 Bandwidth ManagementThis chapter contains information about configuring bandwidth management, editing rules and viewing the ZyXEL Device’s bandwidth management logs.14.1 Bandwidth Management Overview ZyXEL’s Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth rules. The ZyXEL Device applies bandwidth management to traffic that it forwards out through an interface. The ZyXEL Device does not control the bandwidth of traffic that comes into an interface.Bandwidth management applies to all traffic flowing out of the router, regardless of the traffic's source.Traffic redirect or IP alias may cause LAN-to-LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management. • The sum of the bandwidth allotments that apply to the WAN interface (LAN to WAN, WLAN to WAN, WAN to WAN / ZyXEL Device) must be less than or equal to the Upstream Bandwidth that you configure in the Bandwidth Management Advanced screen. • The sum of the bandwidth allotments that apply to the LAN port (WAN to LAN, WLAN to LAN, LAN to LAN / ZyXEL Device) must be less than or equal to 100,000 kbps (you cannot configure the bandwidth budget for the LAN port). • The sum of the bandwidth allotments that apply to the WLAN port (LAN to WLAN, WAN to WLAN, WLAN to WLAN / ZyXEL Device) must be less than or equal to 54,000 kbps (you cannot configure the bandwidth budget for the WLAN port). 14.2 Application-based Bandwidth ManagementYou can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).14.3 Subnet-based Bandwidth ManagementYou can create bandwidth classes based on subnets.

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide138The following figure shows LAN subnets. You could configure one bandwidth class for subnet A and another for subnet B. Figure 77 Subnet-based Bandwidth Management Example14.4 Application and Subnet-based Bandwidth ManagementYou could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.14.5 Bandwidth Management Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device forwards out through an interface.Table 52 Application and Subnet-based Bandwidth Management Example TRAFFIC TYPE FROM SUBNET A FROM SUBNET BVoIP 64 Kbps 64 KbpsWeb 64 Kbps 64 KbpsFTP 64 Kbps 64 KbpsE-mail 64 Kbps 64 KbpsVideo 64 Kbps 64 KbpsTable 53 Bandwidth Management PrioritiesPRIORITY LEVELS: TRAFFIC WITH A HIGHER PRIORITY GETS THROUGH FASTER WHILE TRAFFIC WITH A LOWER PRIORITY IS DROPPED IF THE NETWORK IS CONGESTED.High Typically used for voice traffic or video that is especially sensitive to jitter (jitter is the variations in delay).

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide 13914.6 Predefined Bandwidth Management ServicesThe following is a description of the services that you can select and to which you can apply media bandwidth management using the wizard screens. Mid Typically used for “excellent effort” or better than best effort and would include important business traffic that can tolerate some delay.Low This is typically used for non-critical “background” traffic such as bulk transfers that are allowed but that should not affect other applications and users. Table 53 Bandwidth Management PrioritiesPRIORITY LEVELS: TRAFFIC WITH A HIGHER PRIORITY GETS THROUGH FASTER WHILE TRAFFIC WITH A LOWER PRIORITY IS DROPPED IF THE NETWORK IS CONGESTED.Table 54 Media Bandwidth Management Setup: ServicesSERVICE DESCRIPTIONXbox Live This is Microsoft’s online gaming service that lets you play multiplayer Xbox games on the Internet via broadband technology. Xbox Live uses port 3074.VoIP (SIP) Sending voice signals over the Internet is called Voice over IP or VoIP. Session Initiated Protocol (SIP) is an internationally recognized standard for implementing VoIP. SIP is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.SIP is transported primarily over UDP but can also be transported over TCP, using the default port number 5060. FTP File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail. FTP uses port number 21.E-Mail Electronic mail consists of messages sent through a computer network to specific groups or individuals. Here are some default ports for e-mail: POP3 - port 110IMAP - port 143SMTP - port 25HTTP - port 80BitTorrent BitTorrent is a free P2P (peer-to-peer) sharing tool allowing you to distribute large software and media files using ports 6881 to 6889. BitTorrent requires you to search for a file with a searching engine yourself. It distributes files by corporation and trading, that is, the client downloads the file in small pieces and share the pieces with other peers to get other half of the file.MSN Webcam MSN messenger allows you to chat online and send instant messages. If you use MSN messenger and also have a webcam, you can send your image/photo in real-time along with messagesWWW The World Wide Web (WWW) is an Internet system to distribute graphical, hyper-linked information, based on Hyper Text Transfer Protocol (HTTP) - a client/server protocol for the World Wide Web. The Web is not synonymous with the Internet; rather, it is just one service on the Internet. Other services on the Internet include Internet Relay Chat and Newsgroups. The Web is accessed through use of a browser.

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide14014.6.1 Services and Port NumbersThe commonly used services and port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type. For example, look at the DNS service. (UDP/TCP:53) means UDP port 53 and TCP port 53. Table 55 Commonly Used ServicesSERVICE DESCRIPTIONAIM/New-ICQ(TCP:5190) AOL’s Internet Messenger service, used as a listening port by ICQ.AUTH(TCP:113) Authentication protocol used by some servers.BGP(TCP:179) Border Gateway Protocol.BOOTP_CLIENT(UDP:68) DHCP Client.BOOTP_SERVER(UDP:67) DHCP Server.CU-SEEME(TCP/UDP:7648, 24032) A popular videoconferencing solution from White Pines Software.DNS(UDP/TCP:53) Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.FINGER(TCP:79) Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.FTP(TCP:20.21) File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.H.323(TCP:1720) NetMeeting uses this protocol.HTTP(TCP:80) Hyper Text Transfer Protocol - a client/server protocol for the world wide web.HTTPS(TCP:443) HTTPS is a secured http session often used in e-commerce.ICQ(UDP:4000) This is a popular Internet chat program.IKE(UDP:500) The Internet Key Exchange algorithm is used for key distribution and management.IPSEC_TUNNEL(AH:0) The IPSEC AH (Authentication Header) tunneling protocol uses this service.IPSEC_TUNNEL(ESP:0) The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.IRC(TCP/UDP:6667) This is another popular Internet chat program.MSN Messenger(TCP:1863) Microsoft Networks’ messenger service uses this protocol. MULTICAST(IGMP:0) Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.NEW-ICQ(TCP:5190) An Internet chat program.NEWS(TCP:144) A protocol for news groups.NFS(UDP:2049) Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.NNTP(TCP:119) Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide 141PING(ICMP:0) Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.POP3(TCP:110) Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).PPTP(TCP:1723) Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.PPTP_TUNNEL(GRE:0) Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the data channel.RCMD(TCP:512) Remote Command Service.REAL_AUDIO(TCP:7070) A streaming audio service that enables real time sound over the web.REXEC(TCP:514) Remote Execution Daemon.RLOGIN(TCP:513) Remote Login.RTELNET(TCP:107) Remote Telnet.RTSP(TCP/UDP:554) The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP(TCP:115) Simple File Transfer Protocol.SMTP(TCP:25) Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.SNMP(TCP/UDP:161) Simple Network Management Program.SNMP-TRAPS(TCP/UDP:162) Traps for use with the SNMP (RFC:1215).SQL-NET(TCP:1521) Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.SSH(TCP/UDP:22) Secure Shell Remote Login Program.STRM WORKS(UDP:1558) Stream Works Protocol.SYSLOG(UDP:514) Syslog allows you to send system logs to a UNIX server.TACACS(UDP:49) Login Host Protocol used for (Terminal Access Controller Access Control System).TELNET(TCP:23) Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.TFTP(UDP:69) Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).VDOLIVE(TCP:7000) Another videoconferencing solution.Table 55 Commonly Used ServicesSERVICE DESCRIPTION

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide14214.7 Default Bandwidth Management Classes and PrioritiesIf you enable bandwidth management but do not configure a rule for critical traffic like VoIP, the voice traffic may then get delayed due to insufficient bandwidth. With the automatic traffic classifier feature activated, the ZyXEL Device automatically assigns a default bandwidth management class and priority to traffic that does not match any of the user-defined rules. The traffic is classified based on the traffic type. Real-time traffic always gets higher priority over other traffic. The following table shows you the priorities between the three default classes (AutoClass_H, AutoClass_M and Default Class) and user-defined rules. 6 is the highest priority.14.8 Bandwidth Management General Configuration Click Management > Bandwidth MGMT to open the bandwidth management General screen.Figure 78 Bandwidth Management: GeneralTable 56 Bandwidth Management Priority with Default ClassesCLASS TYPE PRIORITYUser-defined with high priority 6AutoClass_H 5User-defined with medium priority 4AutoClass_M 3User-defined with low priority 2Default Class 1

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide 143The following table describes the labels in this screen.14.9 Bandwidth Management Advanced Configuration Click Management > Bandwidth MGMT > Advanced to open the bandwidth management Advanced screen.Figure 79 Bandwidth Management: AdvancedTable 57 Bandwidth Management: GeneralLABEL DESCRIPTIONEnable Bandwidth Management Select this check box to have the ZyXEL Device apply bandwidth management. Enable bandwidth management to give traffic that matches a bandwidth rule priority over traffic that does not match a bandwidth rule. Enabling bandwidth management also allows you to control the maximum or minimum amounts of bandwidth that can be used by traffic that matches a bandwidth rule. Enable Automatic Traffic Classifier This field is only applicable when you select the Enable Bandwidth Management check box.Select this check box to have the ZyXEL Device base on the default bandwidth classes to apply bandwidth management. Real-time packets, such as VoIP traffic always get higher priority.Apply Click Apply to save your customized settings.Reset Click Reset to begin configuring this screen afresh.

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide144The following table describes the labels in this screen.14.9.1 Rule Configuration with the Pre-defined Service To edit a bandwidth management rule for the pre-defined service in the ZyXEL Device, click the Edit icon in the Application List table of the Advanced screen. The following screen displays.Table 58 Bandwidth Management: AdvancedLABEL DESCRIPTIONUpstream Bandwidth (kbps) Enter the amount of bandwidth in kbps (2 to 100,000) that you want to allocate for traffic. 20 kbps to 20,000 kbps is recommended.The recommendation is to set this speed to be equal to or less than the speed of the broadband device connected to the WAN port. For example, set the speed to 1000 Kbps (or less) if the broadband device connected to the WAN port has an upstream speed of 1000 Kbps.Application List Use this table to allocate specific amounts of bandwidth based on the pre-defined service.#This is the number of an individual bandwidth management rule.Enable Select this check box to have the ZyXEL Device apply this bandwidth management rule.Service This is the name of the service.Priority Select a priority from the drop down list box. Choose High, Mid or Low.Advanced Setting Click the Edit icon to open the Rule Configuration screen where you can modify the rule.User-defined Service Use this table to allocate specific amounts of bandwidth to specific applications and/or subnets.#This is the number of an individual bandwidth management rule.Enable Select this check box to have the ZyXEL Device apply this bandwidth management rule.Direction Select To LAN to apply bandwidth management to traffic that the ZyXEL Device forwards to the LAN. Select To WAN to apply bandwidth management to traffic that the ZyXEL Device forwards to the WAN. Select To WLAN to apply bandwidth management to traffic that the ZyXEL Device forwards to the WLAN. Service Name Enter a descriptive name of up to 19 alphanumeric characters, including spaces.Priority Select a priority from the drop down list box. Choose High, Mid or Low.Modify Click the Edit icon to open the Rule Configuration screen. Modify an existing rule or create a new rule in the Rule Configuration screen. See Section 14.9.2 on page 145 for more information.Click the Remove icon to delete a rule.Apply Click Apply to save your customized settings.Reset Click Reset to begin configuring this screen afresh.

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide 145Figure 80 Bandwidth Management Rule Configuration: Pre-defined ServiceThe following table describes the labels in this screen.14.9.2 Rule Configuration with the User-defined Service In addition to the pre-defined services, if you want to edit a bandwidth management rule for other applications and/or subnets, click the Edit icon in the User-defined Service table of the Advanced screen. The following screen displays.Table 59 Bandwidth Management Rule Configuration: Pre-defined ServiceLABEL DESCRIPTION#This is the number of an individual bandwidth management rule.Enable Select an interface’s check box to enable bandwidth management on that interface. Direction These read-only labels represent the physical interfaces. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.Traffic redirect or IP alias may cause LAN-to-LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management.Bandwidth Select Maximum Bandwidth or Minimum Bandwidth and specify the maximum or minimum bandwidth allowed for the rule in kilobits per second. Destination Port This is the port number of the destination. See Table 55 on page 140 for some common services and port numbers.Source Port This is the port number of the source. See Table 55 on page 140 for some common services and port numbers.Protocol This is the protocol (TCP or UDP) used for the service.OK Click OK to save your customized settings.Cancel Click Cancel to exit this screen without saving.

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide146Figure 81 Bandwidth Management Rule Configuration: User-defined ServiceThe following table describes the labels in this screen.14.10 Bandwidth Management Monitor Click Management > Bandwidth MGMT > Monitor to open the bandwidth management Monitor screen. View the bandwidth usage of the WAN configured bandwidth rules. This is also shown as bandwidth usage over the bandwidth budget for each rule. The gray section of the bar represents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use.Table 60 Bandwidth Management Rule Configuration: User-defined ServiceLABEL DESCRIPTIONBW Budget Select Maximum Bandwidth or Minimum Bandwidth and specify the maximum or minimum bandwidth allowed for the rule in kilobits per second. Destination AddressEnter the destination IP address in dotted decimal notation.Destination Subnet NetmaskEnter the destination subnet mask. This field is N/A if you do not specify a Destination Address. Refer to the appendices for more information on IP subnetting.Destination Port Enter the port number of the destination. See Table 55 on page 140 for some common services and port numbers.Source Address Enter the source IP address in dotted decimal notation.Source Subnet NetmaskEnter the destination subnet mask. This field is N/A if you do not specify a Source Address. Refer to the appendices for more information on IP subnetting.Source Port Enter the port number of the source. See Table 55 on page 140 for some common services and port numbers.Protocol Select the protocol (TCP or UDP) or select User defined and enter the protocol (service type) number. OK Click OK to save your customized settings.Cancel Click Cancel to exit this screen without saving.

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide 147Figure 82 Bandwidth Management: Monitor

Chapter 14 Bandwidth ManagementZyXEL NBG-334SH User’s Guide148

ZyXEL NBG-334SH User’s Guide 149CHAPTER 15 Remote Management ScreensThis chapter provides information on the Remote Management screens. 15.1 Remote Management OverviewRemote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers."When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for details on configuring firewall rules.You may manage your ZyXEL Device from a remote location via:"When you choose WAN or LAN & WAN, you still need to configure a firewall rule to allow access.To disable remote management of a service, select Disable in the corresponding Server Access field.You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.1Telnet2HTTPTable 61 • Internet (WAN only) • ALL (LAN and WAN)• LAN only • Neither (Disable).

Chapter 15 Remote Management ScreensZyXEL NBG-334SH User’s Guide15015.1.1 Remote Management LimitationsRemote management over LAN or WAN will not work when:1You have disabled that service in one of the remote management screens.2The IP address in the Secured Client IP Address field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately.3There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.4There is a firewall rule that blocks it.15.1.2 Remote Management and NATWhen NAT is enabled:• Use the ZyXEL Device’s WAN IP address when configuring from the WAN. • Use the ZyXEL Device’s LAN IP address when configuring from the LAN.15.1.3 System TimeoutThere is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the System screen15.2 WWW Screen To change your ZyXEL Device’s World Wide Web settings, click Management > Remote MGMT to display the WWW screen.Figure 83 WWW Remote Management

Chapter 15 Remote Management ScreensZyXEL NBG-334SH User’s Guide 151The following table describes the labels in this screen.15.3 TelnetYou can configure your ZyXEL Device for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the ZyXEL Device.Figure 84 Telnet Configuration on a TCP/IP Network15.4 Telnet ScreenTo change your ZyXEL Device’s Telnet settings, click Management > Remote MGMT > Telnet. The following screen displays. Table 62 WWW Remote ManagementLABEL DESCRIPTIONServer Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server Access Select the interface(s) through which a computer may access the ZyXEL Device using this service.Secured Client IP AddressA secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service.Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.

Chapter 15 Remote Management ScreensZyXEL NBG-334SH User’s Guide152Figure 85 Telnet Remote ManagementThe following table describes the labels in this screen.15.5 FTP ScreenYou can upload and download the ZyXEL Device’s firmware and configuration files using FTP, please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.To change your ZyXEL Device’s FTP settings, click Management > Remote MGMT > FTP. The screen appears as shown.Figure 86 FTP Remote ManagementTable 63 Telnet Remote ManagementLABEL DESCRIPTIONServer Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server Access Select the interface(s) through which a computer may access the ZyXEL Device using this service.Secured Client IP AddressA secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service.Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.

Chapter 15 Remote Management ScreensZyXEL NBG-334SH User’s Guide 153The following table describes the labels in this screen.15.6 DNS Screen Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to the chapter on Wizard Setup for background information. To change your ZyXEL Device’s DNS settings, click Management > Remote MGMT > DNS. The screen appears as shown.Figure 87 DNS Remote ManagementTable 64 FTP Remote ManagementLABEL DESCRIPTIONServer Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server Access Select the interface(s) through which a computer may access the ZyXEL Device using this service.Secured Client IP AddressA secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service.Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.

Chapter 15 Remote Management ScreensZyXEL NBG-334SH User’s Guide154The following table describes the labels in this screen.Table 65 DNS Remote ManagementLABEL DESCRIPTIONServer Port The DNS service port number is 53 and cannot be changed here.Server Access Select the interface(s) through which a computer may send DNS queries to the ZyXEL Device.Secured Client IP AddressA secured client is a “trusted” computer that is allowed to send DNS queries to the ZyXEL Device.Select All to allow any computer to send DNS queries to the ZyXEL Device.Choose Selected to just allow the computer with the IP address that you specify to send DNS queries to the ZyXEL Device.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.

ZyXEL NBG-334SH User’s Guide 155CHAPTER 16 Universal Plug-and-Play (UPnP)This chapter introduces the UPnP feature in the web configurator.16.1 Introducing Universal Plug and Play Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.See Section 16.3 on page 156 for configuration instructions. 16.1.1 How do I know if I'm using UPnP? UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device. 16.1.2 NAT TraversalUPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:• Dynamic port mapping• Learning public IP addresses• Assigning lease times to mappingsWindows Messenger is an example of an application that supports NAT traversal and UPnP. See the NAT chapter for more information on NAT.16.1.3 Cautions with UPnPThe automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.

Chapter 16 Universal Plug-and-Play (UPnP)ZyXEL NBG-334SH User’s Guide156When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyXEL Device allows multicast messages on the LAN only.All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 16.2 UPnP and ZyXELZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports Internet Gateway Device (IGD) 1.0. See the following sections for examples of installing and using UPnP.16.3 UPnP ScreenClick the Management > UPnP to display the UPnP screen.Figure 88 Configuring UPnPThe following table describes the labels in this screen. Table 66 Configuring UPnPLABEL DESCRIPTIONActive the Universal Plug and Play (UPnP) FeatureSelect this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address (although you must still enter the password to access the web configurator).Allow users to make configuration changes through UPnPSelect this check box to allow UPnP-enabled applications to automatically configure the ZyXEL Device so that they can communicate through the ZyXEL Device, for example by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application. Allow UPnP to pass through FirewallSelect this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).

Chapter 16 Universal Plug-and-Play (UPnP)ZyXEL NBG-334SH User’s Guide 15716.4 Installing UPnP in Windows ExampleThis section shows how to install UPnP in Windows Me and Windows XP. 16.4.0.1 Installing UPnP in Windows MeFollow the steps below to install the UPnP in Windows Me. 1Click Start and Control Panel. Double-click Add/Remove Programs.2Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Figure 89 Add/Remove Programs: Windows Setup: Communication 3In the Communications window, select the Universal Plug and Play check box in the Components selection box. Apply Click Apply to save the setting to the ZyXEL Device.Cancel Click Cancel to return to the previously saved settings.Table 66 Configuring UPnPLABEL DESCRIPTION

Chapter 16 Universal Plug-and-Play (UPnP)ZyXEL NBG-334SH User’s Guide158Figure 90 Add/Remove Programs: Windows Setup: Communication: Components4Click OK to go back to the Add/Remove Programs Properties window and click Next. 5Restart the computer when prompted. Installing UPnP in Windows XPFollow the steps below to install the UPnP in Windows XP.1Click Start and Control Panel. 2Double-click Network Connections.3In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. Figure 91 Network Connections4The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.

Chapter 16 Universal Plug-and-Play (UPnP)ZyXEL NBG-334SH User’s Guide 159Figure 92 Windows Optional Networking Components Wizard5In the Networking Services window, select the Universal Plug and Play check box. Figure 93 Networking Services6Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.

Chapter 16 Universal Plug-and-Play (UPnP)ZyXEL NBG-334SH User’s Guide16016.4.0.2 Using UPnP in Windows XP ExampleThis section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device.Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your computer and the ZyXEL Device. Auto-discover Your UPnP-enabled Network Device1Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.2Right-click the icon and select Properties. Figure 94 Network Connections3In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created.

Navigation menu