ZyXEL Communications NBG334W Wireless Firewall Router User Manual NBG334W User s Guide

ZyXEL Communications Corporation Wireless Firewall Router NBG334W User s Guide

Users Manual Part 3

Chapter 7 WANNBG334W User’s Guide100The following table describes the labels in this screen.Table 38 Network > WAN > Internet Connection: PPTP EncapsulationLABEL DESCRIPTIONISP Parameters for Internet AccessEncapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The NBG334W supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.User Name Type the user name given to you by your ISP. Password Type the password associated with the User Name above.Retype to Confirm Type your password again to make sure that you have entered is correctly. Nailed-up Connection Select Nailed-Up Connection if you do not want the connection to time out.Idle Timeout This value specifies the time in seconds that elapses before the NBG334W automatically disconnects from the PPTP server.PPTP ConfigurationGet automatically from ISP Select this option If your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option If the ISP assigned a fixed IP address. My IP Address Type the (static) IP address assigned to you by your ISP.My IP Subnet MaskYour NBG334W will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the NBG334W.Server IP Address Type the IP address of the PPTP server.Connection ID/NameType your identification name for the PPTP server.WAN IP Address Assignment Get automatically from ISP Select this option If your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option If the ISP assigned a fixed IP address. My WAN IP AddressEnter your WAN IP address in this field if you selected Use Fixed IP Address. Remote IP AddressEnter the remote IP address (if your ISP gave you one) in this field.Remote IP Subnet MaskEnter the remote IP subnet mask in this field.DNS Servers
Chapter 7 WANNBG334W User’s Guide 1017.5 Advanced WAN ScreenTo change your NBG334W’s advanced WAN settings, click Network > WAN > Advanced. The screen appears as shown.Figure 54 Network > WAN > Advanced First DNS ServerSecond DNS ServerThird DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the NBG334W's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a computer in order to access it.WAN MAC Address The MAC address section allows users to configure the WAN port's MAC address by either using the NBG334W’s MAC address, copying the MAC address from a computer on your LAN or manually entering a MAC address. Factory default Select Factory default to use the factory assigned default MAC Address.Clone the computer’s MAC addressSelect Clone the computer's MAC address - IP Address and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file. Set WAN MAC AddressSelect this option and enter the MAC address you want to use.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.Table 38 Network > WAN > Internet Connection: PPTP EncapsulationLABEL DESCRIPTION
Chapter 7 WANNBG334W User’s Guide102The following table describes the labels in this screen.Table 39 WAN > AdvancedLABEL DESCRIPTIONMulticast SetupMulticast Select IGMP V-1, IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.Allow between LAN and WANSelect this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.Allow Trigger Dial Select this option to allow NetBIOS packets to initiate calls. Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.
NBG334W User’s Guide 103CHAPTER 8 LANThis chapter describes how to configure LAN settings.8.1 LAN OverviewA Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks.8.1.1 IP Pool SetupThe NBG334W is pre-configured with a pool of 32 IP addresses starting from 192.168.1.33 to 192.168.1.64. This configuration leaves 31 IP addresses (excluding the NBG334W itself) in the lower range (192.168.1.2 to 192.168.1.32) for other server computers, for instance, servers for mail, FTP, TFTP, web, etc., that you may have.8.1.2 System DNS ServersRefer to the IP address and subnet mask section in the Connection Wizard chapter.8.2 LAN TCP/IP The NBG334W has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.8.2.1 Factory LAN DefaultsThe LAN parameters of the NBG334W are preset in the factory with the following values:• IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)• DHCP server enabled with 32 client IP addresses starting from 192.168.1.33. These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.
Chapter 8 LANNBG334W User’s Guide1048.2.2 IP Address and Subnet MaskRefer to the IP address and subnet mask section in the Connection Wizard chapter for this information.8.2.3 MulticastTraditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The NBG334W supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the NBG334W queries all directly connected networks to gather group membership. After that, the NBG334W periodically updates this information. IP multicasting can be enabled/disabled on the NBG334W LAN and/or WAN interfaces in the web configurator (LAN; WA N ). Select None to disable IP multicasting on these interfaces.8.2.4 Any IPTraditionally, you must set the IP addresses and the subnet masks of a computer and the NBG334W to be in the same subnet to allow the computer to access the Internet (through the NBG334W). In cases where your computer is required to use a static IP address in another network, you may need to manually configure the network settings of the computer every time you want to access the Internet via the NBG334W.With the Any IP feature and NAT enabled, the NBG334W allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, when the IP addresses of the computer and the NBG334W are not in the same subnet. Whether a computer is set to use a dynamic or static (fixed) IP address, you can simply connect the computer to the NBG334W and access the Internet.The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment. In a residential house where a NBG334W is installed, you can still use the computer to access the Internet without changing the network settings, even when the IP addresses of the computer and the NBG334W are not in the same subnet.
Chapter 8 LANNBG334W User’s Guide 105Figure 55 Any IP ExampleThe Any IP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the NBG334W’s IP address."You must enable NAT to use the Any IP feature on the NBG334W. Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network. IP routing table is defined on IP Ethernet devices (the NBG334W) to decide which hop to use, to help forward data along to its specified destination.The following lists out the steps taken, when a computer tries to access the Internet for the first time through the NBG334W.1When a computer (which is in a different subnet) first attempts to access the Internet, it sends packets to its default gateway (which is not the NBG334W) by looking at the MAC address in its ARP table. 2When the computer cannot locate the default gateway, an ARP request is broadcast on the LAN. 3The NBG334W receives the ARP request and replies to the computer with its own MAC address. 4The computer updates the MAC address for the default gateway to the ARP table. Once the ARP table is updated, the computer is able to access the Internet through the NBG334W. 5When the NBG334W receives packets from the computer, it creates an entry in the IP routing table so it can properly forward packets intended for the computer. After all the routing information is updated, the computer can access the NBG334W and the Internet as if it is in the same subnet as the NBG334W.
Chapter 8 LANNBG334W User’s Guide1068.3 LAN IP ScreenUse this screen to change your basic LAN settings. Click Network > LAN.Figure 56 Network > LAN > IP The following table describes the labels in this screen.8.4 LAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The NBG334W supports three logical LAN interfaces via its single physical Ethernet interface with the NBG334W itself as the gateway for each LAN network.To change your NBG334W’s IP alias settings, click Network > LAN > IP Alias. The screen appears as shown.Table 40 Network > LAN > IPLABEL DESCRIPTIONLAN TCP/IPIP Address Type the IP address of your NBG334W in dotted decimal notation 192.168.1.1 (factory default).IP Subnet Mask The subnet mask specifies the network number portion of an IP address. Your NBG334W will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the NBG334W.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.
Chapter 8 LANNBG334W User’s Guide 107Figure 57 Network > LAN > IP Alias The following table describes the labels in this screen.8.5 Advanced LAN ScreenTo change your NBG334W’s advanced IP settings, click Network > LAN > Advanced. The screen appears as shown.Figure 58 Network > LAN > Advanced Table 41 Network > LAN > IP AliasLABEL DESCRIPTIONIP Alias 1,2 Select the check box to configure another LAN network for the NBG334W.IP Address Enter the IP address of your NBG334W in dotted decimal notation. IP Subnet Mask Your NBG334W will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the NBG334W.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.
Chapter 8 LANNBG334W User’s Guide108The following table describes the labels in this screen.Table 42 Network > LAN > AdvancedLABEL DESCRIPTIONMulticast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.Any IP SetupActive Select this if you want to let computers on different subnets use the NBG334W.Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.Allow between LAN and WANSelect this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.
NBG334W User’s Guide 109CHAPTER 9 DHCP9.1 DHCPDHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the NBG334W as a DHCP server or disable it. When configured as a server, the NBG334W provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.9.2 DHCP Server General ScreenClick Network > DHCP Server. The following screen displays.Figure 59 Network > DHCP Server > General The following table describes the labels in this screen.Table 43 Network > DHCP Server > General LABEL DESCRIPTIONEnable DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server. Leave the Enable DHCP Server check box selected unless your ISP instructs you to do otherwise. Clear it to disable the NBG334W acting as a DHCP server. When configured as a server, the NBG334W provides TCP/IP configuration for the clients. If not, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must be manually configured. When set as a server, fill in the following four fields.IP Pool Starting AddressThis field specifies the first of the contiguous addresses in the IP address pool.Pool Size This field specifies the size, or count of the IP address pool.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.
Chapter 9 DHCPNBG334W User’s Guide1109.3 DHCP Server Advanced Screen This screen allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses. You can also use this screen to configure the DNS server information that the NBG334W sends to the DHCP clients.Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.To change your NBG334W’s static DHCP settings, click Network > DHCP Server > Advanced. The following screen displays.Figure 60 Network > DHCP Server > Advanced The following table describes the labels in this screen.Table 44 Network > DHCP Server > AdvancedLABEL DESCRIPTION# This is the index number of the static IP table entry (row).MAC Address Type the MAC address (with colons) of a computer on your LAN.IP Address Type the LAN IP address of a computer on your LAN.DNS Servers Assigned by DHCP Server The NBG334W passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. The NBG334W only passes this information to the LAN DHCP clients when you select the Enable DHCP Server check box. When you clear the Enable DHCP Server check box, DHCP service is disabled and you must have another DHCP sever on your LAN, or else the computers must have their DNS server addresses manually configured.
Chapter 9 DHCPNBG334W User’s Guide 1119.4 Client List ScreenThe DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the NBG334W’s DHCP server.Configure this screen to always assign an IP address to a MAC address (and host name). Click Network > DHCP Server > Client List. "You can also view a read-only client list by clicking the DHCP Table (Details...) hyperlink in the Status screen. The following screen displays.Figure 61 Network > DHCP Server > Client List First DNS ServerSecond DNS ServerThird DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the NBG334W's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply. Select DNS Relay to have the NBG334W act as a DNS proxy. The NBG334W's LAN IP address displays in the field to the right (read-only). The NBG334W tells the DHCP clients on the LAN that the NBG334W itself is the DNS server. When a computer on the LAN sends a DNS query to the NBG334W, the NBG334W forwards the query to the NBG334W's system DNS server (configured in the WAN > Internet Connection screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you click Apply. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a computer in order to access it.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.Table 44 Network > DHCP Server > AdvancedLABEL DESCRIPTION
Chapter 9 DHCPNBG334W User’s Guide112The following table describes the labels in this screen.Table 45 Network > DHCP Server > Client List LABEL DESCRIPTION# This is the index number of the host computer. IP Address This field displays the IP address relative to the # field listed above.Host Name This field displays the computer host name.MAC Address The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation).A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.Reserve Select this check box to have the NBG334W always assign this IP address to this MAC address (and host name). After you click Apply, the MAC address and IP address also display in the Advanced screen (where you can edit them).Apply Click Apply to save your settings.Refresh Click Refresh to reload the DHCP table.
NBG334W User’s Guide 113CHAPTER 10 Network Address Translation(NAT)This chapter discusses how to configure NAT on the NBG334W.10.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network.10.2 Using NAT"You must create a firewall rule in addition to setting up NAT, to allow traffic from the WAN to be forwarded through the NBG334W.10.2.1 Port Forwarding: Services and Port NumbersA port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world. Use the Application screen to forward incoming service requests to the server(s) on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded.
Chapter 10 Network Address Translation (NAT)NBG334W User’s Guide114"Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.10.2.2 Configuring Servers Behind Port Forwarding ExampleLet's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the InternetFigure 62 Multiple Servers Behind NAT Example10.3 General NAT ScreenClick Network > NAT to open the General screen.Figure 63 Network > NAT > General
Chapter 10 Network Address Translation (NAT)NBG334W User’s Guide 115The following table describes the labels in this screen.10.4 NAT Application Screen Port forwarding allows you to define the local servers to which the incoming services will be forwarded. To change your NBG334W’s port forwarding settings, click Network > NAT > Application. The screen appears as shown."If you do not assign a Default Server IP address in the NAT > General screen, the NBG334W discards all packets received for ports that are not specified in this screen or remote management.Refer to Appendix F on page 259 for port numbers commonly used for particular services.Table 46 Network > NAT > GeneralLABEL DESCRIPTIONEnable Network Address TranslationNetwork Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select the check box to enable NAT.Default Server SetupDefault Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in the Application screen. If you do not assign a Default Server IP address, the NBG334W discards all packets received for ports that are not specified in the Application screen or remote management.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.
Chapter 10 Network Address Translation (NAT)NBG334W User’s Guide116Figure 64 Network > NAT > Application The following table describes the labels in this screen.Table 47 NAT ApplicationLABEL DESCRIPTIONGame List Update A game list includes the pre-defined service name(s) and port number(s). You can edit and upload it to the NBG334W to replace the existing entries in the second field next to Service Name.File Path Type in the location of the file you want to upload in this field or click Browse... to find it.Browse... Click Browse... to find the.txt file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Update Click Update to begin the upload process. This process may take up to two minutes.Add Application RuleActive Select the check box to enable this rule and the requested service can be forwarded to the host with a specified internal IP address.Clear the checkbox to disallow forwarding of these ports to an inside server without having to delete the entry. Service Name Type a name (of up to 31 printable characters) to identify this rule in the first field next to Service Name. Otherwise, select a predefined service in the second field next to Service Name. The predefined service name and port number(s) will display in the Service Name and Port fields.
Chapter 10 Network Address Translation (NAT)NBG334W User’s Guide 11710.4.1 Game List ExampleHere is an example game list text file. The index number, service name and associated port(s) are specified by semi-colons (no spaces). Use the name=xxx (where xxx is the service name) to create a new service. Port range can be separated with a hyphen (-) (no spaces). Multiple (non-consecutive) ports can be separated by commas.Port Type a port number(s) to be forwarded.To specify a range of ports, enter a hyphen (-) between the first port and the last port, such as 10-20.To specify two or more non-consecutive port numbers, separate them by a comma without spaces, such as 123,567.Server IP Address Type the inside IP address of the server that receives packets from the port(s) specified in the Port field.Apply Click Apply to save your changes to the Application Rules Summary table.Reset Click Reset to not save and return your new changes in the Service Name and Port fields to the previous one.Application Rules Summary#This is the number of an individual port forwarding server entry.Active This icon is turned on when the rule is enabled. Name This field displays a name to identify this rule.Port This field displays the port number(s). Server IP Address This field displays the inside IP address of the server.Modify Click the Edit icon to display and modify an existing rule setting in the fields under Add Application Rule. Click the Remove icon to delete a rule.Table 47 NAT Application (continued)LABEL DESCRIPTION
Chapter 10 Network Address Translation (NAT)NBG334W User’s Guide118Figure 65 Game List Example10.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The NBG334W records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger" port). When the NBG334W's WAN port receives a response with a specific port number and protocol ("incoming" port), the NBG334W forwards the traffic to the LAN IP address of the computer that sent the request. After that computer’s connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.10.5.1 Trigger Port Forwarding Example The following is an example of trigger port forwarding.version=11;name=Battlefield 1942;port=14567,22000,23000-23009,27900,289002;name=Call of Duty;port=289603;name=Civilization IV;port=20564;name=Diablo I and II;port=6112-6119,40005;name=Doom 3;port=276666;name=F.E.A.R;port=278887;name=Final Fantasy XI;port=25,80,110,443,50000-655358;name=Guild Wars;port=6112,809;name=Half Life;port=6003,7002,27005,27010,27011,2701510;name=Jedi Knight III: Jedi Academy;port=28060-28062,28070-2808111;name=Need for Speed: Hot Pursuit 2;port=1230,8511-8512,27900,28900,61200-6123012;name=Neverwinter Nights;port=5120-5300,6500,27900,2890013;name=Quake 2;port=2791014;name=Quake 3;port=27660,2796015;name=Rainbow Six 3: Raven Shield;port=7777-7787,8777-878716;name=Serious Sam II;port=25600-2560517;name=Silent Hunter III;port=17997-1800318;name=Soldier of Fortune II;port=20100-2011219;name=Starcraft;port=6112-6119,400020;name=Star Trek: Elite Force II;port=29250,2925621;name=SWAT 4;port=10480-1048322;name=Warcraft II and III;port=6112-6119,400023;name=World of Warcraft;port=3724
Chapter 10 Network Address Translation (NAT)NBG334W User’s Guide 119Figure 66 Trigger Port Forwarding Process: Example1Jane requests a file from the Real Audio server (port 7070).2Port 7070 is a “trigger” port and causes the NBG334W to record Jane’s computer IP address. The NBG334W associates Jane's computer IP address with the "incoming" port range of 6970-7170.3The Real Audio server responds using a port number ranging between 6970-7170.4The NBG334W forwards the traffic to Jane’s computer IP address. 5Only Jane can connect to the Real Audio server until the connection is closed or times out. The NBG334W times out in three minutes with UDP (User Datagram Protocol), or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol). 10.5.2 Two Points To Remember About Trigger Ports1Trigger events only happen on data that is going coming from inside the NBG334W and going to the outside.2If an application needs a continuous data stream, that port (range) will be tied up so that another computer on the LAN can’t trigger it.10.6 NAT Advanced ScreenTo change your NBG334W’s trigger port settings, click Network > NAT > Advanced. The screen appears as shown."Only one LAN computer can use a trigger port (range) at a time.
Chapter 10 Network Address Translation (NAT)NBG334W User’s Guide120Figure 67 Network > NAT > Advanced The following table describes the labels in this screen.Table 48 Network > NAT > AdvancedLABEL DESCRIPTIONMax NAT/Firewall Session Per UserType a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions that a host can create.When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet. Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/firewall sessions each client computer can establish through the NBG334W. If your network has a small number of clients using peer to peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer to peer applications, you can lower this number to ensure no single client is using all of the available NAT sessions.Port Triggering Rules#This is the rule index number (read-only).Name Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces.
Chapter 10 Network Address Translation (NAT)NBG334W User’s Guide 121Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The NBG334W forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. Start Port Type a port number or the starting port number in a range of port numbers.End Port Type a port number or the ending port number in a range of port numbers.Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the NBG334W to record the IP address of the LAN computer that sent the traffic to a server on the WAN.Start Port Type a port number or the starting port number in a range of port numbers.End Port Type a port number or the ending port number in a range of port numbers.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.Table 48 Network > NAT > AdvancedLABEL DESCRIPTION
Chapter 10 Network Address Translation (NAT)NBG334W User’s Guide122
NBG334W User’s Guide 123CHAPTER 11 Dynamic DNS11.1 Dynamic DNS Introduction Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.11.1.1 DynDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname."If you have a private WAN IP address, then you cannot use Dynamic DNS.11.2 Dynamic DNS Screen To change your NBG334W’s DDNS, click Network > DDNS. The screen appears as shown.
Chapter 11 Dynamic DNSNBG334W User’s Guide124Figure 68 Dynamic DNSThe following table describes the labels in this screen.Table 49 Dynamic DNSLABEL DESCRIPTIONEnable Dynamic DNS Select this check box to use dynamic DNS.Service Provider Select the name of your Dynamic DNS service provider.Dynamic DNS Type Select the type of service that you are registered for from your Dynamic DNS service provider.Host Name Enter a host names in the field provided. You can specify up to two host names in the field separated by a comma (",").User Name Enter your user name.Password Enter the password assigned to you.Enable Wildcard OptionSelect the check box to enable DynDNS Wildcard.Enable off line option This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.IP Address Update Policy:Use WAN IP Address Select this option to update the IP address of the host name(s) to the WAN IP address.Dynamic DNS server auto detect IP AddressSelect this option to update the IP address of the host name(s) automatically by the DDNS server. It is recommended that you select this option.Use specified IP AddressType the IP address of the host name(s). Use this if you have a static IP address.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.
125PART IIISecurityFirewall (127)Content Filtering (133)
126
NBG334W User’s Guide 127CHAPTER 12 FirewallThis chapter gives some background information on firewalls and explains how to get started with the NBG334W’s firewall.12.1 Introduction to ZyXEL’s Firewall 12.1.1 What is a Firewall?Originally, the term “firewall” referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from a network that is not trusted. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself. 12.1.2 Stateful Inspection Firewall Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.12.1.3 About the NBG334W FirewallThe NBG334W firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (click the General tab under Firewall and then click the Enable Firewall check box). The NBG334W's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The NBG334W can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.
Chapter 12 FirewallNBG334W User’s Guide128The NBG334W is installed between the LAN and a broadband modem connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.The NBG334W has one Ethernet WAN port and four Ethernet LAN ports, which are used to physically separate the network into two areas.The WAN (Wide Area Network) port attaches to the broadband (cable or DSL) modem to the Internet.The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, "inbound access" is not allowed (by default) unless the remote host is authorized to use a specific service.12.1.4 Guidelines For Enhancing Security With Your Firewall1Change the default password via web configurator. 2Think about access control before you connect to the network in any way, including attaching a modem to the port. 3Limit who can access your router. 4Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network. 5For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. 6Protect against IP spoofing by making sure the firewall is active. 7Keep the firewall in a secured (locked) room. 12.2 Triangle RoutesIf an alternate gateway on the LAN has an IP address in the same subnet as the NBG334W’s LAN IP address, return traffic may not go through the NBG334W. This is called an asymmetrical or “triangle” route. This causes the NBG334W to reset the connection, as the connection has not been acknowledged.You can have the NBG334W permit the use of asymmetrical route topology on the network (not reset the connection).Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the NBG334W. A better solution is to use IP alias to put the NBG334W and the backup gateway on separate subnets.12.2.1 Triangle Routes and IP AliasYou can use IP alias instead of allowing triangle routes. IP Alias allow you to partition your network into logical sections over the same interface. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the NBG334W to your LAN. The following steps describe such a scenario.
Chapter 12 FirewallNBG334W User’s Guide 1291A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.2The NBG334W reroutes the packet to Gateway A, which is in Subnet 2. 3The reply from the WAN goes to the NBG334W. 4The NBG334W then sends it to the computer on the LAN in Subnet 1. Figure 69 Using IP Alias to Solve the Triangle Route Problem12.3 General Firewall Screen Click Security > Firewall to open the General screen. Use this screen to enable or disable the NBG334W’s firewall, and set up firewall logs. Figure 70 Security > Firewall > General lThe following table describes the labels in this screen.Table 50 Security > Firewall > General LABEL DESCRIPTIONEnable Firewall Select this check box to activate the firewall. The NBG334W performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.Packet Direction This is the direction of travel of packets.Firewall rules are grouped based on the direction of travel of packets to which they apply.
Chapter 12 FirewallNBG334W User’s Guide13012.4 Services ScreenClick Security > Firewall > Services. The screen appears as shown next. If an outside user attempts to probe an unsupported port on your NBG334W, an ICMP response packet is automatically returned. This allows the outside user to know the NBG334W exists. Use this screen to prevent the ICMP response packet from being sent. This keeps outsiders from discovering your NBG334W when unsupported ports are probed.You can also use this screen to enable service blocking, enter/delete/modify the services you want to block and the date/time you want to block them.Log Select whether to create a log for packets that are traveling in the selected direction when the packets are blocked or forwarded.To log packets related to firewall rules, make sure that Access Control under Log is selected in the Logs > Log Settings screen. Apply Click Apply to save the settings. Reset Click Reset to start configuring this screen again. Table 50 Security > Firewall > General LABEL DESCRIPTION
Chapter 12 FirewallNBG334W User’s Guide 131Figure 71 Security > Firewall > Services The following table describes the labels in this screen.Table 51 Security > Firewall > ServicesLABEL DESCRIPTIONICMP Internet Control Message Protocol is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user. Respond to Ping onThe NBG334W will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests.
Chapter 12 FirewallNBG334W User’s Guide132Do not respond to requests for unauthorized servicesSelect this option to prevent hackers from finding the NBG334W by probing for unused ports. If you select this option, the NBG334W will not respond to port request(s) for unused ports, thus leaving the unused ports and the NBG334W unseen. By default this option is not selected and the NBG334W will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports. Note that the probing packets must first traverse the NBG334W's firewall mechanism before reaching this anti-probing mechanism. Therefore if the firewall mechanism blocks a probing packet, the NBG334W reacts based on the firewall policy, which by default, is to send a TCP reset packet for a blocked TCP packet. You can use the command "sys firewall tcprst rst [on|off]" to change this policy. When the firewall mechanism blocks a UDP packet, it drops the packet without sending a response packet.Service SetupEnable Services BlockingSelect this check box to enable this feature.Available ServicesThis is a list of pre-defined services (ports) you may prohibit your LAN computers from using. Select the port you want to block using the drop-down list and click Add to add the port to the Blocked Services field.Blocked Services This is a list of services (ports) that will be inaccessible to computers on your LAN once you enable service blocking. Custom Port A custom port is a service that is not available in the pre-defined Available Services list and you must define using the next two fields.Type Choose the IP port (TCP or UDP) that defines your customized port from the drop down list box.Port Number Enter the port number range that defines the service. For example, if you want to define the Gnutella service, then select TCP type and enter a port range from 6345 to 6349.Add Select a service from the Available Services drop-down list and then click Add to add a service to the Blocked ServicesDelete Select a service from the Blocked Services list and then click Delete to remove this service from the list.Clear All Click Clear All to empty the Blocked Services.Schedule to BlockDay to Block: Select a check box to configure which days of the week (or everyday) you want service blocking to be active. Time of Day to Block (24-Hour Format)Select the time of day you want service blocking to take effect. Configure blocking to take effect all day by selecting All Day. You can also configure specific times by selecting From and entering the start time in the Start (hour) and Start (min) fields and the end time in the End (hour) and End (min) fields. Enter times in 24-hour format, for example, "3:00pm" should be entered as "15:00".Misc settingBypass Triangle RouteSelect this check box to have the NBG334W firewall ignore the use of triangle route topology on the network. Max NAT/Firewall Session Per UserType a number ranging from 1 to 2048 to limit the number of NAT/firewall sessions that a host can create.Apply Click Apply to save the settings. Reset Click Reset to start configuring this screen again. Table 51 Security > Firewall > ServicesLABEL DESCRIPTION
NBG334W User’s Guide 133CHAPTER 13 Content FilteringThis chapter provides a brief overview of content filtering using the embedded web GUI.13.1 Introduction to Content FilteringInternet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords.13.2 Restrict Web FeaturesThe NBG334W can block web features such as ActiveX controls, Java applets, cookies and disable web proxies. 13.3 Days and TimesThe NBG334W also allows you to define time periods and days during which the NBG334W performs content filtering.13.4 Filter ScreenClick Security > Content Filter to open the Filter screen.
Chapter 13 Content FilteringNBG334W User’s Guide134Figure 72 Security > Content Filter > Filter The following table describes the labels in this screen.Table 52 Security > Content Filter > FilterLABEL DESCRIPTIONTrusted Computer IP AddressTo enable this feature, type an IP address of any one of the computers in your network that you want to have as a trusted computer. This allows the trusted computer to have full access to all features that are configured to be blocked by content filtering.Leave this field blank to have no trusted computers.Restrict Web FeaturesSelect the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.ActiveX A tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again. Java A programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds.Cookies Used by Web servers to track usage and provide service based on ID. Web Proxy A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server. Keyword BlockingEnable URL Keyword BlockingThe NBG334W can block Web sites with URLs that contain certain keywords in the domain name or IP address. For example, if the keyword "bad" was enabled, all sites containing this keyword in the domain name or IP address will be blocked, e.g., URL http://www.website.com/bad.html would be blocked. Select this check box to enable this feature.
Chapter 13 Content FilteringNBG334W User’s Guide 13513.5 ScheduleUse this screen to set the day(s) and time you want the NBG334W to use content filtering. Click Security > Content Filter > Schedule. The following screen displays.Figure 73 Security > Content Filter > ScheduleThe following table describes the labels in this screen.Keyword Type a keyword in this field. You may use any character (up to 64 characters). Wildcards are not allowed. You can also enter a numerical IP address.Keyword List This list displays the keywords already added. Add Click Add after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed.When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.Delete Highlight a keyword in the lower box and click Delete to remove it. The keyword disappears from the text box after you click Apply.Clear All Click this button to remove all of the listed keywords.Denied Access MessageEnter a message to be displayed when a user tries to access a restricted web site. The default message is “Please contact your network administrator!!”Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afreshTable 52 Security > Content Filter > FilterLABEL DESCRIPTIONTable 53 Security > Content Filter > ScheduleLABEL DESCRIPTIONDay to Block Select check boxes for the days that you want the NBG334W to perform content filtering. Select the Everyday check box to have content filtering turned on all days of the week.Time of Day to Block (24-Hour Format)Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. Time of Day to Block restrictions only apply to the keywords (see above). Restrict web server data, such as ActiveX, Java, Cookies and Web Proxy are not affected.Select All Day to have content filtering always active on the days selected in Day to Block with time of day limitations not enforced.Select From and enter the time period, in 24-hour format, during which content filtering will be enforced.
Chapter 13 Content FilteringNBG334W User’s Guide13613.6 Customizing Keyword Blocking URL CheckingYou can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.13.6.1 Domain Name or IP Address URL CheckingBy default, the NBG334W checks the URL’s domain name or IP address when performing keyword blocking.This means that the NBG334W checks the characters that come before the first slash in the URL.For example, with the URL www.zyxel.com.tw/news/pressroom.php, content filtering only searches for keywords within www.zyxel.com.tw.13.6.2 Full Path URL CheckingFull path URL checking has the NBG334W check the characters that come before the last slash in the URL.For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/.Use the ip urlfilter customize actionFlags 6 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's full path.13.6.3 File Name URL CheckingFilename URL checking has the NBG334W check all of the characters in the URL.For example, filename URL checking searches for keywords within the URL www.zyxel.com.tw/news/pressroom.php.Use the ip urlfilter customize actionFlags 8 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's complete filename.Apply Click Apply to save your customized settings and exit this screen.Reset Click Reset to begin configuring this screen afreshTable 53 Security > Content Filter > ScheduleLABEL DESCRIPTION
137PART IVManagementStatic Route Screens (139)Bandwidth Management (143)Remote Management (153)Universal Plug-and-Play (UPnP) (159)
138
NBG334W User’s Guide 139CHAPTER 14 Static Route ScreensThis chapter shows you how to configure static routes for your NBG334W.14.1 Static Route OverviewEach remote node specifies only the network to which the gateway is directly connected, and the NBG334W has no knowledge of the networks beyond. For instance, the NBG334W knows about network N2 in the following figure through remote node router R1. However, the NBG334W is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node router R1 (via gateway router R2). The static routes are for you to tell the NBG334W about the networks beyond the remote nodes.Figure 74 Example of Static Routing Topology14.2 IP Static Route ScreenClick Management > Static Route to open the IP Static Route screen. The following screen displays.
Chapter 14 Static Route ScreensNBG334W User’s Guide140Figure 75 Management > Static Route > IP Static RouteThe following table describes the labels in this screen.14.2.1 Static Route Setup Screen To edit a static route, click the edit icon under Modify. The following screen displays. Fill in the required information for each static route.Table 54 Management > Static Route > IP Static RouteLABEL DESCRIPTION#This is the index number of an individual static route. The first entry is for the default route and not editable.Name This is the name that describes or identifies this route. Active This icon is turned on when this static route is active.Click the Edit icon under Modify and select the Active checkbox in the Static Route Setup screen to enable the static route. Clear the checkbox to disable this static route without having to delete the entry.Destination This parameter specifies the IP network address of the final destination. Routing is always based on network number. Gateway This is the IP address of the gateway. The gateway is an immediate neighbor of your NBG334W that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your NBG334W; over the WAN, the gateway must be the IP address of one of the remote nodes.Modify Click the Edit icon to open the static route setup screen. Modify a static route or create a new static route in the Static Route Setup screen.Click the Remove icon to delete a static route.
Chapter 14 Static Route ScreensNBG334W User’s Guide 141Figure 76 Management > Static Route > IP Static Route: Static Route SetupThe following table describes the labels in this screen.Table 55 Management > Static Route > IP Static Route: Static Route SetupLABEL DESCRIPTIONRoute Name Enter the name of the IP static route. Leave this field blank to delete this static route.Active This field allows you to activate/deactivate this static route.Private This parameter determines if the NBG334W will include this route to a remote node in its RIP broadcasts.Select this check box to keep this route private and not included in RIP broadcasts. Clear this checkbox to propagate this route to other hosts through RIP broadcasts.Destination IP AddressThis parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.IP Subnet Mask Enter the IP subnet mask here.Gateway IP AddressEnter the IP address of the gateway. The gateway is an immediate neighbor of your NBG334W that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your NBG334W; over the WAN, the gateway must be the IP address of one of the Remote Nodes.Metric Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number. Apply Click Apply to save your changes back to the NBG334W.Cancel Click Cancel to return to the previous screen and not save your changes.
Chapter 14 Static Route ScreensNBG334W User’s Guide142
NBG334W User’s Guide 143CHAPTER 15 Bandwidth ManagementThis chapter contains information about configuring bandwidth management, editing rules and viewing the NBG334W’s bandwidth management logs.15.1 Bandwidth Management Overview ZyXEL’s Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth rules. The NBG334W applies bandwidth management to traffic that it forwards out through an interface. The NBG334W does not control the bandwidth of traffic that comes into an interface.Bandwidth management applies to all traffic flowing out of the router, regardless of the traffic's source.Traffic redirect or IP alias may cause LAN-to-LAN traffic to pass through the NBG334W and be managed by bandwidth management. • The sum of the bandwidth allotments that apply to the WAN interface (LAN to WAN, WLAN to WAN, WAN to WAN / NBG334W) must be less than or equal to the Upstream Bandwidth that you configure in the Bandwidth Management Advanced screen. • The sum of the bandwidth allotments that apply to the LAN port (WAN to LAN, WLAN to LAN, LAN to LAN / NBG334W) must be less than or equal to 100,000 kbps (you cannot configure the bandwidth budget for the LAN port). • The sum of the bandwidth allotments that apply to the WLAN port (LAN to WLAN, WAN to WLAN, WLAN to WLAN / NBG334W) must be less than or equal to 54,000 kbps (you cannot configure the bandwidth budget for the WLAN port). 15.2 Application-based Bandwidth ManagementYou can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).15.3 Subnet-based Bandwidth ManagementYou can create bandwidth classes based on subnets.
Chapter 15 Bandwidth ManagementNBG334W User’s Guide144The following figure shows LAN subnets. You could configure one bandwidth class for subnet A and another for subnet B. Figure 77 Subnet-based Bandwidth Management Example15.4 Application and Subnet-based Bandwidth ManagementYou could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.15.5 Bandwidth Management Priorities The following table describes the priorities that you can apply to traffic that the NBG334W forwards out through an interface.Table 56 Application and Subnet-based Bandwidth Management Example TRAFFIC TYPE FROM SUBNET A FROM SUBNET BVoIP 64 Kbps 64 KbpsWeb 64 Kbps 64 KbpsFTP 64 Kbps 64 KbpsE-mail 64 Kbps 64 KbpsVideo 64 Kbps 64 KbpsTable 57 Bandwidth Management PrioritiesPRIORITY LEVELS: TRAFFIC WITH A HIGHER PRIORITY GETS THROUGH FASTER WHILE TRAFFIC WITH A LOWER PRIORITY IS DROPPED IF THE NETWORK IS CONGESTED.High Typically used for voice traffic or video that is especially sensitive to jitter (jitter is the variations in delay).
Chapter 15 Bandwidth ManagementNBG334W User’s Guide 14515.6 Predefined Bandwidth Management ServicesThe following is a description of the services that you can select and to which you can apply media bandwidth management using the wizard screens. Mid Typically used for “excellent effort” or better than best effort and would include important business traffic that can tolerate some delay.Low This is typically used for non-critical “background” traffic such as bulk transfers that are allowed but that should not affect other applications and users. Table 57 Bandwidth Management PrioritiesPRIORITY LEVELS: TRAFFIC WITH A HIGHER PRIORITY GETS THROUGH FASTER WHILE TRAFFIC WITH A LOWER PRIORITY IS DROPPED IF THE NETWORK IS CONGESTED.Table 58 Media Bandwidth Management Setup: ServicesSERVICE DESCRIPTIONXbox Live This is Microsoft’s online gaming service that lets you play multiplayer Xbox games on the Internet via broadband technology. Xbox Live uses port 3074.VoIP (SIP) Sending voice signals over the Internet is called Voice over IP or VoIP. Session Initiated Protocol (SIP) is an internationally recognized standard for implementing VoIP. SIP is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.SIP is transported primarily over UDP but can also be transported over TCP, using the default port number 5060. FTP File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail. FTP uses port number 21.E-Mail Electronic mail consists of messages sent through a computer network to specific groups or individuals. Here are some default ports for e-mail: POP3 - port 110IMAP - port 143SMTP - port 25HTTP - port 80BitTorrent BitTorrent is a free P2P (peer-to-peer) sharing tool allowing you to distribute large software and media files using ports 6881 to 6889. BitTorrent requires you to search for a file with a searching engine yourself. It distributes files by corporation and trading, that is, the client downloads the file in small pieces and share the pieces with other peers to get other half of the file.MSN Webcam MSN messenger allows you to chat online and send instant messages. If you use MSN messenger and also have a webcam, you can send your image/photo in real-time along with messagesWWW The World Wide Web (WWW) is an Internet system to distribute graphical, hyper-linked information, based on Hyper Text Transfer Protocol (HTTP) - a client/server protocol for the World Wide Web. The Web is not synonymous with the Internet; rather, it is just one service on the Internet. Other services on the Internet include Internet Relay Chat and Newsgroups. The Web is accessed through use of a browser.
Chapter 15 Bandwidth ManagementNBG334W User’s Guide14615.6.1 Services and Port NumbersThe commonly used services and port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type. For example, look at the DNS service. (UDP/TCP:53) means UDP port 53 and TCP port 53.
Chapter 15 Bandwidth ManagementNBG334W User’s Guide 147Table 59 Commonly Used ServicesSERVICE DESCRIPTIONAIM/New-ICQ(TCP:5190) AOL’s Internet Messenger service, used as a listening port by ICQ.AUTH(TCP:113) Authentication protocol used by some servers.BGP(TCP:179) Border Gateway Protocol.BOOTP_CLIENT(UDP:68) DHCP Client.BOOTP_SERVER(UDP:67) DHCP Server.CU-SEEME(TCP/UDP:7648, 24032) A popular videoconferencing solution from White Pines Software.DNS(UDP/TCP:53) Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.FINGER(TCP:79) Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.FTP(TCP:20.21) File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.H.323(TCP:1720) NetMeeting uses this protocol.HTTP(TCP:80) Hyper Text Transfer Protocol - a client/server protocol for the world wide web.HTTPS(TCP:443) HTTPS is a secured http session often used in e-commerce.ICQ(UDP:4000) This is a popular Internet chat program.IKE(UDP:500) The Internet Key Exchange algorithm is used for key distribution and management.IPSEC_TUNNEL(AH:0) The IPSEC AH (Authentication Header) tunneling protocol uses this service.IPSEC_TUNNEL(ESP:0) The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.IRC(TCP/UDP:6667) This is another popular Internet chat program.MSN Messenger(TCP:1863) Microsoft Networks’ messenger service uses this protocol. MULTICAST(IGMP:0) Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.NEW-ICQ(TCP:5190) An Internet chat program.NEWS(TCP:144) A protocol for news groups.NFS(UDP:2049) Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.NNTP(TCP:119) Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.PING(ICMP:0) Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.POP3(TCP:110) Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).PPTP(TCP:1723) Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.PPTP_TUNNEL(GRE:0) Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the data channel.RCMD(TCP:512) Remote Command Service.REAL_AUDIO(TCP:7070) A streaming audio service that enables real time sound over the web.
Chapter 15 Bandwidth ManagementNBG334W User’s Guide14815.7 Default Bandwidth Management Classes and PrioritiesIf you enable bandwidth management but do not configure a rule for critical traffic like VoIP, the voice traffic may then get delayed due to insufficient bandwidth. With the automatic traffic classifier feature activated, the NBG334W automatically assigns a default bandwidth management class and priority to traffic that does not match any of the user-defined rules. The traffic is classified based on the traffic type. Real-time traffic always gets higher priority over other traffic. The following table shows you the priorities between the three default classes (AutoClass_H, AutoClass_M and Default Class) and user-defined rules. 6 is the highest priority.REXEC(TCP:514) Remote Execution Daemon.RLOGIN(TCP:513) Remote Login.RTELNET(TCP:107) Remote Telnet.RTSP(TCP/UDP:554) The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP(TCP:115) Simple File Transfer Protocol.SMTP(TCP:25) Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.SNMP(TCP/UDP:161) Simple Network Management Program.SNMP-TRAPS(TCP/UDP:162) Traps for use with the SNMP (RFC:1215).SQL-NET(TCP:1521) Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.SSH(TCP/UDP:22) Secure Shell Remote Login Program.STRM WORKS(UDP:1558) Stream Works Protocol.SYSLOG(UDP:514) Syslog allows you to send system logs to a UNIX server.TACACS(UDP:49) Login Host Protocol used for (Terminal Access Controller Access Control System).TELNET(TCP:23) Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.TFTP(UDP:69) Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).VDOLIVE(TCP:7000) Another videoconferencing solution.Table 59 Commonly Used ServicesSERVICE DESCRIPTIONTable 60 Bandwidth Management Priority with Default ClassesCLASS TYPE PRIORITYUser-defined with high priority 6AutoClass_H 5User-defined with medium priority 4
Chapter 15 Bandwidth ManagementNBG334W User’s Guide 14915.8 Bandwidth Management General Configuration Click Management > Bandwidth MGMT to open the bandwidth management General screen.Figure 78 Management > Bandwidth MGMT > General The following table describes the labels in this screen.15.9 Bandwidth Management Advanced Configuration Click Management > Bandwidth MGMT > Advanced to open the bandwidth management Advanced screen.AutoClass_M 3User-defined with low priority 2Default Class 1Table 60 Bandwidth Management Priority with Default ClassesCLASS TYPE PRIORITYTable 61 Management > Bandwidth MGMT > GeneralLABEL DESCRIPTIONEnable Bandwidth Management Select this check box to have the NBG334W apply bandwidth management. Enable bandwidth management to give traffic that matches a bandwidth rule priority over traffic that does not match a bandwidth rule. Enabling bandwidth management also allows you to control the maximum or minimum amounts of bandwidth that can be used by traffic that matches a bandwidth rule. Enable Automatic Traffic Classifier This field is only applicable when you select the Enable Bandwidth Management check box.Select this check box to have the NBG334W base on the default bandwidth classes to apply bandwidth management. Real-time packets, such as VoIP traffic always get higher priority.Apply Click Apply to save your customized settings.Reset Click Reset to begin configuring this screen afresh.
Chapter 15 Bandwidth ManagementNBG334W User’s Guide150Figure 79 Management > Bandwidth MGMT > Advanced The following table describes the labels in this screen.Table 62 Management > Bandwidth MGMT > Advanced LABEL DESCRIPTIONCheck my upstream bandwidthClick the Detection button to check the size of your upstream bandwidth.Upstream Bandwidth (kbps) Enter the amount of bandwidth in kbps (2 to 100,000) that you want to allocate for traffic. 20 kbps to 20,000 kbps is recommended.The recommendation is to set this speed to be equal to or less than the speed of the broadband device connected to the WAN port. For example, set the speed to 1000 Kbps (or less) if the broadband device connected to the WAN port has an upstream speed of 1000 Kbps.Application List Use this table to allocate specific amounts of bandwidth based on the pre-defined service.#This is the number of an individual bandwidth management rule.Enable Select this check box to have the NBG334W apply this bandwidth management rule.Service This is the name of the service.Priority Select a priority from the drop down list box. Choose High, Mid or Low.Advanced Setting Click the Edit icon to open the Rule Configuration screen where you can modify the rule.User-defined Service Use this table to allocate specific amounts of bandwidth to specific applications and/or subnets.#This is the number of an individual bandwidth management rule.
Chapter 15 Bandwidth ManagementNBG334W User’s Guide 15115.9.1 Rule Configuration If you want to edit a bandwidth management rule for other applications and/or subnets, click the Edit icon in the Application List or User-defined Service table of the Advanced screen. The following screen displays.Figure 80 Management > Bandwidth MGMT > Advanced: User-defined Service Rule Configuration The following table describes the labels in this screenTable 63 Management > Bandwidth MGMT > Advanced: User-defined Service Rule Enable Select this check box to have the NBG334W apply this bandwidth management rule.Direction Select To LAN to apply bandwidth management to traffic that the NBG334W forwards to the LAN. Select To WAN to apply bandwidth management to traffic that the NBG334W forwards to the WAN. Select To WLAN to apply bandwidth management to traffic that the NBG334W forwards to the WLAN. Service Name Enter a descriptive name of up to 19 alphanumeric characters, including spaces.Priority Select a priority from the drop down list box. Choose High, Mid or Low.Modify Click the Edit icon to open the Rule Configuration screen. Modify an existing rule or create a new rule in the Rule Configuration screen. See Section 15.9.1 on page 151 for more information.Click the Remove icon to delete a rule.Apply Click Apply to save your customized settings.Reset Click Reset to begin configuring this screen afresh.Table 62 Management > Bandwidth MGMT > Advanced (continued)LABEL DESCRIPTION
Chapter 15 Bandwidth ManagementNBG334W User’s Guide152Configuration 15.10 Bandwidth Management Monitor Click Management > Bandwidth MGMT > Monitor to open the bandwidth management Monitor screen. View the bandwidth usage of the WAN configured bandwidth rules. This is also shown as bandwidth usage over the bandwidth budget for each rule. The gray section of the bar represents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use.Figure 81 Management > Bandwidth MGMT > Monitor LABEL DESCRIPTIONBW Budget Select Maximum Bandwidth or Minimum Bandwidth and specify the maximum or minimum bandwidth allowed for the rule in kilobits per second. Destination AddressEnter the destination IP address in dotted decimal notation.Destination Subnet NetmaskEnter the destination subnet mask. This field is N/A if you do not specify a Destination Address. Refer to the appendices for more information on IP subnetting.Destination Port Enter the port number of the destination. See Table 59 on page 147 for some common services and port numbers.Source Address Enter the source IP address in dotted decimal notation.Source Subnet NetmaskEnter the destination subnet mask. This field is N/A if you do not specify a Source Address. Refer to the appendices for more information on IP subnetting.Source Port Enter the port number of the source. See Table 59 on page 147 for some common services and port numbers.Protocol Select the protocol (TCP or UDP) or select User defined and enter the protocol (service type) number. OK Click OK to save your customized settings.Cancel Click Cancel to exit this screen without saving.
NBG334W User’s Guide 153CHAPTER 16 Remote ManagementThis chapter provides information on the Remote Management screens. 16.1 Remote Management OverviewRemote management allows you to determine which services/protocols can access which NBG334W interface (if any) from which computers."When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for details on configuring firewall rules.You may manage your NBG334W from a remote location via:"When you choose WAN or LAN & WAN, you still need to configure a firewall rule to allow access.To disable remote management of a service, select Disable in the corresponding Server Access field.You may only have one remote management session running at a time. The NBG334W automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.1Telnet2HTTP16.1.1 Remote Management LimitationsRemote management over LAN or WAN will not work when:• Internet (WAN only) • ALL (LAN and WAN)• LAN only • Neither (Disable).
Chapter 16 Remote ManagementNBG334W User’s Guide1541You have disabled that service in one of the remote management screens.2The IP address in the Secured Client IP Address field does not match the client IP address. If it does not match, the NBG334W will disconnect the session immediately.3There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.4There is a firewall rule that blocks it.16.1.2 Remote Management and NATWhen NAT is enabled:• Use the NBG334W’s WAN IP address when configuring from the WAN. • Use the NBG334W’s LAN IP address when configuring from the LAN.16.1.3 System TimeoutThere is a default system management idle timeout of five minutes (three hundred seconds). The NBG334W automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the System screen16.2 WWW Screen To change your NBG334W’s World Wide Web settings, click Management > Remote MGMT to display the WWW screen.Figure 82 Management > Remote MGMT > WWW The following table describes the labels in this screenTable 64 Management > Remote MGMT > WWW LABEL DESCRIPTIONServer Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server Access Select the interface(s) through which a computer may access the NBG334W using this service.
Chapter 16 Remote ManagementNBG334W User’s Guide 15516.3 TelnetYou can configure your NBG334W for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the NBG334W.Figure 83 Telnet Configuration on a TCP/IP Network16.4 Telnet ScreenTo change your NBG334W’s Telnet settings, click Management > Remote MGMT > Telne t. The following screen displays. Figure 84 Management > Remote MGMT > Telnet Secured Client IP AddressA secured client is a “trusted” computer that is allowed to communicate with the NBG334W using this service. Select All to allow any computer to access the NBG334W using this service.Choose Selected to just allow the computer with the IP address that you specify to access the NBG334W using this service.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.LABEL DESCRIPTION
Chapter 16 Remote ManagementNBG334W User’s Guide156The following table describes the labels in this screen.16.5 FTP ScreenYou can upload and download the NBG334W’s firmware and configuration files using FTP, please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.To change your NBG334W’s FTP settings, click Management > Remote MGMT > FTP. The screen appears as shown.Figure 85 Management > Remote MGMT > FTP The following table describes the labels in this screen.Table 65 Management > Remote MGMT > TelnetLABEL DESCRIPTIONServer Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server Access Select the interface(s) through which a computer may access the NBG334W using this service.Secured Client IP AddressA secured client is a “trusted” computer that is allowed to communicate with the NBG334W using this service. Select All to allow any computer to access the NBG334W using this service.Choose Selected to just allow the computer with the IP address that you specify to access the NBG334W using this service.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.Table 66 Management > Remote MGMT > FTPLABEL DESCRIPTIONServer Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server Access Select the interface(s) through which a computer may access the NBG334W using this service.Secured Client IP AddressA secured client is a “trusted” computer that is allowed to communicate with the NBG334W using this service. Select All to allow any computer to access the NBG334W using this service.Choose Selected to just allow the computer with the IP address that you specify to access the NBG334W using this service.
Chapter 16 Remote ManagementNBG334W User’s Guide 15716.6 DNS Screen Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to the chapter on Wizard Setup for background information. To change your NBG334W’s DNS settings, click Management > Remote MGMT > DNS. The screen appears as shown.Figure 86 Management > Remote MGMT > DNS The following table describes the labels in this screen.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.Table 66 Management > Remote MGMT > FTPLABEL DESCRIPTIONTable 67 Management > Remote MGMT > DNSLABEL DESCRIPTIONServer Port The DNS service port number is 53 and cannot be changed here.Server Access Select the interface(s) through which a computer may send DNS queries to the NBG334W.Secured Client IP AddressA secured client is a “trusted” computer that is allowed to send DNS queries to the NBG334W.Select All to allow any computer to send DNS queries to the NBG334W.Choose Selected to just allow the computer with the IP address that you specify to send DNS queries to the NBG334W.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.
Chapter 16 Remote ManagementNBG334W User’s Guide158
NBG334W User’s Guide 159CHAPTER 17 Universal Plug-and-Play (UPnP)This chapter introduces the UPnP feature in the web configurator.17.1 Introducing Universal Plug and Play Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.See Section 17.3 on page 160 for configuration instructions. 17.1.1 How do I know if I'm using UPnP? UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device. 17.1.2 NAT TraversalUPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:• Dynamic port mapping• Learning public IP addresses• Assigning lease times to mappingsWindows Messenger is an example of an application that supports NAT traversal and UPnP. See the NAT chapter for more information on NAT.17.1.3 Cautions with UPnPThe automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide160When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the NBG334W allows multicast messages on the LAN only.All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 17.2 UPnP and ZyXELZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports Internet Gateway Device (IGD) 1.0. See the following sections for examples of installing and using UPnP.17.3 UPnP ScreenClick the Management > UPnP to display the UPnP screen.Figure 87 Management > UPnP > General The following table describes the labels in this screen. Table 68 Management > UPnP > GeneralLABEL DESCRIPTIONEnable the Universal Plug and Play (UPnP) FeatureSelect this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the NBG334W's IP address (although you must still enter the password to access the web configurator).Allow users to make configuration changes through UPnPSelect this check box to allow UPnP-enabled applications to automatically configure the NBG334W so that they can communicate through the NBG334W, for example by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application. Allow UPnP to pass through FirewallSelect this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide 16117.4 Installing UPnP in Windows ExampleThis section shows how to install UPnP in Windows Me and Windows XP. 17.4.0.1 Installing UPnP in Windows MeFollow the steps below to install the UPnP in Windows Me. 1Click Start and Control Panel. Double-click Add/Remove Programs.2Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Figure 88 Add/Remove Programs: Windows Setup: Communication 3In the Communications window, select the Universal Plug and Play check box in the Components selection box. Apply Click Apply to save the setting to the NBG334W.Cancel Click Cancel to return to the previously saved settings.Table 68 Management > UPnP > GeneralLABEL DESCRIPTION
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide162Figure 89 Add/Remove Programs: Windows Setup: Communication: Components4Click OK to go back to the Add/Remove Programs Properties window and click Next. 5Restart the computer when prompted. Installing UPnP in Windows XPFollow the steps below to install the UPnP in Windows XP.1Click Start and Control Panel. 2Double-click Network Connections.3In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. Figure 90 Network Connections4The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide 163Figure 91 Windows Optional Networking Components Wizard5In the Networking Services window, select the Universal Plug and Play check box. Figure 92 Networking Services6Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide16417.4.0.2 Using UPnP in Windows XP ExampleThis section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the NBG334W.Make sure the computer is connected to a LAN port of the NBG334W. Turn on your computer and the NBG334W. Auto-discover Your UPnP-enabled Network Device1Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.2Right-click the icon and select Properties. Figure 93 Network Connections3In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created.
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide 165Figure 94 Internet Connection Properties 4You may edit or delete the port mappings or click Add to manually add port mappings.
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide166Figure 95 Internet Connection Properties: Advanced SettingsFigure 96 Internet Connection Properties: Advanced Settings: Add5When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.6Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide 167Figure 97 System Tray Icon7Double-click on the icon to display your current Internet connection status.Figure 98 Internet Connection StatusWeb Configurator Easy AccessWith UPnP, you can access the web-based configurator on the NBG334W without finding out the IP address of the NBG334W first. This comes helpful if you do not know the IP address of the NBG334W.Follow the steps below to access the web configurator.1Click Start and then Control Panel. 2Double-click Network Connections. 3Select My Network Places under Other Places.
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide168Figure 99 Network Connections4An icon with the description for each UPnP-enabled device displays under Local Network. 5Right-click on the icon for your NBG334W and select Invoke. The web configurator login screen displays.
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide 169Figure 100 Network Connections: My Network Places6Right-click on the icon for your NBG334W and select Properties. A properties window displays with basic information about the NBG334W. Figure 101 Network Connections: My Network Places: Properties: Example
Chapter 17 Universal Plug-and-Play (UPnP)NBG334W User’s Guide170
171PART VMaintenance and TroubleshootingSystem (173)Logs (177)Tools (191)Configuration Mode (197)Sys Op Mode (199)Troubleshooting (203)
172
NBG334W User’s Guide 173CHAPTER 18 SystemThis chapter provides information on the System screens. 18.1 System OverviewSee the chapter about wizard setup for more information on the next few screens.18.2 System General Screen Click Maintenance > System. The following screen displays.Figure 102 Maintenance > System > General The following table describes the labels in this screen.Table 69 Maintenance > System > GeneralLABEL DESCRIPTIONSystem Name System Name is a unique name to identify the NBG334W in an Ethernet network. It is recommended you enter your computer’s “Computer name” in this field (see the chapter about wizard setup for how to find your computer’s name). This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted.Domain Name Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP assigned domain name.
Chapter 18 SystemNBG334W User’s Guide17418.3 Time Setting ScreenTo change your NBG334W’s time and date, click Maintenance > System > Time Setting. The screen appears as shown. Use this screen to configure the NBG334W’s time based on your local time zone.Figure 103 Maintenance > System > Time Setting Administrator Inactivity TimerType how many minutes a management session can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).Password Setup Change your NBG334W’s password (recommended) using the fields as shown.Old Password Type the default password or the existing password you use to access the system in this field.New Password Type your new system password (up to 30 characters). Note that as you type a password, the screen displays an asterisk (*) for each character you type.Retype to Confirm Type the new password again in this field.Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.Table 69 Maintenance > System > GeneralLABEL DESCRIPTION
Chapter 18 SystemNBG334W User’s Guide 175The following table describes the labels in this screen.Table 70 Maintenance > System > Time SettingLABEL DESCRIPTIONCurrent Time and DateCurrent Time This field displays the time of your NBG334W.Each time you reload this page, the NBG334W synchronizes the time with the time server.Current Date This field displays the date of your NBG334W. Each time you reload this page, the NBG334W synchronizes the date with the time server.Time and Date SetupManual Select this radio button to enter the time and date manually. If you configure a new time and date, Time Zone and Daylight Saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.New Time (hh:mm:ss)This field displays the last updated time from the time server or the last time configured manually.When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. New Date (yyyy/mm/dd)This field displays the last updated date from the time server or the last date configured manually.When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.Get from Time ServerSelect this radio button to have the NBG334W get the time and date from the time server you specified below.Auto Select Auto to have the NBG334W automatically search for an available time server and synchronize the date and time with the time server after you click Apply.User Defined Time Server Address Select User Defined Time Server Address and enter the IP address or URL (up to 20 extended ASCII characters in length) of your time server. Check with your ISP/network administrator if you are unsure of this information.Time Zone SetupTime Zone Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). Daylight Savings Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.Select this option if you use Daylight Saving Time.Start Date Configure the day and time when Daylight Saving Time starts if you selected Daylight Savings. The o'clock field uses the 24 hour format. Here are a couple of examples:Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, April and type 2 in the o'clock field.Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
Chapter 18 SystemNBG334W User’s Guide176End Date Configure the day and time when Daylight Saving Time ends if you selected Daylight Savings. The o'clock field uses the 24 hour format. Here are a couple of examples:Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Last, Sunday, October and type 2 in the o'clock field.Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Apply Click Apply to save your changes back to the NBG334W.Reset Click Reset to begin configuring this screen afresh.Table 70 Maintenance > System > Time SettingLABEL DESCRIPTION
NBG334W User’s Guide 177CHAPTER 19 LogsThis chapter contains information about configuring general log settings and viewing the NBG334W’s logs. Refer to the appendices for example log message explanations.19.1 View Log The web configurator allows you to look at all of the NBG334W’s logs in one location. Click Maintenance > Logs to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 19.2 on page 178). Options include logs about system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, Java and cookies), attacks (such as DoS) and IPSec.Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Figure 104 Maintenance > Logs > View Log
Chapter 19 LogsNBG334W User’s Guide178The following table describes the labels in this screen.19.2 Log SettingsYou can configure the NBG334W’s general log settings in one location.Click Maintenance > Logs > Log Settings to open the Log Settings screen.Use the Log Settings screen to configure to where the NBG334W is to send logs; the schedule for when the NBG334W is to send the logs and which logs and/or immediate alerts the NBG334W to send.An alert is a type of log that warrants more serious attention. They include system errors, attacks (access control) and attempted access to blocked web sites or web sites with restricted web features such as cookies, active X and so on. Some categories such as System Errors consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display in black.Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full (see Log Schedule). Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.Table 71 Maintenance > Logs > View LogLABEL DESCRIPTIONDisplay The categories that you select in the Log Settings page (see Section 19.2 on page 178) display in the drop-down list box.Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page. Email Log Now Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the Address Info fields in Log Settings).Refresh Click Refresh to renew the log screen. Clear Log Click Clear Log to delete all the logs. Time This field displays the time the log was recorded. See the chapter on system maintenance and information to configure the NBG334W’s time and date.Message This field states the reason for the log.Source This field lists the source IP address and the port number of the incoming packet.Destination This field lists the destination IP address and the port number of the incoming packet.Note This field displays additional information about the log entry.
Chapter 19 LogsNBG334W User’s Guide 179Figure 105 Maintenance > Logs > Log Settings The following table describes the labels in this screen.Table 72 Maintenance > Logs > Log SettingsLABEL DESCRIPTIONE-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via E-mail. Mail Subject Type a title that you want to be in the subject line of the log e-mail message that the NBG334W sends. Not all NBG334W models have this field.Send Log To The NBG334W sends logs to the e-mail address specified in this field. If this field is left blank, the NBG334W does not send logs via e-mail.
Chapter 19 LogsNBG334W User’s Guide180Send Alerts To Alerts are real-time notifications that are sent as soon as an event, such as a DoS attack, system error, or forbidden web access attempt occurs. Enter the E-mail address where the alert messages will be sent. Alerts include system errors, attacks and attempted access to blocked web sites. If this field is left blank, alert messages will not be sent via E-mail. SMTP AuthenticationSMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail logs.User Name Enter the user name (up to 31 characters) (usually the user name of a mail account).Password Enter the password associated with the user name above.Log Schedule This drop-down menu is used to configure the frequency of log messages being sent as E-mail: •Daily• Weekly• Hourly• When Log is Full• None. If you select Weekly or Daily, specify a time of day when the E-mail should be sent. If you select Weekly, then also specify which day of the week the E-mail should be sent. If you select When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent. Day for Sending Log Use the drop down list box to select which day of the week to send the logs. Time for Sending LogEnter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. Clear log after sending mailSelect the checkbox to delete all the logs after the NBG334W sends an E-mail of the logs.Syslog Logging The NBG334W sends a log to an external syslog server.Active Click Active to enable syslog logging. Syslog Server IP AddressEnter the server name or IP address of the syslog server that will log the selected categories of logs. Log Facility Select a location from the drop down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the syslog server manual for more information. Active Log and AlertLog Select the categories of logs that you want to record.Send Immediate Alert Select log categories for which you want the NBG334W to send E-mail alerts immediately. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. Table 72 Maintenance > Logs > Log SettingsLABEL DESCRIPTION
Chapter 19 LogsNBG334W User’s Guide 18119.3 Log DescriptionsThis section provides descriptions of example log messages. Table 73 System Maintenance LogsLOG MESSAGE DESCRIPTIONTime calibration is successfulThe router has adjusted its time based on information from the time server.Time calibration failed The router failed to get information from the time server.WAN interface gets IP:%s A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.DHCP client IP expired A DHCP client's IP address has expired.DHCP server assigns%s The DHCP server assigned an IP address to a client.Successful WEB login Someone has logged on to the router's web configurator interface.WEB login failed Someone has failed to log on to the router's web configurator interface.Successful TELNET login Someone has logged on to the router via telnet.TELNET login failed Someone has failed to log on to the router via telnet.Successful FTP login Someone has logged on to the router via ftp.FTP login failed Someone has failed to log on to the router via ftp.NAT Session Table is Full! The maximum number of NAT session table entries has been exceeded and the table is full.Starting Connectivity MonitorStarting Connectivity Monitor.Time initialized by Daytime ServerThe router got the time and date from the Daytime server.Time initialized by Time serverThe router got the time and date from the time server.Time initialized by NTP serverThe router got the time and date from the NTP server.Connect to Daytime server failThe router was not able to connect to the Daytime server.Connect to Time server fail The router was not able to connect to the Time server.Connect to NTP server fail The router was not able to connect to the NTP server.Too large ICMP packet has been droppedThe router dropped an ICMP packet that was too large.Configuration Change: PC = 0x%x, Task ID = 0x%xThe router is saving configuration changes.Successful SSH login Someone has logged on to the router’s SSH server.SSH login failed Someone has failed to log on to the router’s SSH server.Successful HTTPS login Someone has logged on to the router's web configurator interface using HTTPS protocol.HTTPS login failed Someone has failed to log on to the router's web configurator interface using HTTPS protocol.
Chapter 19 LogsNBG334W User’s Guide182 Table 74 System Error LogsLOG MESSAGE DESCRIPTION%s exceeds the max. number of session per host!This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.setNetBIOSFilter: calloc errorThe router failed to allocate memory for the NetBIOS filter settings.readNetBIOSFilter: calloc errorThe router failed to allocate memory for the NetBIOS filter settings.WAN connection is down. A WAN connection is down. You cannot access the network through this interface.Table 75 Access Control LogsLOG MESSAGE DESCRIPTIONFirewall default policy: [TCP | UDP | IGMP | ESP | GRE | OSPF] <Packet Direction>Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy’s setting.Firewall rule [NOT] match:[TCP | UDP | IGMP | ESP | GRE | OSPF] <Packet Direction>, <rule:%d>Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule. Triangle route packet forwarded: [TCP | UDP | IGMP | ESP | GRE | OSPF]The firewall allowed a triangle route session to pass through.Packet without a NAT table entry blocked: [TCP | UDP | IGMP | ESP | GRE | OSPF]The router blocked a packet that didn't have a corresponding NAT table entry.Router sent blocked web site message: TCPThe router sent a message to notify a user that the router blocked access to a web site that the user requested.Table 76 TCP Reset LogsLOG MESSAGE DESCRIPTIONUnder SYN flood attack, sent TCP RSTThe router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.) Exceed TCP MAX incomplete, sent TCP RSTThe router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.) Note: Refer to TCP Maximum Incomplete in the Firewall Attack Alerts screen. Peer TCP state out of order, sent TCP RSTThe router sent a TCP reset packet when a TCP connection state was out of order.Note: The firewall refers to RFC793 Figure 6 to check the TCP state.
Chapter 19 LogsNBG334W User’s Guide 183 Firewall session time out, sent TCP RSTThe router sent a TCP reset packet when a dynamic firewall session timed out.The default timeout values are as follows:ICMP idle timeout: 3 minutesUDP idle timeout: 3 minutesTCP connection (three way handshaking) timeout: 270 secondsTCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header).TCP idle (established) timeout (s): 150 minutesTCP reset timeout: 10 secondsExceed MAX incomplete, sent TCP RSTThe router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.)Note: When the number of incomplete connections (TCP + UDP) > “Maximum Incomplete High”, the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < “Maximum Incomplete Low”.Access block, sent TCP RSTThe router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: "sys firewall tcprst").Table 77 Packet Filter LogsLOG MESSAGE DESCRIPTION[TCP | UDP | ICMP | IGMP | Generic] packet filter matched (set:%d, rule:%d)Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.Table 78 ICMP LogsLOG MESSAGE DESCRIPTIONFirewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>ICMP access matched the default policy and was blocked or forwarded according to the user's setting. For type and code details, see Table 87 on page 188.Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>ICMP access matched (or didn’t match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule. For type and code details, see Table 87 on page 188.Triangle route packet forwarded: ICMPThe firewall allowed a triangle route session to pass through.Packet without a NAT table entry blocked: ICMPThe router blocked a packet that didn’t have a corresponding NAT table entry.Unsupported/out-of-order ICMP: ICMPThe firewall does not support this kind of ICMP packets or the ICMP packets are out of order.Router reply ICMP packet: ICMP The router sent an ICMP reply packet to the sender.Table 76 TCP Reset Logs (continued)LOG MESSAGE DESCRIPTION
Chapter 19 LogsNBG334W User’s Guide184 Table 79 CDR LogsLOG MESSAGE DESCRIPTIONboard%d line%d channel%d, call%d,%s C01 Outgoing Call dev=%x ch=%x%sThe router received the setup requirements for a call. “call” is the reference (count) number of the call. “dev” is the device type (3 is for dial-up, 6 is for PPPoE, 10 is for PPTP). "channel" or “ch” is the call channel ID.For example,"board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0 "Means the router has dialed to the PPPoE server 3 times.board%d line%d channel%d, call%d,%s C02 OutCall Connected%d%sThe PPPoE, PPTP or dial-up call is connected.board%d line%d channel%d, call%d,%s C02 Call TerminatedThe PPPoE, PPTP or dial-up call was disconnected.Table 80 PPP LogsLOG MESSAGE DESCRIPTIONppp:LCP Starting The PPP connection’s Link Control Protocol stage has started.ppp:LCP Opening The PPP connection’s Link Control Protocol stage is opening.ppp:CHAP Opening The PPP connection’s Challenge Handshake Authentication Protocol stage is opening.ppp:IPCP StartingThe PPP connection’s Internet Protocol Control Protocol stage is starting.ppp:IPCP Opening The PPP connection’s Internet Protocol Control Protocol stage is opening.ppp:LCP Closing The PPP connection’s Link Control Protocol stage is closing.ppp:IPCP Closing The PPP connection’s Internet Protocol Control Protocol stage is closing.Table 81 UPnP LogsLOG MESSAGE DESCRIPTIONUPnP pass through Firewall UPnP packets can pass through the firewall.Table 82 Content Filtering LogsLOG MESSAGE DESCRIPTION%s: Keyword blocking The content of a requested web page matched a user defined keyword.%s: Not in trusted web listThe web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.%s: Forbidden Web site The web site is in the forbidden web site list.%s: Contains ActiveX The web site contains ActiveX.%s: Contains Java appletThe web site contains a Java applet.%s: Contains cookie The web site contains a cookie.
Chapter 19 LogsNBG334W User’s Guide 185 %s: Proxy mode detectedThe router detected proxy mode in the packet.%s The content filter server responded that the web site is in the blocked category list, but it did not return the category type.%s:%s The content filter server responded that the web site is in the blocked category list, and returned the category type.%s(cache hit) The system detected that the web site is in the blocked list from the local cache, but does not know the category type.%s:%s(cache hit) The system detected that the web site is in blocked list from the local cache, and knows the category type.%s: Trusted Web site The web site is in a trusted domain.%s When the content filter is not on according to the time schedule or you didn't select the "Block Matched Web Site” check box, the system forwards the web content.Waiting content filter server timeoutThe external content filtering server did not respond within the timeout period.DNS resolving failed The NBG334W cannot get the IP address of the external content filtering via DNS query.Creating socket failed The NBG334W cannot issue a query because TCP/IP socket creation failed, port:port number.Connecting to content filter server failThe connection to the external content filtering server failed.License key is invalid The external content filtering license key is invalid.Table 83 Attack LogsLOG MESSAGE DESCRIPTIONattack [TCP | UDP | IGMP | ESP | GRE | OSPF]The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.attack ICMP (type:%d, code:%d)The firewall detected an ICMP attack. For type and code details, see Table 87 on page 188.land [TCP | UDP | IGMP | ESP | GRE | OSPF]The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.land ICMP (type:%d, code:%d)The firewall detected an ICMP land attack. For type and code details, see Table 87 on page 188.ip spoofing - WAN [TCP | UDP | IGMP | ESP | GRE | OSPF]The firewall detected an IP spoofing attack on the WAN port.ip spoofing - WAN ICMP (type:%d, code:%d)The firewall detected an ICMP IP spoofing attack on the WAN port. For type and code details, see Table 87 on page 188.icmp echo: ICMP (type:%d, code:%d)The firewall detected an ICMP echo attack. For type and code details, see Table 87 on page 188.syn flood TCP The firewall detected a TCP syn flood attack.ports scan TCP The firewall detected a TCP port scan attack.teardrop TCP The firewall detected a TCP teardrop attack.Table 82 Content Filtering Logs (continued)LOG MESSAGE DESCRIPTION
Chapter 19 LogsNBG334W User’s Guide186 teardrop UDP The firewall detected an UDP teardrop attack.teardrop ICMP (type:%d, code:%d)The firewall detected an ICMP teardrop attack. For type and code details, see Table 87 on page 188.illegal command TCP The firewall detected a TCP illegal command attack.NetBIOS TCP The firewall detected a TCP NetBIOS attack.ip spoofing - no routing entry [TCP | UDP | IGMP | ESP | GRE | OSPF]The firewall classified a packet with no source routing entry as an IP spoofing attack.ip spoofing - no routing entry ICMP (type:%d, code:%d)The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack.vulnerability ICMP (type:%d, code:%d)The firewall detected an ICMP vulnerability attack. For type and code details, see Table 87 on page 188.traceroute ICMP (type:%d, code:%d)The firewall detected an ICMP traceroute attack. For type and code details, see Table 87 on page 188.Table 84 PKI LogsLOG MESSAGE DESCRIPTIONEnrollment successful The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.Enrollment failed The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.Failed to resolve <SCEP CA server url>The SCEP online certificate enrollment failed because the certification authority server’s address cannot be resolved.Enrollment successful The CMP online certificate enrollment was successful. The Destination field records the certification authority server’s IP address and port.Enrollment failed The CMP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.Failed to resolve <CMP CA server url>The CMP online certificate enrollment failed because the certification authority server’s IP address cannot be resolved.Rcvd ca cert: <subject name>The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.Rcvd user cert: <subject name>The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.Rcvd CRL <size>: <issuer name>The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.Rcvd ARL <size>: <issuer name>The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field.Table 83 Attack Logs (continued)LOG MESSAGE DESCRIPTION
Chapter 19 LogsNBG334W User’s Guide 187 Failed to decode the received ca certThe router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field.Failed to decode the received user certThe router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field.Failed to decode the received CRLThe router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field.Failed to decode the received ARLThe router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field.Rcvd data <size> too large! Max size allowed: <max size>The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded.Cert trusted: <subject name>The router has verified the path of the certificate with the listed subject name.Due to <reason codes>, cert not trusted: <subject name>Due to the reasons listed, the certificate with the listed subject name has not passed the path verification. The recorded reason codes are only approximate reasons for not trusting the certificate. Please see Table 87 on page 188 for the corresponding descriptions of the codes.Table 85 802.1X LogsLOG MESSAGE DESCRIPTIONLocal User Database accepts user.A user was authenticated by the local user database.Local User Database reports user credential error.A user was not authenticated by the local user database because of an incorrect user password.Local User Database does not find user`s credential.A user was not authenticated by the local user database because the user is not listed in the local user database.RADIUS accepts user. A user was authenticated by the RADIUS Server.RADIUS rejects user. Pls check RADIUS Server.A user was not authenticated by the RADIUS Server. Please check the RADIUS Server.Local User Database does not support authentication method.The local user database only supports the EAP-MD5 method. A user tried to use another authentication method and was not authenticated.User logout because of session timeout expired.The router logged out a user whose session expired.User logout because of user deassociation.The router logged out a user who ended the session.User logout because of no authentication response from user.The router logged out a user from which there was no authentication response.User logout because of idle timeout expired.The router logged out a user whose idle timeout period expired.User logout because of user request.A user logged out.Table 84 PKI Logs (continued)LOG MESSAGE DESCRIPTION
Chapter 19 LogsNBG334W User’s Guide188 Local User Database does not support authentication method.A user tried to use an authentication method that the local user database does not support (it only supports EAP-MD5).No response from RADIUS. Pls check RADIUS Server.There is no response message from the RADIUS server, please check the RADIUS server.Use Local User Database to authenticate user.The local user database is operating as the authentication server.Use RADIUS to authenticate user. The RADIUS server is operating as the authentication server.No Server to authenticate user. There is no authentication server to authenticate a user.Local User Database does not find user`s credential.A user was not authenticated by the local user database because the user is not listed in the local user database.Table 86 ACL Setting NotesPACKET DIRECTION DIRECTION DESCRIPTION(L to W) LAN to WAN ACL set for packets traveling from the LAN to the WAN.(W to L) WAN to LAN ACL set for packets traveling from the WAN to the LAN.(L to L/P) LAN to LAN/NBG334WACL set for packets traveling from the LAN to the LAN or the NBG334W.(W to W/P) WAN to WAN/NBG334WACL set for packets traveling from the WAN to the WAN or the NBG334W.Table 87 ICMP NotesTYPE CODE DESCRIPTION0Echo Reply0Echo reply message3Destination Unreachable0Net unreachable1Host unreachable2Protocol unreachable3Port unreachable4A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)5Source route failed4Source Quench0A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.5Redirect0Redirect datagrams for the Network1Redirect datagrams for the HostTable 85 802.1X Logs (continued)LOG MESSAGE DESCRIPTION
Chapter 19 LogsNBG334W User’s Guide 189 The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. 2Redirect datagrams for the Type of Service and Network3Redirect datagrams for the Type of Service and Host8Echo0Echo message11 Time Exceeded0Time to live exceeded in transit1Fragment reassembly time exceeded12 Parameter Problem0Pointer indicates the error13 Timestamp0Timestamp request message14 Timestamp Reply0Timestamp reply message15 Information Request0Information request message16 Information Reply0Information reply messageTable 88 Syslog LogsLOG MESSAGE DESCRIPTION<Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address last three numbers>" cat="<category>"This message is sent by the system ("RAS" displays as the system name if you haven’t configured one) when the router generates a syslog. The facility is defined in the web MAIN MENU->LOGS->Log Settings page. The severity is the log’s syslog class. The definition of messages and notes are defined in the various log charts throughout this appendix. The “devID” is the last three characters of the MAC address of the router’s LAN port. The “cat” is the same as the category in the router’s logs.Table 89 RFC-2408 ISAKMP Payload TypesLOG DISPLAY PAYLOAD TYPESA Security AssociationPROP ProposalTRANS TransformKE Key ExchangeID IdentificationCER CertificateCER_REQ Certificate RequestHASH HashTable 87 ICMP Notes (continued)TYPE CODE DESCRIPTION

Navigation menu