ZyXEL Communications NBG410W3G 3G Wireless Router User Manual NBG41xW3G UG V4 03 Ed1 2008 08 15 DRAFT

ZyXEL Communications Corporation 3G Wireless Router NBG41xW3G UG V4 03 Ed1 2008 08 15 DRAFT

Contents

User manual 1 rev2

www.zyxel.com

NBG410W3G Series
3G Wireless Router
User's Guide

Version 4.03
08/2008
Edition 1
About This User's Guide

Intended Audience

This manual is intended for people who want to configure the ZyXEL Device using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Related Documentation

- Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
- Web Configurator Online Help: Embedded web help for descriptions of individual screens and supplementary information.
- Supporting Disk: Refer to the included CD for support documents.
- ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.

User Guide Feedback

Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!

The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw
Document Conventions

Warnings and Notes

These are how warnings and notes are shown in this User's Guide.

Warnings tell you about things that could harm you or your device.

Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions

- The NBG410W3G and NBG412W3G may be referred to as the "ZyXEL Device", the "device", the "system", or the "NBG410W3G Series" in this User's Guide.
- Product labels, screen names, field labels and field choices are all in bold font.
- A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
- "Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices.
- A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
- Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
- "e.g.," is a shorthand for "for instance", and "i.e.," means "that is" or "in other words".

Icons Used in Figures

Figures in this User's Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your device.

Icons shown: ZyXEL Device, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router.
Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.

- Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
- Do NOT expose your device to dampness, dust or corrosive liquids.
- Do NOT store things on the device.
- Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
- Connect ONLY suitable accessories to the device.
- Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
- Make sure to connect the cables to the correct ports.
- Place connecting cables carefully so that no one will step on them or stumble over them.
- Always disconnect all cables from this device before servicing or disassembling.
- Use ONLY an appropriate power adaptor or cord for your device.
- Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
- Do NOT remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.
- Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
- Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
- If the power adaptor or cord is damaged, remove it from the power outlet.
- Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
- Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
- Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
- Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
- If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.

This product is recyclable. Dispose of it properly.
Contents Overview

Introduction
    Getting to Know Your ZyXEL Device
    Introducing the Web Configurator
    Wizard Setup
    Tutorials

Network
    LAN Screens
    WAN Screens
    DMZ Screens

Wireless
    Wi-Fi

Security
    Firewall
    Authentication Server
    Certificates

Advanced
    Network Address Translation (NAT)
    Static Route
    DNS
    Remote Management
    UPnP
    Custom Application
    ALG Screen

Logs and Maintenance
    Logs Screens
    Maintenance

Troubleshooting and Specifications
    Troubleshooting
    Product Specifications

Appendices and Index
 Table of ContentsNBG410W3G Series User s Guide 11Table of ContentsAbout This User's Guide..........................................................................................................3Document Conventions............................................................................................................4Safety Warnings........................................................................................................................6Contents Overview...................................................................................................................9Table of Contents....................................................................................................................11List of Figures.........................................................................................................................21List of Tables...........................................................................................................................29Part I: Introduction.................................................................................33Chapter  1Getting to Know Your ZyXEL Device....................................................................................351.1 Overview ..............................................................................................................................351.2 Applications for the ZyXEL Device ......................................................................................351.2.1 3G WAN Application ...................................................................................................351.2.2 Secure Broadband Internet Access via Cable or DSL Modem ..................................361.3 Ways to Manage the ZyXEL Device ....................................................................................361.4 Configuring Your ZyXEL Device s Security Features ..........................................................371.4.1 Control Access to Your 
Device ...................................................................................371.4.2 Wireless Security .......................................................................................................371.4.3  Firewall ......................................................................................................................371.4.4 NAT ............................................................................................................................381.4.5 UPnP ..........................................................................................................................381.5 Maintaining Your ZyXEL Device ..........................................................................................381.5.1 Front Panel Lights ......................................................................................................39Chapter  2Introducing the Web Configurator........................................................................................432.1 Web Configurator Overview .................................................................................................432.2 Accessing the ZyXEL Device Web Configurator .................................................................432.3 Resetting the ZyXEL Device ................................................................................................452.3.1 Procedure To Use The Reset Button .........................................................................452.3.2 Uploading a Configuration File Via Console Port .......................................................45
Table of ContentsNBG410W3G Series User s Guide122.4 Navigating the ZyXEL Device Web Configurator .................................................................462.4.1 Title Bar ......................................................................................................................462.4.2 Main Window ..............................................................................................................472.4.3 HOME Screen  ...........................................................................................................472.4.4 Navigation Panel ........................................................................................................522.4.5 Port Statistics   ...........................................................................................................542.4.6 Show Statistics: Line Chart ........................................................................................552.4.7 DHCP Table Screen    ................................................................................................56Chapter  3Wizard Setup...........................................................................................................................593.1 Wizard Setup Overview  ......................................................................................................593.2 Internet Access  ...................................................................................................................593.2.1 ISP Parameters ..........................................................................................................593.2.2 Internet Access Wizard Setup Complete ...................................................................64Chapter  4Tutorials...................................................................................................................................654.1 DMZ Overview 
.....................................................................................................................654.2 DMZ Setup Example ...........................................................................................................664.2.1 Basic Setup ................................................................................................................664.2.2 Advanced Setup .........................................................................................................684.3 Firewall Rule Setup .............................................................................................................694.4 Setting Up a VoIP Phone with H.323 ...................................................................................724.5 Using NAT with Multiple Public IP Addresses ......................................................................774.5.1 Example Parameters and Scenario ...........................................................................774.5.2 Configuring the WAN Connection with a Static IP Address ........................................784.5.3 Public IP Address Mapping ........................................................................................824.5.4 Forwarding Traffic from the WAN to a Local Computer ..............................................874.5.5 Allow WAN-to-LAN Traffic through the Firewall ..........................................................894.5.6 Testing the Connections .............................................................................................964.6 Using NAT with Multiple Game Players ...............................................................................96Part II: Network.......................................................................................99Chapter  5LAN Screens..........................................................................................................................1015.1 LAN, WAN and the ZyXEL Device 
.....................................................................................1015.2 IP Address and Subnet Mask ............................................................................................1015.2.1 Private IP Addresses ................................................................................................1025.3 DHCP ................................................................................................................................102
 Table of ContentsNBG410W3G Series User s Guide 135.3.1 IP Pool Setup ...........................................................................................................1035.4 RIP Setup ..........................................................................................................................1035.5 Multicast ............................................................................................................................1035.6 WINS .................................................................................................................................1045.7 LAN ....................................................................................................................................1045.8 LAN Static DHCP ...............................................................................................................1065.9 LAN IP Alias   ....................................................................................................................1075.10 LAN Port Roles ................................................................................................................109Chapter  6WAN Screens.........................................................................................................................1116.1 WAN Overview ...................................................................................................................1116.2 Multiple WAN ......................................................................................................................1116.3 TCP/IP Priority (Metric) .......................................................................................................1126.4 WAN General ......................................................................................................................1126.5 WAN IP Address Assignment .............................................................................................1156.6 DNS Server Address 
Assignment ......................................................................................1166.7 WAN MAC Address ............................................................................................................1166.8 WAN 1  ...............................................................................................................................1176.8.1 WAN Ethernet Encapsulation ....................................................................................1176.8.2 PPPoE Encapsulation ..............................................................................................1206.8.3 PPTP Encapsulation ................................................................................................1236.9 3G (WAN 2)  ......................................................................................................................1266.10 Traffic Redirect  ...............................................................................................................1326.11 Configuring Traffic Redirect .............................................................................................133Chapter  7DMZ Screens.........................................................................................................................1357.1 DMZ  ..................................................................................................................................1357.2 Configuring DMZ ...............................................................................................................1357.3 DMZ Static DHCP   ............................................................................................................1387.4 DMZ IP Alias   ....................................................................................................................1397.5 DMZ Public IP Address Example ......................................................................................1417.6 DMZ Private and Public IP Address 
Example ...................................................................1417.7 DMZ Port Roles   ...............................................................................................................142Part III: Wireless...................................................................................145Chapter  8Wi-Fi.......................................................................................................................................1478.1 Wi-Fi Introduction ..............................................................................................................147
Table of ContentsNBG410W3G Series User s Guide148.2 Wireless Security Overview ...............................................................................................1488.2.1 SSID .........................................................................................................................1488.2.2 MAC Address Filter ..................................................................................................1488.2.3 User Authentication ..................................................................................................1498.2.4 Encryption ................................................................................................................1498.2.5 Additional Installation Requirements for Using 802.1x .............................................1518.3 Wireless Card  ...................................................................................................................1518.3.1 SSID Profile  .............................................................................................................1538.4 Configuring Wireless Security ...........................................................................................1548.4.1 No Security ...............................................................................................................1568.4.2 Static WEP ...............................................................................................................1568.4.3 IEEE 802.1x Only .....................................................................................................1578.4.4 IEEE 802.1x + Static WEP .......................................................................................1588.4.5 WPA, WPA2, WPA2-MIX ..........................................................................................1608.4.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX .................................................................1618.5 MAC Filter  
.........................................................................................................................162Part IV: Security...................................................................................165Chapter  9Firewall...................................................................................................................................1679.1 Firewall Overview  .............................................................................................................1679.2 Packet Direction Matrix ......................................................................................................1689.3 Packet Direction Examples ................................................................................................1699.4 Security Considerations .....................................................................................................1709.5 Firewall Rules Example .....................................................................................................1719.6 Asymmetrical Routes .........................................................................................................1739.6.1 Asymmetrical Routes and IP Alias ...........................................................................1739.7 Firewall Default Rule .........................................................................................................1739.8 Firewall Rule Summary  ....................................................................................................1759.8.1 Firewall Edit Rule     .................................................................................................1779.9 Anti-Probing    ....................................................................................................................1809.10 Firewall Thresholds    ......................................................................................................1819.10.1 Threshold Values 
...................................................................................................1829.11 Threshold Screen .............................................................................................................1829.12 Service  ............................................................................................................................1849.12.1 Firewall Edit Custom Service  ................................................................................1859.13 My Service Firewall Rule Example ..................................................................................186Chapter  10Authentication Server...........................................................................................................191
 Table of ContentsNBG410W3G Series User s Guide 1510.1 Authentication Server Overview ......................................................................................19110.2 Local User Database   .....................................................................................................19110.3 RADIUS   .........................................................................................................................193Chapter  11Certificates............................................................................................................................19511.1 Certificates Overview .......................................................................................................19511.1.1 Advantages of Certificates .....................................................................................19611.2 Self-signed Certificates ....................................................................................................19611.3 Verifying a Certificate .......................................................................................................19611.3.1 Checking the Fingerprint of a Certificate on Your Computer ..................................19611.4 Configuration Summary ...................................................................................................19711.5 My Certificates  ................................................................................................................19811.6 My Certificate Details   .....................................................................................................20011.7 My Certificate Export  .......................................................................................................20211.7.1 Certificate File Export Formats ...............................................................................20211.8 My Certificate Import   
......................................................................................................20311.8.1 Certificate File Formats ..........................................................................................20311.9 My Certificate Create   .....................................................................................................20511.10 Trusted CAs   .................................................................................................................20911.11 Trusted CA Details  .........................................................................................................21111.12 Trusted CA Import   ........................................................................................................21411.13 Trusted Remote Hosts   .................................................................................................21511.14 Trusted Remote Hosts Import   ......................................................................................21711.15 Trusted Remote Host Certificate Details   ......................................................................21811.16 Directory Servers  ..........................................................................................................22011.17 Directory Server Add or Edit   ........................................................................................221Part V: Advanced.................................................................................223Chapter  12Network Address Translation (NAT)....................................................................................22512.1 NAT Overview   ................................................................................................................22512.1.1 NAT Definitions ......................................................................................................22512.1.2 What NAT Does 
.....................................................................................................22612.1.3 How NAT Works .....................................................................................................22612.1.4 NAT Application ......................................................................................................22712.1.5 Port Restricted Cone NAT ......................................................................................22812.1.6 NAT Mapping Types ...............................................................................................22912.2 Using NAT ........................................................................................................................23012.2.1 SUA (Single User Account) Versus NAT ................................................................230
12.3 NAT Overview Screen
12.4 NAT Address Mapping
12.4.1 What NAT Does
12.4.2 NAT Address Mapping Edit
12.5 Port Forwarding
12.5.1 Default Server IP Address
12.5.2 Port Forwarding: Services and Port Numbers
12.5.3 Configuring Servers Behind Port Forwarding (Example)
12.5.4 NAT and Multiple WAN
12.5.5 Port Translation
12.6 Port Forwarding Screen
12.7 Port Triggering

Chapter 13 Static Route
13.1 IP Static Route
13.2 IP Static Route
13.2.1 IP Static Route Edit

Chapter 14 DNS
14.1 DNS Overview
14.2 DNS Server Address Assignment
14.3 DNS Servers
14.4 Address Record
14.4.1 DNS Wildcard
14.5 Name Server Record
14.5.1 Private DNS Server
14.6 System Screen
14.6.1 Adding an Address Record
14.6.2 Inserting a Name Server Record
14.7 DNS Cache
14.8 Configure DNS Cache
14.9 Configuring DNS DHCP
14.10 Dynamic DNS
14.10.1 DYNDNS Wildcard
14.10.2 High Availability
14.11 Configuring Dynamic DNS

Chapter 15 Remote Management
15.1 Remote Management Overview
15.1.1 Remote Management Limitations
15.1.2 System Timeout
15.2 WWW (HTTP and HTTPS)
15.3 WWW
15.4 HTTPS Example
15.4.1 Internet Explorer Warning Messages
15.4.2 Netscape Navigator Warning Messages
15.4.3 Avoiding the Browser Warning Messages
15.4.4 Login Screen
15.5 SSH
15.6 How SSH Works
15.7 SSH Implementation on the ZyXEL Device
15.7.1 Requirements for Using SSH
15.8 Configuring SSH
15.9 Secure Telnet Using SSH Examples
15.9.1 Example 1: Microsoft Windows
15.9.2 Example 2: Linux
15.10 Secure FTP Using SSH Example
15.11 Telnet
15.12 Configuring TELNET
15.13 FTP
15.14 SNMP
15.14.1 Supported MIBs
15.14.2 SNMP Traps
15.14.3 REMOTE MANAGEMENT: SNMP
15.15 DNS
15.16 Introducing Vantage CNM
15.17 Configuring CNM
15.17.1 Additional Configuration for Vantage CNM

Chapter 16 UPnP
16.1 Universal Plug and Play Overview
16.1.1 How Do I Know If I'm Using UPnP?
16.1.2 NAT Traversal
16.1.3 Cautions with UPnP
16.1.4 UPnP and ZyXEL
16.2 Configuring UPnP
16.3 Displaying UPnP Port Mapping
16.4 Installing UPnP in Windows Example
16.4.1 Installing UPnP in Windows Me
16.4.2 Installing UPnP in Windows XP
16.5 Using UPnP in Windows XP Example
16.5.1 Auto-discover Your UPnP-enabled Network Device
16.5.2 Web Configurator Easy Access

Chapter 17 Custom Application
17.1 Custom Application
17.2 Custom Application Configuration

Chapter 18 ALG Screen
18.1 ALG Introduction
18.1.1 ALG and NAT
18.1.2 ALG and the Firewall
18.1.3 ALG and Multiple WAN
18.2 FTP
18.3 H.323
18.4 RTP
18.4.1 H.323 ALG Details
18.5 SIP
18.5.1 STUN
18.5.2 SIP ALG Details
18.5.3 SIP Signaling Session Timeout
18.5.4 SIP Audio Session Timeout
18.6 ALG Screen

Part VI: Logs and Maintenance

Chapter 19 Logs Screens
19.1 Configuring View Log
19.2 Log Description Example
19.2.1 About the Certificate Not Trusted Log
19.3 Configuring Log Settings
19.4 Configuring Reports
19.4.1 Viewing Web Site Hits
19.4.2 Viewing Host IP Address
19.4.3 Viewing Protocol/Port
19.4.4 System Reports Specifications
19.5 Log Descriptions
19.6 Syslog Logs

Chapter 20 Maintenance
20.1 Maintenance Overview
20.2 General Setup and System Name
20.2.1 General Setup
20.3 Configuring Password
20.4 Time and Date
20.5 Pre-defined NTP Time Server Pools
20.5.1 Resetting the Time
20.5.2 Time Server Synchronization
20.6 F/W Upload Screen
20.7 Backup and Restore
20.7.1 Backup Configuration
20.7.2 Restore Configuration
20.7.3 Back to Factory Defaults
20.8 Restart Screen

Part VII: Troubleshooting and Specifications

Chapter 21 Troubleshooting
21.1 Power, Hardware Connections, and LEDs
21.2 ZyXEL Device Access and Login
21.3 Internet Access
21.4 3G Connection

Chapter 22 Product Specifications
22.1 General ZyXEL Device Specifications
22.2 Wall-mounting Instructions
22.3 Power Adaptor Specifications

Part VIII: Appendices and Index

Appendix A Pop-up Windows, JavaScripts and Java Permissions
Appendix B Setting up Your Computer's IP Address
Appendix C IP Addresses and Subnetting
Appendix D Common Services
Appendix E Wireless LANs
Appendix F Importing Certificates
Appendix G Legal Information
Appendix H Customer Support
Index
List of Figures

Figure 1 3G WAN Application
Figure 2 Secure Internet Access via Cable or DSL Modem
Figure 3 Front Panel
Figure 4 Login Screen
Figure 5 Change Password Screen
Figure 6 Replace Certificate Screen
Figure 7 Example Xmodem Upload
Figure 8 HOME Screen
Figure 9 Web Configurator HOME Screen
Figure 10 HOME > Show Statistics
Figure 11 HOME > Show Statistics > Line Chart
Figure 12 HOME > DHCP Table
Figure 13 Wizard Setup Welcome
Figure 14 ISP Parameters: Ethernet Encapsulation
Figure 15 ISP Parameters: PPPoE Encapsulation
Figure 16 ISP Parameters: PPTP Encapsulation
Figure 17 Internet Access Setup Complete
Figure 18 DMZ Overview
Figure 19 DMZ Tutorial: DMZ Setup
Figure 20 DMZ Tutorial: NETWORK > DMZ > Static DHCP
Figure 21 DMZ Tutorial: NETWORK > DMZ
Figure 22 DMZ Tutorial: ADVANCED > NAT Overview
Figure 23 DMZ Tutorial: ADVANCED > ALG
Figure 24 DMZ Tutorial: ADVANCED > NAT > Port Forwarding
Figure 25 DMZ Tutorial: SECURITY > Firewall > Rule Summary
Figure 26 DMZ Tutorial: NETWORK > Firewall > Rule Summary: Firewall - Edit
Figure 27 DMZ Tutorial: SECURITY > Firewall > Rule Summary Example
Figure 28 Tutorial: H.323 Phone Setup
Figure 29 H.323 Tutorial: NETWORK > LAN > Static DHCP
Figure 30 H.323 Tutorial: ADVANCED > ALG
Figure 31 H.323 Tutorial: ADVANCED > NAT > Port Forwarding
Figure 32 H.323 Tutorial: SECURITY > Firewall > Rule Summary
Figure 33 H.323 Tutorial: SECURITY > Firewall > Rule Summary
Figure 34 H.323 Tutorial: SECURITY > Firewall > Rule Summary
Figure 35 Tutorial Example: Using NAT with Static Public IP Addresses
Figure 36 Tutorial Example: WAN Connection with a Static Public IP Address
Figure 37 Tutorial Example: WAN 1 Screen
Figure 38 Tutorial Example: DNS > System
Figure 39 Tutorial Example: DNS > System Edit-1
Figure 40 Tutorial Example: DNS > System Edit-2
Figure 41 Tutorial Example: DNS > System: Done
Figure 42 Tutorial Example: Status
Figure 43 Tutorial Example: Mapping Multiple Public IP Addresses to Inside Servers
Figure 44 Tutorial Example: NAT > NAT Overview
Figure 45 Tutorial Example: NAT > Address Mapping
Figure 46 Tutorial Example: NAT Address Mapping Edit: One-to-One (1)
Figure 47 Tutorial Example: NAT Address Mapping Edit: One-to-One (2)
Figure 48 Tutorial Example: NAT Address Mapping Edit: Many-to-One
Figure 49 Tutorial Example: NAT Address Mapping Done
Figure 50 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer
Figure 51 Tutorial Example: NAT Address Mapping Edit: Server
Figure 52 Tutorial Example: NAT Port Forwarding
Figure 53 Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer
Figure 54 Tutorial Example: Firewall Default Rule
Figure 55 Tutorial Example: Firewall Rule: WAN1 to LAN
Figure 56 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server
Figure 57 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server
Figure 58 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server
Figure 59 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Mail Server
Figure 60 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for FTP Server
Figure 61 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server
Figure 62 Tutorial Example: Firewall Rule Summary
Figure 63 Tutorial Example: NAT Address Mapping Done: Game Playing
Figure 64 LAN and WAN
Figure 65 NETWORK > LAN
Figure 66 NETWORK > LAN > Static DHCP
Figure 67 Physical Network & Partitioned Logical Networks
Figure 68 NETWORK > LAN > IP Alias
Figure 69 NETWORK > LAN > Port Roles
Figure 70 Port Roles Change Complete
Figure 71 NETWORK > WAN General
Figure 72 NETWORK > WAN > WAN 1 (Ethernet Encapsulation)
Figure 73 NETWORK > WAN > WAN 1 (PPPoE Encapsulation)
Figure 74 NETWORK > WAN > WAN 1 (PPTP Encapsulation)
Figure 75 NETWORK > WAN > 3G (WAN 2)
Figure 76 Traffic Redirect WAN Setup
Figure 77 Traffic Redirect LAN Setup
Figure 78 NETWORK > WAN > Traffic Redirect
Figure 79 NETWORK > DMZ
Figure 80 NETWORK > DMZ > Static DHCP
Figure 81 NETWORK > DMZ > IP Alias
Figure 82 DMZ Public Address Example
Figure 83 DMZ Private and Public Address Example
Figure 84 NETWORK > DMZ > Port Roles
Figure 85 Example of a Wireless Network
Figure 86 WIRELESS > Wi-Fi > Wireless Card
Figure 87 WIRELESS > Wi-Fi > Configuring SSID
Figure 88 WIRELESS > Wi-Fi > Security
Figure 89 WIRELESS > Wi-Fi > Security: None
Figure 90 WIRELESS > Wi-Fi > Security: WEP
Figure 91 WIRELESS > Wi-Fi > Security: 802.1x Only
Figure 92 WIRELESS > Wi-Fi > Security: 802.1x + Static WEP
Figure 93 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX
Figure 94 WIRELESS > Wi-Fi > Security: WPA(2)-PSK
Figure 95 WIRELESS > Wi-Fi > MAC Filter
Figure 96 Default Firewall Action
Figure 97 SECURITY > FIREWALL > Default Rule
Figure 98 Default Block Traffic From WAN1 to DMZ Example
Figure 99 Blocking All LAN to WAN IRC Traffic Example
Figure 100 Limited LAN to WAN IRC Traffic Example
Figure 101 Using IP Alias to Solve the Triangle Route Problem
Figure 102 SECURITY > FIREWALL > Default Rule
Figure 103 SECURITY > FIREWALL > Rule Summary
Figure 104 SECURITY > FIREWALL > Rule Summary > Edit
Figure 105 SECURITY > FIREWALL > Anti-Probing
Figure 106 Three-Way Handshake
Figure 107 SECURITY > FIREWALL > Threshold
Figure 108 SECURITY > FIREWALL > Service
Figure 109 Firewall Edit Custom Service
Figure 110 My Service Firewall Rule Example: Service
Figure 111 My Service Firewall Rule Example: Edit Custom Service
Figure 112 My Service Firewall Rule Example: Rule Summary
Figure 113 My Service Firewall Rule Example: Rule Edit: Source and Destination Addresses
Figure 114 My Service Firewall Rule Example: Edit Rule: Service Configuration
Figure 115 My Service Firewall Rule Example: Rule Summary: Completed
Figure 116 SECURITY > AUTH SERVER > Local User Database
Figure 117 SECURITY > AUTH SERVER > RADIUS
Figure 118 Certificates on Your Computer
Figure 119 Certificate Details
Figure 120 Certificate Configuration Overview
Figure 121 SECURITY > CERTIFICATES > My Certificates
Figure 122 SECURITY > CERTIFICATES > My Certificates > Details
Figure 123 SECURITY > CERTIFICATES > My Certificates > Export
Figure 124 SECURITY > CERTIFICATES > My Certificates > Import
Figure 125 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12
Figure 126 SECURITY > CERTIFICATES > My Certificates > Create (Basic)
Figure 127 SECURITY > CERTIFICATES > My Certificates > Create (Advanced)
Figure 128 SECURITY > CERTIFICATES > Trusted CAs
Figure 129 SECURITY > CERTIFICATES > Trusted CAs > Details
Figure 130 SECURITY > CERTIFICATES > Trusted CAs > Import
Figure 131 SECURITY > CERTIFICATES > Trusted Remote Hosts
Figure 132 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import
Figure 133 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details
Figure 134 SECURITY > CERTIFICATES > Directory Servers
Figure 135 SECURITY > CERTIFICATES > Directory Server > Add
Figure 136 How NAT Works
Figure 137 NAT Application With IP Alias
Figure 138 Port Restricted Cone NAT Example
Figure 139 ADVANCED > NAT > NAT Overview
Figure 140 ADVANCED > NAT > Address Mapping
Figure 141 ADVANCED > NAT > Address Mapping > Edit
Figure 142 Multiple Servers Behind NAT Example
Figure 143 Port Translation Example
Figure 144 ADVANCED > NAT > Port Forwarding
Figure 145 Trigger Port Forwarding Process: Example
Figure 146 ADVANCED > NAT > Port Triggering
Figure 147 Example of Static Routing Topology
Figure 148 ADVANCED > STATIC ROUTE > IP Static Route
Figure 149 ADVANCED > STATIC ROUTE > IP Static Route > Edit
Figure 150 ADVANCED > DNS > System DNS
Figure 151 ADVANCED > DNS > Add (Address Record)
Figure 152 ADVANCED > DNS > Insert (Name Server Record)
Figure 153 ADVANCED > DNS > Cache
Figure 154 ADVANCED > DNS > DHCP
Figure 155 ADVANCED > DNS > DDNS
Figure 156 Secure and Insecure Remote Management From the WAN
Figure 157 HTTPS Implementation
Figure 158 ADVANCED > REMOTE MGMT > WWW
Figure 159 Security Alert Dialog Box (Internet Explorer)
Figure 160 Security Certificate 1 (Netscape)
Figure 161 Security Certificate 2 (Netscape)
Figure 162 Example: Lock Denoting a Secure Connection
Figure 163 Replace Certificate
Figure 164 Device-specific Certificate
Figure 165 Common ZyXEL Device Certificate
Figure 166 SSH Communication Over the WAN Example
Figure 167 How SSH Works
Figure 168 ADVANCED > REMOTE MGMT > SSH
Figure 169 SSH Example 1: Store Host Key
Figure 170 SSH Example 2: Test
Figure 171 SSH Example 2: Log in
Figure 172 Secure FTP: Firmware Upload Example
Figure 173 ADVANCED > REMOTE MGMT > Telnet
Figure 174 ADVANCED > REMOTE MGMT > FTP
Figure 175 SNMP Management Model
Figure 176 ADVANCED > REMOTE MGMT > SNMP
Figure 177 ADVANCED > REMOTE MGMT > DNS
Figure 178 ADVANCED > REMOTE MGMT > CNM
Figure 179 ADVANCED > UPnP
Figure 180 ADVANCED > UPnP > Ports
Figure 181 ADVANCED > Custom APP
Figure 182 H.323 ALG Example
Figure 183 H.323 with Multiple WAN IP Addresses
Figure 184 SIP ALG Example
Figure 185 ADVANCED > ALG
Figure 186 LOGS > View Log
Figure 187 myZyXEL.com: Download Center
Figure 188 myZyXEL.com: Certificate Download
Figure 189 LOGS > Log Settings
Figure 190 LOGS > Reports
Figure 191 LOGS > Reports: Web Site Hits Example
Figure 192 LOGS > Reports: Host IP Address Example
Figure 193 LOGS > Reports: Protocol/Port Example
Figure 194 MAINTENANCE > General Setup
Figure 195 MAINTENANCE > Password
Figure 196 MAINTENANCE > Time and Date
Figure 197 Synchronization in Process
Figure 198 Synchronization is Successful
Figure 199 Synchronization Fail
Figure 200 MAINTENANCE > Firmware Upload
Figure 201 Firmware Upload In Process
Figure 202 Network Temporarily Disconnected
Figure 203 Firmware Upload Error
Figure 204 MAINTENANCE > Backup and Restore
Figure 205 Configuration Upload Successful
Figure 206 Network Temporarily Disconnected
Figure 207 Configuration Upload Error
Figure 208 Reset Warning Message
Figure 209 MAINTENANCE > Restart
Figure 210 Wall-mounting Example
Figure 211 Masonry Plug and M4 Tap Screw
Figure 212 Pop-up Blocker
Figure 213 Internet Options: Privacy
Figure 214 Internet Options: Privacy
Figure 215 Pop-up Blocker Settings
Figure 216 Internet Options: Security
Figure 217 Security Settings - Java Scripting
Figure 218 Security Settings - Java
Figure 219 Java (Sun)
Figure 220 Mozilla Firefox: Tools > Options
Figure 221 Mozilla Firefox Content Security
Figure 222 Windows 95/98/Me: Network: Configuration
Figure 223 Windows 95/98/Me: TCP/IP Properties: IP Address
Figure 224 Windows 95/98/Me: TCP/IP Properties: DNS Configuration
Figure 225 Windows XP: Start Menu
Figure 226 Windows XP: Control Panel
Figure 227 Windows XP: Control Panel: Network Connections: Properties
Figure 228 Windows XP: Local Area Connection Properties
Figure 229 Windows XP: Internet Protocol (TCP/IP) Properties
Figure 230 Windows XP: Advanced TCP/IP Properties
Figure 231 Windows XP: Internet Protocol (TCP/IP) Properties
Figure 232 Macintosh OS 8/9: Apple Menu
Figure 233 Macintosh OS 8/9: TCP/IP
Figure 234 Macintosh OS X: Apple Menu
Figure 235 Macintosh OS X: Network
Figure 236 Red Hat 9.0: KDE: Network Configuration: Devices
Figure 237 Red Hat 9.0: KDE: Ethernet Device: General
Figure 238 Red Hat 9.0: KDE: Network Configuration: DNS
Figure 239 Red Hat 9.0: KDE: Network Configuration: Activate
Figure 240 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0
Figure 241 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0
Figure 242 Red Hat 9.0: DNS Settings in resolv.conf
Figure 243 Red Hat 9.0: Restart Ethernet Card
Figure 244 Red Hat 9.0: Checking TCP/IP Properties
Figure 245 Network Number and Host ID
Figure 246 Subnetting Example: Before Subnetting
Figure 247 Subnetting Example: After Subnetting
Figure 248 Peer-to-Peer Communication in an Ad-hoc Network
Figure 249 Basic Service Set
Figure 250 Infrastructure WLAN
Figure 251 RTS/CTS
Figure 252 WPA(2) with RADIUS Application Example
Figure 253 WPA(2)-PSK Authentication
Figure 254 Security Certificate
Figure 255 Login Screen
Figure 256 Certificate General Information before Import
Figure 257 Certificate Import Wizard 1
Figure 258 Certificate Import Wizard 2
Figure 259 Certificate Import Wizard 3
Figure 260 Root Certificate Store
Figure 261 Certificate General Information after Import
Figure 262 ZyXEL Device Trusted CA Screen
Figure 263 CA Certificate Example
Figure 264 Personal Certificate Import Wizard 1
Figure 265 Personal Certificate Import Wizard 2
Figure 266 Personal Certificate Import Wizard 3
Figure 267 Personal Certificate Import Wizard 4
Figure 268 Personal Certificate Import Wizard 5
Figure 269 Personal Certificate Import Wizard 6
Figure 270 Access the ZyXEL Device Via HTTPS
Figure 271 SSL Client Authentication
Figure 272 ZyXEL Device Secure Login Screen
List of Tables

Table 1 NBG410W3G Front Panel Lights
Table 2 NBG412W3G Front Panel Lights
Table 3 Title Bar: Web Configurator Icons
Table 4 Web Configurator HOME Screen
Table 5 Screens Summary
Table 6 HOME > Show Statistics
Table 7 HOME > Show Statistics > Line Chart
Table 8 HOME > DHCP Table
Table 9 ISP Parameters: Ethernet Encapsulation
Table 10 ISP Parameters: PPPoE Encapsulation
Table 11 ISP Parameters: PPTP Encapsulation
Table 12 NETWORK > LAN
Table 13 NETWORK > LAN > Static DHCP
Table 14 NETWORK > LAN > IP Alias
Table 15 NETWORK > LAN > Port Roles
Table 16 NETWORK > WAN General
Table 17 Private IP Address Ranges
Table 18 NETWORK > WAN > WAN 1 (Ethernet Encapsulation)
Table 19 NETWORK > WAN > WAN 1 (PPPoE Encapsulation)
Table 20 NETWORK > WAN > WAN 1 (PPTP Encapsulation)
Table 21 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies
Table 22 NETWORK > WAN > 3G (WAN 2)
Table 23 NETWORK > WAN > Traffic Redirect
Table 24 NETWORK > DMZ
Table 25 NETWORK > DMZ > Static DHCP
Table 26 NETWORK > DMZ > IP Alias
Table 27 NETWORK > DMZ > Port Roles
Table 28 Types of Encryption for Each Type of Authentication
Table 29 WIRELESS > Wi-Fi > Wireless Card
Table 30 WIRELESS > Wi-Fi > Configuring SSID
Table 31 Security Modes
Table 32 WIRELESS > Wi-Fi > Security
Table 33 WIRELESS > Wi-Fi > Security: None
Table 34 WIRELESS > Wi-Fi > Security: WEP
Table 35 WIRELESS > Wi-Fi > Security: 802.1x Only
Table 36 WIRELESS > Wi-Fi > Security: 802.1x + Static WEP
Table 37 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX
Table 38 WIRELESS > Wi-Fi > Security: WPA(2)-PSK
Table 39 WIRELESS > Wi-Fi > MAC Filter
Table 40 Blocking All LAN to WAN IRC Traffic Example
Table 41 Limited LAN to WAN IRC Traffic Example
Table 42 SECURITY > FIREWALL > Default Rule
Table 43 SECURITY > FIREWALL > Rule Summary
Table 44 SECURITY > FIREWALL > Rule Summary > Edit
Table 45 SECURITY > FIREWALL > Anti-Probing
Table 46 SECURITY > FIREWALL > Threshold
Table 47 SECURITY > FIREWALL > Service
Table 48 SECURITY > FIREWALL > Service > Add
Table 49 SECURITY > AUTH SERVER > Local User Database
Table 50 SECURITY > AUTH SERVER > RADIUS
Table 51 SECURITY > CERTIFICATES > My Certificates
Table 52 SECURITY > CERTIFICATES > My Certificates > Details
Table 53 SECURITY > CERTIFICATES > My Certificates > Export
Table 54 SECURITY > CERTIFICATES > My Certificates > Import
Table 55 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12
Table 56 SECURITY > CERTIFICATES > My Certificates > Create
Table 57 SECURITY > CERTIFICATES > Trusted CAs
Table 58 SECURITY > CERTIFICATES > Trusted CAs > Details
Table 59 SECURITY > CERTIFICATES > Trusted CAs Import
Table 60 SECURITY > CERTIFICATES > Trusted Remote Hosts
Table 61 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import
Table 62 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details
Table 63 SECURITY > CERTIFICATES > Directory Servers
Table 64 SECURITY > CERTIFICATES > Directory Server > Add
Table 65 NAT Definitions
Table 66 NAT Mapping Types
Table 67 ADVANCED > NAT > NAT Overview
Table 68 ADVANCED > NAT > Address Mapping
Table 69 ADVANCED > NAT > Address Mapping > Edit
Table 70 Services and Port Numbers
Table 71 ADVANCED > NAT > Port Forwarding
Table 72 ADVANCED > NAT > Port Triggering
Table 73 ADVANCED > STATIC ROUTE > IP Static Route
Table 74 ADVANCED > STATIC ROUTE > IP Static Route > Edit
Table 75 ADVANCED > DNS > Add (Address Record)
Table 76 ADVANCED > REMOTE MGMT > WWW
Table 77 ADVANCED > REMOTE MGMT > SSH
Table 78 ADVANCED > REMOTE MGMT > Telnet
Table 79 ADVANCED > REMOTE MGMT > FTP
Table 80 SNMP Traps
Table 81 ADVANCED > REMOTE MGMT > SNMP
Table 82 ADVANCED > REMOTE MGMT > DNS
Table 83 ADVANCED > REMOTE MGMT > CNM
Table 84 ADVANCED > UPnP
Table 85 ADVANCED > UPnP > Ports
Table 86 ADVANCED > Custom APP
Table 87 ADVANCED > ALG
Table 88 LOGS > View Log
Table 89 Log Description Example
Table 90 LOGS > Log Settings
Table 91 LOGS > Reports
Table 92 LOGS > Reports: Web Site Hits Report
Table 93 LOGS > Reports: Host IP Address
Table 94 LOGS > Reports: Protocol/Port
Table 95 Report Specifications
Table 96 System Maintenance Logs
Table 97 System Error Logs
Table 98 Access Control Logs
Table 99 TCP Reset Logs
Table 100 Packet Filter Logs
Table 101 ICMP Logs
Table 102 Remote Management Logs
Table 103 CDR Logs
Table 104 PPP Logs
Table 105 UPnP Logs
Table 106 Attack Logs
Table 107 3G Logs
Table 108 PKI Logs
Table 109 ACL Setting Notes
Table 110 ICMP Notes
Table 111 Syslog Logs
Table 112 RFC-2408 ISAKMP Payload Types
Table 113 MAINTENANCE > General Setup
Table 114 MAINTENANCE > Password
Table 115 MAINTENANCE > Time and Date
Table 116 MAINTENANCE > Firmware Upload
Table 117 Restore Configuration
Table 118 Typical 3G transmission speeds
Table 119 Hardware Specifications
Table 120 Firmware Specifications
Table 121 Feature Specifications
Table 122 IP Address Network Number and Host ID Example
Table 123 Subnet Masks
Table 124 Maximum Host Numbers
List of TablesNBG410W3G Series User s Guide32Table 125 Alternative Subnet Mask Notation  .......................................................................................379Table 126 Subnet 1  ..............................................................................................................................381Table 127 Subnet 2  ..............................................................................................................................382Table 128 Subnet 3  ..............................................................................................................................382Table 129 Subnet 4  ..............................................................................................................................382Table 130 Eight Subnets  ......................................................................................................................382Table 131 24-bit Network Number Subnet Planning  ............................................................................383Table 132 16-bit Network Number Subnet Planning  ............................................................................383Table 133 Commonly Used Services  ...................................................................................................385Table 134 IEEE 802.11g  ......................................................................................................................393Table 135 Wireless Security Levels  .....................................................................................................394Table 136 Comparison of EAP Authentication Types  ..........................................................................397Table 137 Wireless Security Relational Matrix  ....................................................................................400

PART I
Introduction

Getting to Know Your ZyXEL Device
Introducing the Web Configurator
Wizard Setup
Tutorials

CHAPTER 1
Getting to Know Your ZyXEL Device

This chapter introduces the main features and applications of the ZyXEL Device.

1.1  Overview

The ZyXEL Device is a high-security 3G router with wireless capability. Access the Internet with the 3G connection from any location with 3G coverage, with the option of using a wired WAN connection at the same time. Enhance network security by adding a De-Militarized Zone (DMZ) to your network. This separates devices that are publicly accessible (and less secure) from your LAN. Set up a local network with the four LAN ports and set up a wireless network with IEEE 802.11b or IEEE 802.11g compatible wireless devices. The ZyXEL Device provides the option to easily move devices from your LAN or wireless network to the DMZ. The ZyXEL Device also provides NAT, port forwarding, DHCP server and many other powerful features.

The NBG410W3G and NBG412W3G offer similar features. However, the NBG410W3G also supports an internal 3G interface.

See Chapter 22 on page 345 for a complete list of features for both devices.

1.2  Applications for the ZyXEL Device

Here are some examples of what you can do with your ZyXEL Device.

1.2.1  3G WAN Application

With an activated, correctly inserted 3G SIM card you can use the ZyXEL Device to wirelessly access the Internet via a 3G base station. See Section 6.9 on page 126 for more information about 3G.

With both the primary WAN (physical WAN port) and 3G connections enabled, you can set one of the WAN connections as a backup.

Figure 1   3G WAN Application

1.2.2  Secure Broadband Internet Access via Cable or DSL Modem

For Internet access, connect the WAN Ethernet port to your existing Internet access gateway (company network, or your cable or DSL modem for example). Connect computers or servers to the LAN or DMZ ports for shared Internet access. The ZyXEL Device guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.

Figure 2   Secure Internet Access via Cable or DSL Modem

1.3  Ways to Manage the ZyXEL Device

Use any of the following methods to manage the ZyXEL Device.

- Web Configurator. This is recommended for everyday management of the ZyXEL Device using a (supported) web browser.
- Command Line Interface. Line commands are mostly used for troubleshooting by service engineers.
- FTP for firmware upgrades and configuration backup/restore.

1.4  Configuring Your ZyXEL Device's Security Features

Your ZyXEL Device comes with a variety of security features. This section summarizes these features and provides links to sections in the User's Guide to configure security settings on your ZyXEL Device. Follow the suggestions below to improve security on your ZyXEL Device and network.

1.4.1  Control Access to Your Device

Ensure only people with permission can access your ZyXEL Device.

- Control physical access by locating devices in secure areas, such as locked rooms. Most ZyXEL Devices have a reset button. If an unauthorized person has access to the reset button, they can then reset the device's password to its default password, log in and reconfigure its settings.
- Change any default passwords on the ZyXEL Device, such as the password used for accessing the ZyXEL Device's web configurator (if it has a web configurator). Use a password with a combination of letters and numbers and change your password regularly. Write down the password and put it in a safe place.
- Avoid setting a long timeout period before the ZyXEL Device's web configurator automatically times out. A short timeout reduces the risk of an unauthorized person accessing the web configurator while it is left idle.

See Chapter 20 on page 325 for instructions on changing your password and setting the timeout period.

- Configure remote management to control who can manage your ZyXEL Device. See Section 15.1 on page 259 for more information. If you enable remote management, ensure you have enabled remote management only on the IP addresses, services or interfaces you intended and that other remote management settings are disabled.

1.4.2  Wireless Security

Wireless devices are especially vulnerable to attack. If your ZyXEL Device has a wireless function, take the following measures to improve wireless security.

- Enable wireless security on your ZyXEL Device. Choose the most secure encryption method that all devices on your network support. If you have a RADIUS server, enable IEEE 802.1x or WPA(2) user identification on your network so users must log in. This method is more common in business environments.
- Hide your wireless network name (SSID). The SSID can be regularly broadcast and unauthorized users may use this information to access your network.
- Enable the MAC filter to allow only trusted users to access your wireless network or deny unwanted users access based on their MAC address.

See Section 8.2 on page 148 for directions on these wireless security measures.

1.4.3  Firewall

See Section 9.1 on page 167 for more information on the following security measures.

- Ensure the firewall is turned on. Traffic initiated from your WAN is blocked by default.
- Set the firewall to block ICMP requests.
- Enable the option to not respond to requests for unauthorized services.
- If you have a backup gateway (for example, backup Internet access) on your network, disable the Bypass Triangle Routes feature and enable IP Alias to put your backup gateway on a different subnet.
- Avoid raising the maximum number of NAT sessions per host unnecessarily as it increases the possibility of unauthorized connections, such as connections caused by a computer virus.

1.4.4  NAT

- Enable NAT (Network Address Translation) to make devices on your network "invisible" to those outside your network (unless you configure port-forwarding rules for them).
- Applications such as games or file-sharing can be configured so they are visible from other networks by using port-forwarding. Ensure only applications you want are configured to port-forward.

See Section 12.1 on page 225 for instructions on these measures.

1.4.5  UPnP

- Disable UPnP (Universal Plug and Play) unless you specifically want applications (for example, games or file-sharing applications) on your network to pass through your firewall unchecked.

See Section 16.1 on page 281 for instructions on this measure.

1.5  Maintaining Your ZyXEL Device

Do the following things regularly to keep your ZyXEL Device running.

- Check the ZyXEL website (www.zyxel.com.tw) regularly for new firmware for your ZyXEL Device. Ensure you download the correct firmware for your model.
- Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyXEL Device to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the ZyXEL Device. You could simply restore your last configuration.
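The recommendations in Sections 1.4.1 to 1.4.5 can be checked mechanically once the current settings are written down. The following is an added example, not part of the ZyXEL manual or firmware: the snapshot keys, the sample snapshots, the sample addresses and the NAT session value 2048 are all hypothetical, and only the default password 1234 and the five-minute inactivity default come from this guide.

```python
"""Audit a hand-transcribed settings snapshot against Sections 1.4.1 to 1.4.5.

Every dictionary key below is hypothetical: the manual defines no export
format, so the snapshot is assumed to be copied from the web configurator.
"""
import re

FACTORY_PASSWORD = "1234"   # default password given in the manual
DEFAULT_IDLE_MINUTES = 5    # default Administrator Inactivity Timer
# Weakest to strongest. This ordering is general knowledge, not from the page.
WIRELESS_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}


def audit(cfg, intended_mgmt=(), approved_forwards=(),
          strongest_common="wpa2", factory_nat_sessions=None):
    """Return (section, finding) tuples; an empty list means nothing to fix.

    intended_mgmt: (service, interface) pairs you meant to enable.
    approved_forwards: (port, host) pairs you meant to forward.
    strongest_common: best wireless mode that every client supports.
    factory_nat_sessions: factory per-host NAT session limit, if known.
    """
    out = []
    intended = {tuple(p) for p in intended_mgmt}
    approved = {tuple(p) for p in approved_forwards}

    # 1.4.1 Control access to the device
    pw = cfg.get("admin_password", FACTORY_PASSWORD)
    if pw == FACTORY_PASSWORD:
        out.append(("1.4.1", "admin password is the factory default"))
    elif not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        out.append(("1.4.1", "admin password does not combine letters and numbers"))
    if cfg.get("idle_timeout_minutes", DEFAULT_IDLE_MINUTES) > DEFAULT_IDLE_MINUTES:
        out.append(("1.4.1", "inactivity timer is longer than the default"))
    for service, interface in cfg.get("remote_mgmt_enabled", []):
        if (service, interface) not in intended:
            out.append(("1.4.1", f"unintended remote management: {service} on {interface}"))

    # 1.4.2 Wireless security
    wl = cfg.get("wireless", {})
    if wl.get("enabled"):
        mode = wl.get("security", "none")
        if mode not in WIRELESS_RANK:
            out.append(("1.4.2", f"unknown wireless security mode: {mode}"))
        elif WIRELESS_RANK[mode] < WIRELESS_RANK[strongest_common]:
            out.append(("1.4.2", f"wireless security {mode} is weaker than {strongest_common}"))
        if not wl.get("hide_ssid"):
            out.append(("1.4.2", "SSID is broadcast"))
        if not wl.get("mac_filter"):
            out.append(("1.4.2", "MAC filter is disabled"))

    # 1.4.3 Firewall
    fw = cfg.get("firewall", {})
    if not fw.get("enabled"):
        out.append(("1.4.3", "firewall is turned off"))
    if not fw.get("block_icmp"):
        out.append(("1.4.3", "firewall answers ICMP requests"))
    if not fw.get("ignore_unauthorized_services"):
        out.append(("1.4.3", "device responds to requests for unauthorized services"))
    if cfg.get("backup_gateway") and fw.get("bypass_triangle_routes"):
        out.append(("1.4.3", "Bypass Triangle Routes is on with a backup gateway"))
    sessions = fw.get("nat_sessions_per_host")
    if None not in (sessions, factory_nat_sessions) and sessions > factory_nat_sessions:
        out.append(("1.4.3", "NAT sessions per host raised above the factory value"))

    # 1.4.4 NAT and port forwarding
    nat = cfg.get("nat", {})
    if not nat.get("enabled"):
        out.append(("1.4.4", "NAT is disabled"))
    for port, host in nat.get("port_forwards", []):
        if (port, host) not in approved:
            out.append(("1.4.4", f"unapproved port forward: {port} to {host}"))

    # 1.4.5 UPnP
    if cfg.get("upnp_enabled"):
        out.append(("1.4.5", "UPnP is enabled"))
    return out


# Constructed sample snapshots (not taken from a real device).
WEAK = {
    "admin_password": "1234", "idle_timeout_minutes": 30,
    "remote_mgmt_enabled": [("www", "wan"), ("telnet", "wan")],
    "wireless": {"enabled": True, "security": "wep",
                 "hide_ssid": False, "mac_filter": False},
    "firewall": {"enabled": False, "block_icmp": False,
                 "ignore_unauthorized_services": False,
                 "bypass_triangle_routes": True, "nat_sessions_per_host": 4096},
    "backup_gateway": True,
    "nat": {"enabled": True,
            "port_forwards": [(21, "192.168.1.33"), (6881, "192.168.1.34")]},
    "upnp_enabled": True,
}
HARDENED = {
    "admin_password": "k7Lm92qTx", "idle_timeout_minutes": 5,
    "remote_mgmt_enabled": [("www", "lan")],
    "wireless": {"enabled": True, "security": "wpa2",
                 "hide_ssid": True, "mac_filter": True},
    "firewall": {"enabled": True, "block_icmp": True,
                 "ignore_unauthorized_services": True,
                 "bypass_triangle_routes": False, "nat_sessions_per_host": 2048},
    "backup_gateway": True,
    "nat": {"enabled": True, "port_forwards": [(21, "192.168.1.33")]},
    "upnp_enabled": False,
}
# Constructed intent; 2048 is a placeholder, not the device's real limit.
INTENT = dict(intended_mgmt=[("www", "lan")],
              approved_forwards=[(21, "192.168.1.33")],
              factory_nat_sessions=2048)

if __name__ == "__main__":
    for name, snap in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(snap, **INTENT))
```
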

1.5.1  Front Panel Lights

Figure 3   Front Panel

The following tables describe the lights. Table 1 describes the light features in NBG410W3G, and Table 2 describes the light features in NBG412W3G.

Table 1   NBG410W3G Front Panel Lights

| LED | COLOR | STATUS | DESCRIPTION |
|---|---|---|---|
| POWER | | Off | The ZyXEL Device is turned off. |
| | Green | On | The ZyXEL Device is ready and running. |
| | Green | Flashing | The ZyXEL Device is restarting. |
| | Red | On | The power to the ZyXEL Device is too low. |
| LAN/DMZ 10/100 | | Off | The LAN/DMZ is not connected. |
| | Green | On | The ZyXEL Device has a successful 10Mbps Ethernet connection. |
| | Green | Flashing | The 10M LAN is sending or receiving packets. |
| | Orange | On | The ZyXEL Device has a successful 100Mbps Ethernet connection. |
| | Orange | Flashing | The 100M LAN is sending or receiving packets. |
| WAN | | Off | The WAN connection is not ready, or has failed. |
| | Green | On | The ZyXEL Device has a successful 10Mbps WAN connection. |
| | Green | Flashing | The 10M WAN is sending or receiving packets. |
| | Orange | On | The ZyXEL Device has a successful 100Mbps WAN connection. |
| | Orange | Flashing | The 100M WAN is sending or receiving packets. |
| Wi-Fi | Green | Off | The wireless connection through the built-in Wi-Fi card is not ready, or has failed. |
| | Green | On | The wireless LAN through the built-in wireless LAN card is ready. |
| | Green | Flashing | The wireless LAN through the built-in wireless LAN card is sending or receiving packets. |
| 3G OPERATION | Green | On | The ZyXEL Device has a successful 3G connection. |
| | Green | Flashing | The ZyXEL Device has detected an available 3G network, but has not yet connected to it. |
| | Blue | On | The ZyXEL Device has a successful 3.5G connection. |
| | Blue | Flashing | The ZyXEL Device has detected an available 3.5G network, but has not yet connected to it. |
| | Orange | On | The ZyXEL Device has a successful 2G or 2.5G connection. |
| | Orange | Flashing | The ZyXEL Device has detected an available 2G or 2.5G network, but has not yet connected to it. |
| | | Off | One (or more) of the following has occurred: the 3G function is not activated; the ZyXEL Device is not registered with a 3G network. |
| 3G SIGNAL STRENGTH | Green | On | The 3G signal is strong. |
| | Yellow | On | The 3G signal is moderate. |
| | Red | On | The 3G signal is weak. |
| | | Off | If the 3G OPERATION LED is not off, no 3G signal is detected. |

Table 2   NBG412W3G Front Panel Lights

| LED | COLOR | STATUS | DESCRIPTION |
|---|---|---|---|
| POWER | | Off | The ZyXEL Device is turned off. |
| | Green | On | The ZyXEL Device is ready and running. |
| | Green | Flashing | The ZyXEL Device is restarting. |
| | Red | On | The power to the ZyXEL Device is too low. |
| LAN/DMZ 10/100 | | Off | The LAN/DMZ is not connected. |
| | Green | On | The ZyXEL Device has a successful 10Mbps Ethernet connection. |
| | Green | Flashing | The 10M LAN is sending or receiving packets. |
| | Orange | On | The ZyXEL Device has a successful 100Mbps Ethernet connection. |
| | Orange | Flashing | The 100M LAN is sending or receiving packets. |
| WAN | | Off | The WAN connection is not ready, or has failed. |
| | Green | On | The ZyXEL Device has a successful 10Mbps WAN connection. |
| | Green | Flashing | The 10M WAN is sending or receiving packets. |
| | Orange | On | The ZyXEL Device has a successful 100Mbps WAN connection. |
| | Orange | Flashing | The 100M WAN is sending or receiving packets. |
| Wi-Fi | Green | Off | The wireless connection through the built-in Wi-Fi card is not ready, or has failed. |
| | Green | On | The wireless LAN through the built-in wireless LAN card is ready. |
| | Green | Flashing | The wireless LAN through the built-in wireless LAN card is sending or receiving packets. |
| 3G MODE | Green | On | The 3G function is activated. |
| | | Off | The 3G function is not activated. |
| 3G LINK | Green | On | The ZyXEL Device has a successful 3G connection. |
| | | Off | There is no 3G connection. |

CHAPTER 2
Introducing the Web Configurator

This chapter describes how to access the ZyXEL Device web configurator and provides an overview of its screens.

2.1  Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy ZyXEL Device setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.

In order to use the web configurator you need to allow:

- Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
- JavaScripts (enabled by default).
- Java permissions (enabled by default).

See Appendix A on page 353 if you want to make sure these functions are allowed in Internet Explorer or Netscape Navigator.

2.2  Accessing the ZyXEL Device Web Configurator

1. Make sure your ZyXEL Device hardware is properly connected and prepare your computer/computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
2. Launch your web browser.
3. Type "192.168.1.1" as the URL.
4. Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically. If this is the case, click Login.

Figure 4   Login Screen

5. You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.

Figure 5   Change Password Screen

6. Click Apply in the Replace Certificate screen to create a certificate using your ZyXEL Device's MAC address that will be specific to this device. If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.

Figure 6   Replace Certificate Screen

7. You should now see the HOME screen (see Figure 9 on page 47).

The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyXEL Device if this happens to you.

2.3  Resetting the ZyXEL Device

If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyXEL Device. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will also be reset to 1234.

2.3.1  Procedure To Use The Reset Button

Make sure the POWER LED is on (not blinking) before you begin this procedure.

1. Press the RESET button for ten seconds, and then release it. If the POWER LED begins to blink, the defaults have been restored and the ZyXEL Device restarts. Otherwise, go to step 2.
2. Turn the ZyXEL Device off.
3. While pressing the RESET button, turn the ZyXEL Device on.
4. Continue to hold the RESET button. The POWER LED will begin to blink and flicker very quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyXEL Device is now restarting.
5. Release the RESET button and wait for the ZyXEL Device to finish restarting.

2.3.2  Uploading a Configuration File Via Console Port

1. Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
2. Turn off the ZyXEL Device, begin a terminal emulation software session and turn on the ZyXEL Device again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
3. Enter "y" at the prompt below to go into debug mode.
4. Enter "atlc" after the "Enter Debug Mode" message.
5. Wait for the "Starting XMODEM upload" message before activating Xmodem upload on your terminal. This is an example Xmodem configuration upload using HyperTerminal.

Figure 7   Example Xmodem Upload (callouts: Type the configuration file's location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.)

6. After successful firmware upload, enter "atgo" to restart the router.

2.4  Navigating the ZyXEL Device Web Configurator

The following summarizes how to navigate the web configurator from the HOME screen.

Figure 8   HOME Screen

As illustrated above, the main screen is divided into these parts:

- A - title bar
- B - main window
- C - navigation panel
- D - status bar

2.4.1  Title Bar

The title bar provides some icons in the upper right corner.
 Chapter 2Introducing the Web ConfiguratorNBG410W3G Series User s Guide 47The icons provide the following functions.2.4.2  Main WindowThe main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document.Right after you log in, the HOME screen is displayed.2.4.3  HOME Screen This screen displays general status information about the ZyXEL Device.  WAN 2 refers to the 3G feature on the supported ZyXEL Device.Figure 9   Web Configurator HOME Screen The following table describes the labels in this screen. Table 3   Title Bar: Web Configurator IconsICON  DESCRIPTIONWizardClick this icon to open one of the web configurator wizards. See Chapter 3 on page 59 for more information.HelpClick this icon to open the help page for the current screen.Table 4   Web Configurator HOME ScreenLABEL DESCRIPTIONAutomatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.RefreshClick this button to update the status screen statistics immediately.
Chapter 2Introducing the Web ConfiguratorNBG410W3G Series User s Guide48System InformationSystem NameThis is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyXEL Device.ModelThis is the model name of your ZyXEL Device.Bootbase VersionThis is the bootbase version and the date created.Firmware VersionThis is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.Up TimeThis field displays how long the ZyXEL Device has been running since it last started up. The ZyXEL Device starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 45).System TimeThis field displays your ZyXEL Device s present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyXEL Device to use it. Click the field label to go to the screen where you can modify the ZyXEL Device s date and time settings.FirewallThis displays whether or not the ZyXEL Device s firewall is activated. Click the field label to go to the screen where you can turn the firewall on or off.System ResourcesFlashThe first number shows how many megabytes of the flash the ZyXEL Device is using.MemoryThe first number shows how many megabytes of the heap memory the ZyXEL Device is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT and the firewall. The second number shows the ZyXEL Device's total heap memory (in megabytes). The bar displays what percent of the ZyXEL Device's heap memory is in use. 
The bar turns from green to red when the maximum is being approached.SessionsThe first number shows how many sessions are currently open on the ZyXEL Device. This includes all sessions that are currently traversing the ZyXEL Device, terminating at the ZyXEL Device or Initiated from the ZyXEL Device The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.CPUThis field displays what percentage of the ZyXEL Device s processing ability is currently used. When this percentage is close to 100%, the ZyXEL Device is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications.InterfacesThis is the port type. Click "+" to expand or "-" to collapse the IP alias drop-down lists.Hold your cursor over an interface s label to display the interface s MAC address.Click an interface s label to go to the screen where you can configure settings for that interface.Table 4   Web Configurator HOME Screen (continued)LABEL DESCRIPTION
 Chapter 2Introducing the Web ConfiguratorNBG410W3G Series User s Guide 49StatusFor the LAN and DMZ ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time. The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect.For the WAN 1 port, it displays the port speed and duplex setting if you re using Ethernet encapsulation or the remote node name for a PPP connection and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you re using PPPoE encapsulation. For the WAN 2 interface, it displays Connected when the 3G connection is up, Connecting when the 3G card is trying to connect to a network but has not received a response from the base station, Ready to Connect when the 3G connection is idle, Initializing when the ZyXEL Device is configuring the 3G card with AT commands, Disconnecting when the ZyXEL Device is dropping the 3G connection or Down when the 3G connection is down.IP/NetmaskThis shows the port s IP address and subnet mask.IP Assignment For the WAN, if the ZyXEL Device gets its IP address automatically from an ISP, this displays DHCP client when you re using Ethernet encapsulation and IPCP Client when you re using PPPoE or PPTP encapsulation. Static displays if the WAN port is using a manually entered static (fixed) IP address.For the LAN or DMZ, DHCP server displays when the ZyXEL Device is set to automatically give IP address information to the computers connected to the LAN. DHCP relay displays when the ZyXEL Device is set to forward IP address assignment requests to another DHCP server. Static displays if the LAN port is using a manually entered static (fixed) IP address. 
In this case, you must have another DHCP server on your LAN, or else the computers must be manually configured. RenewIf you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port s dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP, PPPoE or 3G WAN connection. Click Drop to disconnect the PPTP, PPPoE or 3G WAN connection.3G WAN Interface StatusThe fields below display when a 3G card is inserted and WAN 2 is enabled.show detail.../hide detail...Click show detail... to see more information about the 3G connection and 3G card. Click hide detail... to display less information about the 3G connection and 3G card.3G Connection StatusThis displays Down when the 3G connection is down or not activated. This displays Initializing when the ZyXEL Device is configuring the 3G card with AT commands.This displays Ready to Connect when the 3G connection is idle before the ZyXEL Device triggers a call. This displays Connecting when the 3G card is trying to connect to a network but has not received a response from the base station.This displays Connected when the 3G connection is up. This displays Disconnecting when the ZyXEL Device is dropping the 3G connection.This field also displays the type of the network to which the ZyXEL Device is connected. The network type varies depending on the 3G card you inserted and could be UMTS, HSDPA, GPRS or EDGE when you insert a GSM 3G card, or 1xRTT, EVDO Rev.0 or EVDO Rev.A when you insert a CDMA 3G card.Service ProviderThis displays the name of your network service provider or Limited Service when the signal strength is too low or the ISP is limiting your access.Table 4   Web Configurator HOME Screen (continued)LABEL DESCRIPTION
Chapter 2Introducing the Web ConfiguratorNBG410W3G Series User s Guide50Roaming NetworkThis field is available only when you insert a 3G card that supports the roaming feature.This displays whether the card is able to connect to other ISPs  base stations.Dormant StateThis field is available only when you insert a 3G card that supports the dormant state.This displays whether the card is in dormant state. When there is no data transmitting, a card does not send a radio signal and is in dormant state to reduce bandwidth usage.Signal StrengthThis displays the signal strength of the wireless network in dBm. The status bar shows the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyXEL Device and the service provider s base station. You can see a signal strength indication even when the ZyXEL Device does not have a 3G connection (because the signal is still there even when the ZyXEL Device is not using it).Last Connection Up TimeThis displays how long the 3G connection has been up.Tx BytesThis displays the total number of data frames transmitted.Rx BytesThis displays the total number of data frames received.3G Card ManufacturerThis displays the manufacturer of your 3G card. 3G Card ModelThis displays the model name of your 3G card.3G Card Firmware RevisionThis displays the version of the firmware currently used in the 3G card.3G Card IMEIThis field is available only when you insert a GSM (Global System for Mobile Communications) or UMTS (Universal Mobile Telecommunications System) 3G card.This displays the International Mobile Equipment Identity (IMEI) which is the serial number of the GSM or UMTS 3G wireless card. The IMEI is a unique 15-digit number used to identify a mobile device.SIM Card IMSIThis field is available only when you insert a GSM or UMTS 3G card. This displays the International Mobile Subscriber Identity (IMSI) stored in the SIM (Subscriber Identity Module) card. 
The SIM card is installed in a mobile device and used for authenticating a customer to the carrier network. The IMSI is a unique 15-digit number used to identify a user on a network.3G Card ESNThis field is available only when you insert a CDMA (Code Division Multiple Access) 3G card.This shows the ESN (Electronic Serial Number) of the inserted CDMA 3G card. The ESN is the serial number of a CDMA 3G card and is similar to the IMEI on a GSM or UMTS 3G card.Enter PIN code againIf the PIN code you specified in the 3G (WAN 2) screen is not the right one for the card you inserted, this field displays allowing you to enter the correct PIN code. Enter the PIN code (four to eight digits) for the inserted 3G card.ApplyClick Apply to save the correct PIN code and replace the one you specified in the 3G (WAN 2) screen.PUK CodeIf you enter the PIN code incorrectly three times, the SIM card will be blocked by your ISP and you cannot use the account to access the Internet. You should get the PUK (Personal Unblocking Key) code (four to eight digits) from your ISP. Enter the PUK code to enable the SIM card. If an incorrect PUK code is entered 10 times, the SIM card will be disabled permanently. You then need to contact your ISP for a new SIM card.Table 4   Web Configurator HOME Screen (continued)LABEL DESCRIPTION
Table 4   Web Configurator HOME Screen (continued)
LABEL | DESCRIPTION
New PIN Code | Configure a PIN code for the SIM card. You can specify any four to eight digits to have a new PIN code or enter the previous PIN code.
Confirm New PIN Code | Enter the PIN code again for confirmation.
Apply | Click Apply to save your changes in this section.
Reset budget counters, resume budget control | This field displays if you have enabled budget control but insert a 3G card with a different user account from the one for which you configured budget control. Select this option to have the ZyXEL Device do budget calculation starting from 0 but use the previous settings.
Resume budget control | This field displays if you have enabled budget control but insert a 3G card with a different user account from the one for which you configured budget control. Select this option to have the ZyXEL Device keep the existing statistics and continue counting.
Disable budget control | This field displays if you have enabled budget control but insert a 3G card with a different user account from the one for which you configured budget control. Select this option to disable budget control. If you want to enable and configure new budget control settings for the new user account, go to the 3G (WAN 2) screen. The ZyXEL Device keeps the existing statistics if you do not change the budget control settings. You could reinsert the original card and enable budget control to have the ZyXEL Device continue counting the budget control statistics.
Apply | Click Apply to save your changes in this section.
Enter modem unlock code | This field only displays when you insert a 3G card and the internal modem on the 3G card is blocked. Enter a key to enable the internal modem on your 3G card. By default, the key is the last four digits of your phone number used to dial up the 3G connection. Otherwise, you need to get the key from your service provider.
Apply | Click Apply to save your changes in this section.
Remaining Time Budget | This field is available only when you enable budget control in the 3G (WAN 2) screen. This shows the amount of time (in hours and minutes) the 3G connection can still be used before the ZyXEL Device takes the actions you specified in the 3G (WAN 2) screen.
Remaining Data Budget | This field is available only when you enable budget control in the Network > WAN > 3G (WAN 2) screen. This shows how much data (in bytes) can still be transmitted through the 3G connection before the ZyXEL Device takes the actions you specified in the 3G (WAN 2) screen. Note: The budget counters will not be reset when you restore the factory defaults. The budget counters are saved to the flash every hour or when the 3G connection is dropped. If you restart the ZyXEL Device within one hour, any change in the counters will not be saved.
Reset time and data budget counters | This button is available only when you enable budget control in the 3G (WAN 2) screen. Click this button to reset the time and data budgets. The count starts over with the 3G connection's full configured monthly time and data budgets. This does not affect the normal monthly budget restart.
Table 4   Web Configurator HOME Screen (continued)
LABEL | DESCRIPTION
Latest Alerts | This table displays the five most recent alerts recorded by the ZyXEL Device. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets.
Date/Time | This is the date and time the alert was recorded.
Message | This is the reason for the alert.
System Status
Port Statistics | Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
DHCP Table | Click DHCP Table to show current DHCP client information.
Bandwidth | Click Bandwidth to view the ZyXEL Device's bandwidth usage and allotments.

2.4.4  Navigation Panel
After you enter the password, use the sub-menus on the navigation panel to configure ZyXEL Device features. The following table describes the sub-menus.

Table 5   Screens Summary
LINK | TAB | FUNCTION
HOME | | This screen shows the ZyXEL Device's general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
NETWORK
LAN | LAN | Use this screen to configure LAN DHCP and TCP/IP settings.
 | Static DHCP | Use this screen to assign fixed IP addresses on the LAN.
 | IP Alias | Use this screen to partition your LAN interface into subnets.
 | Port Roles | Use this screen to change the LAN/DMZ port roles.
WAN | General | This screen allows you to configure operation mode, route priority and connection test.
 | WAN1 | Use this screen to configure the WAN1 connection for Internet access.
 | 3G (WAN2) | Use this screen to configure the WAN2 connection for Internet access.
 | Traffic Redirect | Use this screen to configure your traffic redirect properties and parameters.
DMZ | DMZ | Use this screen to configure your DMZ connection.
 | Static DHCP | Use this screen to assign fixed IP addresses on the DMZ.
 | IP Alias | Use this screen to partition your DMZ interface into subnets.
 | Port Roles | Use this screen to change the LAN/DMZ port roles on the ZyXEL Device.
WIRELESS
3G (WAN2) | 3G (WAN2) | Use this screen to configure the WAN2 connection for Internet access.
Table 5   Screens Summary (continued)
LINK | TAB | FUNCTION
Wi-Fi | Wireless Card | Use this screen to configure the wireless LAN settings.
 | Security | Use this screen to configure the Wi-Fi security settings.
 | MAC Filter | Use this screen to change MAC filter settings on the ZyXEL Device.
SECURITY
FIREWALL | Default Rule | Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule.
 | Rule Summary | This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
 | Anti-Probing | Use this screen to change your anti-probing settings.
 | Threshold | Use this screen to configure the threshold for DoS attacks.
 | Service | Use this screen to configure custom services.
CERTIFICATES | My Certificates | Use this screen to view a summary list of certificates and manage certificates and certification requests.
 | Trusted CAs | Use this screen to view and manage the list of the trusted CAs.
 | Trusted Remote Hosts | Use this screen to view and manage the certificates belonging to the trusted remote hosts.
 | Directory Servers | Use this screen to view and manage the list of the directory servers.
AUTH SERVER | Local User Database | Use this screen to configure the local user account(s) on the ZyXEL Device.
 | RADIUS | Configure this screen to use an external server to authenticate wireless users.
ADVANCED
NAT | NAT Overview | Use this screen to enable NAT.
 | Address Mapping | Use this screen to configure network address translation mapping rules.
 | Port Forwarding | Use this screen to configure servers behind the ZyXEL Device.
 | Port Triggering | Use this screen to change your ZyXEL Device's port triggering settings.
STATIC ROUTE | IP Static Route | Use this screen to configure IP static routes.
DNS | System | Use this screen to configure the address and name server records.
 | Cache | Use this screen to configure the DNS resolution cache.
 | DHCP | Use this screen to configure LAN/DMZ DNS information.
 | DDNS | Use this screen to set up dynamic DNS.
Table 5   Screens Summary (continued)
LINK | TAB | FUNCTION
REMOTE MGMT | WWW | Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyXEL Device.
 | SSH | Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyXEL Device.
 | TELNET | Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyXEL Device.
 | FTP | Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyXEL Device.
 | SNMP | Use this screen to configure your ZyXEL Device's settings for Simple Network Management Protocol management.
 | DNS | Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyXEL Device.
 | CNM | Use this screen to configure and allow your ZyXEL Device to be managed by the Vantage CNM server.
UPnP | UPnP | Use this screen to enable UPnP on the ZyXEL Device.
 | Ports | Use this screen to view the NAT port mapping rules that UPnP creates on the ZyXEL Device.
Custom APP | Custom APP | Use this screen to specify port numbers for the ZyXEL Device to monitor for FTP, HTTP, SMTP, POP3, H323, and SIP traffic.
ALG | ALG | Use this screen to allow certain applications to pass through the ZyXEL Device.
LOGS | View Log | Use this screen to view the logs for the categories that you selected.
 | Log Settings | Use this screen to change your ZyXEL Device's log settings.
 | Reports | Use this screen to have the ZyXEL Device record and display the network usage reports.
MAINTENANCE | General | This screen contains administrative.
 | Password | Use this screen to change your password.
 | Time and Date | Use this screen to change your ZyXEL Device's time and date.
 | F/W Upload | Use this screen to upload firmware to your ZyXEL Device.
 | Backup & Restore | Use this screen to backup and restore the configuration or reset the factory defaults to your ZyXEL Device.
 | Restart | This screen allows you to reboot the ZyXEL Device without turning the power off.
LOGOUT | | Click this label to exit the web configurator.

2.4.5  Port Statistics
Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The Automatic Refresh Interval field is configurable.
Figure 10   HOME > Show Statistics

The following table describes the labels in this screen.

Table 6   HOME > Show Statistics
LABEL | DESCRIPTION
 | Click the icon to display the chart of throughput statistics.
Port | These are the ZyXEL Device's interfaces.
Status | For the WAN interface(s), this displays the port speed and duplex setting if you're using Ethernet encapsulation or the remote node name for a PPP connection and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation. For the LAN or DMZ ports, this displays the port speed and duplex setting. For the Wi-Fi card, this displays the transmission rate when Wi-Fi is enabled or Down when Wi-Fi is disabled.
TxPkts | This is the number of transmitted packets on this port.
RxPkts | This is the number of received packets on this port.
Tx B/s | This displays the transmission speed in bytes per second on this port.
Rx B/s | This displays the reception speed in bytes per second on this port.
Up Time | This is the total amount of time the line has been up.
System Up Time | This is the total time the ZyXEL Device has been on.
Automatic Refresh Interval | Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh | Click this button to update the screen's statistics immediately.

2.4.6  Show Statistics: Line Chart
Click the icon in the Show Statistics screen. This screen shows you a line chart of each port's throughput statistics.
Figure 11   HOME > Show Statistics > Line Chart

The following table describes the labels in this screen.

Table 7   HOME > Show Statistics > Line Chart
LABEL | DESCRIPTION
 | Click the icon to go back to the Show Statistics screen.
Port | Select the check box(es) to display the throughput statistics of the corresponding interface(s).
B/s | Specify the direction of the traffic for which you want to show throughput statistics in this table. Select Tx to display transmitted traffic throughput statistics and the amount of traffic (in bytes). Select Rx to display received traffic throughput statistics and the amount of traffic (in bytes).
Throughput Range | Set the range of the throughput (in B/s, KB/s or MB/s) to display. Click Set Range to save this setting back to the ZyXEL Device.

2.4.7  DHCP Table Screen
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.

Click Show DHCP Table in the HOME screen. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyXEL Device's DHCP server.
Figure 12   HOME > DHCP Table

The following table describes the labels in this screen.

Table 8   HOME > DHCP Table
LABEL | DESCRIPTION
Interface | Select LAN or DMZ to show the current DHCP client information for the specified interface.
# | This is the index number of the host computer.
IP Address | This field displays the IP address relative to the # field listed above.
Host Name | This field displays the computer host name.
MAC Address | The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve | Select the check box in the heading row to automatically select all check boxes or select the check box(es) in each entry to have the ZyXEL Device always assign the selected entry(ies)'s IP address(es) to the corresponding MAC address(es) (and host name(s)). You can select up to 128 entries in this table. After you click Apply, the MAC address and IP address also display in the corresponding LAN or DMZ Static DHCP screen (where you can edit them).
Refresh | Click Refresh to reload the DHCP table.
CHAPTER 3  Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator.

3.1  Wizard Setup Overview
The web configurator's setup wizards help you configure Internet connection settings.

In the HOME screen, click the wizard icon to open the Wizard Setup Welcome screen. The following summarizes the wizards you can select:

Internet Access Setup
Click this link to open a wizard to set up an Internet connection for WAN 1 (the WAN port) on the ZyXEL Device.

Figure 13   Wizard Setup Welcome

3.2  Internet Access
The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information.

3.2.1  ISP Parameters
The ZyXEL Device offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.
The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field.

3.2.1.1  Ethernet
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyXEL Device firewall rule for those packets. Contact your ISP to find the correct port number.

Choose Ethernet when the WAN port is used as a regular Ethernet port.

Figure 14   ISP Parameters: Ethernet Encapsulation

The following table describes the labels in this screen.

Table 9   ISP Parameters: Ethernet Encapsulation
LABEL | DESCRIPTION
ISP Parameters for Internet Access
Encapsulation | You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
WAN IP Address Assignment
IP Address Assignment | Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address | Enter your WAN IP address in this field.
My WAN IP Subnet Mask | Enter the IP subnet mask in this field.
Table 9   ISP Parameters: Ethernet Encapsulation (continued)
LABEL | DESCRIPTION
Gateway IP Address | Enter the gateway IP address in this field.
First DNS Server, Second DNS Server | Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back | Click Back to return to the previous wizard screen.
Finish | Click Finish to save your changes and go to the next screen.

3.2.1.2  PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.

Figure 15   ISP Parameters: PPPoE Encapsulation

The following table describes the labels in this screen.

Table 10   ISP Parameters: PPPoE Encapsulation
LABEL | DESCRIPTION
ISP Parameter for Internet Access
Encapsulation | Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name | Type the name of your service provider.
Table 10   ISP Parameters: PPPoE Encapsulation (continued)
LABEL | DESCRIPTION
User Name | Type the user name given to you by your ISP.
Password | Type the password associated with the user name above.
Retype to Confirm | Type your password again for confirmation.
Nailed-Up | Select Nailed-Up if you do not want the connection to time out.
Idle Timeout | Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
WAN IP Address Assignment
IP Address Assignment | Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address | Enter your WAN IP address in this field.
First DNS Server, Second DNS Server | Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back | Click Back to return to the previous wizard screen.
Finish | Click Finish to save your changes and go to the next screen.

3.2.1.3  PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.

PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.

The ZyXEL Device supports one PPTP server connection at any given time.
Figure 16   ISP Parameters: PPTP Encapsulation

The following table describes the labels in this screen.

Table 11   ISP Parameters: PPTP Encapsulation
LABEL | DESCRIPTION
ISP Parameters for Internet Access
Encapsulation | Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name | Type the user name given to you by your ISP.
Password | Type the password associated with the User Name above.
Retype to Confirm | Type your password again for confirmation.
Nailed-Up | Select Nailed-Up if you do not want the connection to time out.
Idle Timeout | Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address | Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask | Type the subnet mask assigned to you by your ISP (if given).
Server IP Address | Type the IP address of the PPTP server.
Table 11   ISP Parameters: PPTP Encapsulation (continued)
LABEL | DESCRIPTION
Connection ID/Name | Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
WAN IP Address Assignment
IP Address Assignment | Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address | Enter your WAN IP address in this field.
First DNS Server, Second DNS Server | Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back | Click Back to return to the previous wizard screen.
Finish | Click Finish to save your changes and go to the next screen.

3.2.2  Internet Access Wizard Setup Complete
The congratulations screen displays. Click Close to complete the Internet access setup.

Figure 17   Internet Access Setup Complete
CHAPTER 4  Tutorials

This section describes how to do the following.
1 Set up a DMZ (De-Militarized Zone).
2 Use an H.323 VoIP phone on your LAN.
3 Use NAT (Network Address Translation) with multiple public IP addresses.
4 Allow multiple game players to connect to the same server.

4.1  DMZ Overview
The DMZ is a separate network for devices that provide services to users on the Internet. Devices such as a web or e-mail server are more prone to security threats as they are more visible from the Internet and more frequently accessed than devices on your LAN. By placing such devices on a DMZ, you can better restrict access to the devices on your LAN.

The diagram shows servers on the DMZ which are open to public access but protected by the ZyXEL Device's firewall. Devices which require greater security are located on the LAN.

Figure 18   DMZ Overview (diagram labels: Internet, DMZ, LAN)

In this situation a file server is located in the DMZ. The file server is available for public access from the Internet and also from computers located on the LAN. You can use either public or private IP addresses for your DMZ, however the DMZ must be on a different subnet or network from the LAN.
4.2  DMZ Setup Example
In this example the DMZ uses private IP addresses and the default subnet mask of 255.255.255.0. (See Appendix C on page 377 for information on subnetting.) You can also use a static public IP address for your file server.

Figure 19   DMZ Tutorial: DMZ Setup (diagram labels: Internet, File server, WAN1: 123.11.11.11, DMZ, LAN, 192.168.2.33, 192.168.2.0, 192.168.1.0, 192.168.1.33, Host)

4.2.1  Basic Setup
Follow these steps to set up your DMZ with a private or a public IP address.

4.2.1.1  Private IP Address
1 Click NETWORK > DMZ to open the DMZ screen. In the DMZ TCP/IP field type your DMZ IP address in the IP address field. In the IP Subnet Mask field type the same subnet mask as that used on the LAN.
2 Select Server from the drop-down list in the DHCP field to have the ZyXEL Device dynamically assign IP addresses to devices on the DMZ. In the IP Pool Starting Address field type the first available IP address for the DMZ subnetwork. In this example 192.168.2.33 is used. Skip to Section 4.2.1.3 on page 67.

4.2.1.2  Public IP Address
Either configure a static IP address on the server directly using the server's operating system, or follow these steps to set up static DHCP on the ZyXEL Device.
1 Click NETWORK > DMZ > Static DHCP to open the Static DHCP screen.
2 Type the MAC address of the file server in the MAC Address field and a valid IP address on your DMZ in the IP Address field. In this example the MAC address is 00:A0:C5:00:00:02 and the IP address is 192.168.2.33.
3 Click Apply. That completes setup of static DHCP on the ZyXEL Device.
Figure 20   DMZ Tutorial: NETWORK > DMZ > Static DHCP

4.2.1.3  Public and Private IP Addresses
1 In Windows Networking (NetBIOS over TCP/IP) select Allow between DMZ and LAN. In this example, both the file server on the DMZ and a computer on the LAN use a Windows OS. Enable NetBIOS to allow LAN computers to use Windows programs such as Windows Explorer to access the server on the DMZ.
2 Click Apply.

Figure 21   DMZ Tutorial: NETWORK > DMZ

3 Ensure NAT (Network Address Translation) is enabled on your WAN to allow the ZyXEL Device to manage the IP addresses of traffic it routes between networks. Click ADVANCED > NAT. For your WAN connection select . In this example NAT is enabled in the Enable NAT field on WAN1 and SUA is selected. For more information on this screen see Chapter 12 on page 225.
Figure 22   DMZ Tutorial: ADVANCED > NAT Overview

This completes basic setup of your DMZ.

4.2.2  Advanced Setup
In this scenario the file server runs an FTP (File Transfer Protocol) download service. Since FTP is not compatible with NAT, you can use the ALG (Application Layer Gateway) to manage FTP. (See Chapter 18 on page 293 for more information.)

To allow FTP sessions to be initiated by users on the WAN, port-forwarding is also required (see Section 12.5 on page 235 for more information) and for port-forwarding the file server needs a static IP address.

ALG Setup
To turn on the ZyXEL Device's FTP ALG, click ADVANCED > ALG. Select Enable FTP ALG and click Apply.

Figure 23   DMZ Tutorial: ADVANCED > ALG
Port Forwarding Setup
1 To configure port forwarding, first configure a static IP on the file server if you haven't already. See Section 4.2.1.2 on page 66.
2 Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen.
3 In the WAN Interface field select the correct WAN for your network. This example uses WAN1.
4 In the rule row you are configuring select Active.
5 In the Name field type a descriptive name for the port forwarding rule. This example uses FTP.
6 In the Incoming Port(s) field type the port number used by the FTP application. This example uses 69.
7 In the Server IP Address field type the IP address of your file server. This example uses 192.168.1.33.
8 Click Apply.

Figure 24   DMZ Tutorial: ADVANCED > NAT > Port Forwarding

This completes setup of NAT-incompatible services on the server in your DMZ. Now users can access the file server on your DMZ from the Internet.

4.3  Firewall Rule Setup
Your ZyXEL Device's firewall default settings provide network security by allowing traffic from the WAN to your DMZ, and blocking traffic from the DMZ to the LAN. However, you can further enhance network security by defining firewall rules specifically for traffic from the WAN to the DMZ.
You need to define two rules - one to drop all traffic from the WAN to the DMZ, the other to permit HTTP and FTP traffic from the WAN to the DMZ. This ensures that only HTTP and FTP traffic from the WAN to the DMZ is permitted and all other traffic is blocked.

If you have not already done so, define a static IP address for the file server (see step 1 on page 69 for instructions).

1 Click SECURITY > Firewall > Rule Summary to display the Rule Summary screen. Use this screen to configure firewall rules on traffic between the file server and the WAN. In this example, traffic from WAN1 to the file server is restricted to HTTP and FTP traffic.
2 The Rule Summary screen appears. Select WAN1 and DMZ from the drop-down list in the Packet Direction field and click Refresh. Click the Modify icon to add a new rule.

Figure 25   DMZ Tutorial: SECURITY > Firewall > Rule Summary

3 The Firewall - Edit screen appears. Type the name of the firewall rule in the Rule Name field. In this example WAN12DMZ - DENY is used.
4 In the Edit Source Address section select Any Address in the drop-down box in the Address Type field to define the source address of traffic from the Internet as any IP address.
5 In the Edit Destination Address section select Single Address in the drop-down box in the Address Type field. Type the destination address of traffic in the Start IP Address field. In this case the WAN1 IP address is used - 123.23.23.23. If you are using a public static IP address for your web server, type the server's IP address in this field.
6 Click Add so that the IP address appears in the Destination Address(es) field.
7 In the Edit Service section of the Firewall - Edit screen select Any so that they appear in the Selected Service(s) field.
8 In the Action for Matched Packets field select Drop from the drop-down box.
9 In the Edit Service section select FTP and click the arrow icon. Then select HTTP and click the arrow icon again so that FTP and HTTP appear in the Selected Service(s) field.
10 Click Apply.
Figure 26   DMZ Tutorial: NETWORK > Firewall > Rule Summary: Firewall - Edit

11 Repeat the firewall rule setup procedure to set up a rule for WAN1 to DMZ traffic with the same source and destination addresses. In the Edit Service section of the Firewall - Edit screen select HTTP and FTP so that they appear in the Selected Service(s) field.
12 In the Action for Matched Packets field select Permit from the drop-down list and click Apply.
13 In the Rule Summary screen select Any and Any from the drop-down list in the Packet Direction fields and click Refresh to check your firewall rule settings.
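The two-rule WAN1-to-DMZ policy from this section, modelled as an added example (not ZyXEL code) to show what the final check in the Rule Summary screen should confirm. It assumes the firewall checks rules top-down and stops at the first match, assumes the standard ports for HTTP (80) and FTP (21), gives the permit rule a hypothetical name, and uses constructed client packets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"                      # "Any Address" in the Firewall - Edit screen
HTTP, FTP = ("tcp", 80), ("tcp", 21)   # standard ports, assumed (not from the page)
FILE_SERVER = "123.23.23.23/32"        # destination address used in step 5


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # source network in CIDR form
    dst: str                 # destination network in CIDR form
    services: frozenset      # {(proto, port)}; an empty set means "Any" service
    action: str              # "permit" or "drop"

    def matches(self, src, dst, proto, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.services or (proto, port) in self.services))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (not self.services
                     or (bool(other.services) and other.services <= self.services)))


DENY = Rule("WAN12DMZ - DENY", ANY, FILE_SERVER, frozenset(), "drop")
# The page does not name the second rule; this name is hypothetical.
PERMIT = Rule("WAN12DMZ - PERMIT", ANY, FILE_SERVER, frozenset({HTTP, FTP}), "permit")


def evaluate(rules, packet, default="permit"):
    """First-match evaluation (assumed). The default mirrors the page's statement
    that WAN-to-DMZ traffic is allowed unless a rule says otherwise."""
    for rule in rules:
        if rule.matches(*packet):
            return rule.action, rule.name
    return default, "default"


def shadowed(rules):
    """Return (later, earlier) name pairs where the later rule can never fire."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i]
            if earlier.covers(later)]


# Constructed WAN-side packets: (source, destination, protocol, destination port).
PACKETS = {
    "http":   ("198.51.100.7", "123.23.23.23", "tcp", 80),
    "ftp":    ("198.51.100.7", "123.23.23.23", "tcp", 21),
    "telnet": ("198.51.100.7", "123.23.23.23", "tcp", 23),
    "dns":    ("198.51.100.7", "123.23.23.23", "udp", 53),
}


def verdicts(rules):
    """Map each sample packet to the action the rule list applies to it."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, order in (("permit first", [PERMIT, DENY]),
                         ("deny first", [DENY, PERMIT])):
        print(label, verdicts(order), "shadowed:", shadowed(order))
```

Under the first-match assumption, the policy only does what the section describes when the permit rule sits above the drop rule; with the drop rule first, the permit rule is shadowed and HTTP and FTP are blocked as well.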
Figure 27   DMZ Tutorial: SECURITY > Firewall > Rule Summary Example

This completes setup of the firewall rules for the file server on your DMZ.

4.4  Setting Up a VoIP Phone with H.323
You can use the ZyXEL Device to manage calls from your VoIP enabled phone using H.323. The following diagram shows an example of a VoIP phone configured to make calls over the Internet.

Figure 28   Tutorial: H.323 Phone Setup (diagram labels: Internet, LAN: 192.168.1.33, WAN: 123.23.23.23)

To configure your ZyXEL Device to allow VoIP phone calls using your H.323 phone, you need to set up the H.323 ALG (Application Layer Gateway) and port forwarding, which in turn requires a fixed IP address for your phone.

IP Address Settings
Follow these steps to give your phone a fixed IP address.
1 Click NETWORK > LAN > Static DHCP to open the Static DHCP screen.
2 Type the MAC address of your device in the MAC Address field and a valid IP address on your LAN in the IP Address field. In this example the MAC address is 00:A0:C5:00:00:02 and the IP address is 192.168.1.33.
3 Click Apply.
Figure 29   H.323 Tutorial: NETWORK > LAN > Static DHCP

4 Click NETWORK > LAN to display the LAN screen. Ensure that Server is selected in the drop-down box in the DHCP field.

Set up ALG
Follow these steps to set up ALG (Application Layer Gateway) to let your ZyXEL Device manage H.323 traffic. (For more information on ALG see Chapter 18 on page 293.)
1 Click ADVANCED > ALG to display the ALG screen. Select Enable H.323 ALG and click Apply. This configures ALG (Application Layer Gateway) to manage H.323 traffic through your ZyXEL Device.
2 Click Apply.

Figure 30   H.323 Tutorial: ADVANCED > ALG

Set up Port Forwarding
1 Click ADVANCED > NAT > Port Forwarding to display the Port Forwarding screen.
2 Select the correct WAN for your network in the WAN Interface field.
3 Select Active in the rule row you are configuring.
4 Type a descriptive name for the port forwarding rule in the Name field. In this example H.323 is used.
5 Type 1720 in the Incoming Port(s) field. This port number is used for the H.323 services.
6 Type the IP address of your VoIP phone in the Server IP Address field. In this example 192.168.1.33 is used.
7 Click Apply.

Figure 31   H.323 Tutorial: ADVANCED > NAT > Port Forwarding

Set up a Firewall Rule
1 Click SECURITY > Firewall > Rule Summary to display the Rule Summary screen and to configure firewall rules on traffic between the VoIP phone and the WAN. In this example, traffic between the file server and WAN1 is restricted to H.323 traffic.
2 The Rule Summary screen appears. Select DMZ and WAN1 from the drop-down list in the Packet Direction field and click Refresh. Click the Modify icon to add a new rule.

Figure 32   H.323 Tutorial: SECURITY > Firewall > Rule Summary

3 The Firewall - Edit screen appears. Type the name of the firewall rule in the Rule Name field. In this example LAN2WAN1 - H.323 is used.
4 In the Edit Source Address section select Single Address in the drop-down box in the Address Type field. Type the source address of H.323 traffic in the Start IP Address field - 123.23.23.23 and click Add so that the IP address appears in the Destination Address(es) field. If you are using a H.323 server, use its IP address instead.
5 In the Edit Destination Address section select Single Address in the drop-down box in the Address Type field. Type the destination address of H.323 traffic in the Start IP Address field - 192.168.1.33 and click Add so that the IP address appears in the Source Address(es) field.
6 In the Edit Service section select H.323 and click the arrow icon so that H.323 appears in the Selected Service(s) field.
7 Click Apply.
Figure 33   H.323 Tutorial: SECURITY > Firewall > Rule Summary

8 Repeat the firewall rule setup procedure to add a similar firewall rule for H.323 traffic from the WAN to the LAN, using the same WAN IP address and LAN IP address settings.
9 In the Rule Summary screen select Any and Any from the drop-down list in the Packet Direction fields and click Refresh to check your firewall rule settings.
Figure 34   H.323 Tutorial: SECURITY > Firewall > Rule Summary

That completes setup of your H.323 VoIP phone.

4.5  Using NAT with Multiple Public IP Addresses

This section shows you examples of how to set up your ZyXEL Device if you have more than one fixed (static) IP address from your ISP.

4.5.1  Example Parameters and Scenario

The following table shows the public IP addresses from your ISP and your ZyXEL Device's LAN IP address.

Public IP Addresses              1.2.3.4 to 1.2.3.7
ZyXEL Device's LAN IP Address    192.168.1.1

The following figure shows the network you want to set up in this example.

- Assign the first public address (1.2.3.4) to the ZyXEL Device's WAN 1 port.
- Map the second and third public IP addresses (1.2.3.5 and 1.2.3.6) to the web and mail servers (192.168.1.12 and 192.168.1.13) respectively for traffic in both directions.
- Map the first public address (1.2.3.4) to outgoing traffic from other local computers.
- Map the first public address (1.2.3.4) to incoming traffic from WAN 1.
- Forward FTP traffic using port 21 from WAN 1 to a specific local computer (192.168.1.39).
- The last public IP address (1.2.3.7) is not mapped to any device and is reserved for future use.
Figure 35   Tutorial Example: Using NAT with Static Public IP Addresses

Mapping rules:
192.168.1.12 <---> 1.2.3.5 (1-1)
192.168.1.13 <---> 1.2.3.6 (1-1)
Other outgoing LAN traffic ---> 1.2.3.4 (M-1)
Incoming traffic <--- 1.2.3.4 (Server)

To set up this network, we are going to:

1 Configure the WAN 1 connection to use the first public IP address (1.2.3.4).
2 Configure NAT address mapping for other public IP addresses (1.2.3.5 and 1.2.3.6).
3 Configure NAT port forwarding to forward FTP traffic from WAN 1 to a specific computer on your local network.

4.5.2  Configuring the WAN Connection with a Static IP Address

The following table shows the information your ISP gave you for Internet connection.

Encapsulation          PPPoE
Public IP Addresses    1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7
Gateway IP Address     1.2.3.89
Subnet Mask            255.255.255.0
User Name              exampleuser
Password               abcd1234
DNS Server             1.2.1.1, 1.2.1.2

Follow the steps below to configure your ZyXEL Device for Internet access using PPPoE in this example.
Figure 36   Tutorial Example: WAN Connection with a Static Public IP Address (LAN 192.168.1.1, WAN 1.2.3.4)

1 Click NETWORK > WAN > WAN 1.
2 Select PPPoE (PPP over Ethernet) from the Encapsulation drop-down list box.
3 In the ISP Parameters for Internet Access section, enter the information (such as the user name and password) provided by your ISP. If your ISP didn't give you the service name, leave the field blank.
4 In the WAN IP Address Assignment section, select Use Fixed IP Address and enter the first fixed public IP address (1.2.3.4 in this example).
5 Click Apply.

Figure 37   Tutorial Example: WAN 1 Screen

6 Click ADVANCED > DNS.
7 The System screen displays. Click the Insert button to configure the IP address of the DNS server the ZyXEL Device can query to resolve domain names.

Figure 38   Tutorial Example: DNS > System

8 Select Public DNS Server and enter the first DNS server's IP address given by your ISP. Click Apply.

Figure 39   Tutorial Example: DNS > System Edit-1

9 Enter the rule number (2) where you want to put the second record and click the Insert button to configure the second DNS server's IP address as follows. Click Apply.

To resolve a domain name, the ZyXEL Device checks it against the name server record entries in the order that they appear in this list.
Figure 40   Tutorial Example: DNS > System Edit-2

10 The DNS > System screen should look as shown.

Figure 41   Tutorial Example: DNS > System: Done

11 Go to the Home screen to check your WAN connection status. Make sure the status is not down.
Figure 42   Tutorial Example: Status

4.5.3  Public IP Address Mapping

To have the local computers and servers use specific WAN IP addresses, you need to map static public IP addresses to them.

The one-to-one NAT address mapping rules are for both incoming and outgoing connections. The ZyXEL Device forwards traffic that is initiated from either the LAN or the WAN to the destination IP address.

The many-to-one or many-to-many NAT address mapping rules are for outgoing connections only. That means only traffic initiated from the LAN or returned packets are allowed to go through the ZyXEL Device.

In this example, you create two one-to-one rules to map the internal web server (192.168.1.12) and mail server (192.168.1.13) to different static public IP addresses. The many-to-one rule maps a public IP address (1.2.3.4, that is, the ZyXEL Device's WAN 1 IP address) to outgoing LAN traffic. It allows other local computers on the same subnet as the ZyXEL Device's LAN IP address to use this IP address to access the Internet.
Figure 43   Tutorial Example: Mapping Multiple Public IP Addresses to Inside Servers

Mapping rules:
192.168.1.12 <---> 1.2.3.5 (1-1)
192.168.1.13 <---> 1.2.3.6 (1-1)
Other outgoing LAN traffic ---> 1.2.3.4 (M-1)

The ZyXEL Device applies the rules in the order that you specify. You should put any one-to-one rules before a many-to-one rule.

1 Click ADVANCED > NAT.
2 Enable NAT and select Full Feature for the WAN 1 interface as you have multiple public IP addresses to map to private IP addresses. Click Apply.
Figure 44   Tutorial Example: NAT > NAT Overview

3 Click the Address Mapping tab.
4 Select WAN 1.
5 Click the first rule's Edit icon in the Modify column to display the Address Mapping Rule screen.
Figure 45   Tutorial Example: NAT > Address Mapping

6 Map a public IP address to the web server. Select the One-to-One type and enter 192.168.1.12 as the local start IP address and 1.2.3.5 as the global start IP address. Click Apply.

Figure 46   Tutorial Example: NAT Address Mapping Edit: One-to-One (1)

7 Click the second rule's Edit icon.
8 Map a public IP address to the mail server. Select the One-to-One type and enter 192.168.1.13 as the local start IP address and 1.2.3.6 as the global start IP address. Click Apply.
Figure 47   Tutorial Example: NAT Address Mapping Edit: One-to-One (2)

9 Click the third rule's Edit icon.
10 Map a public IP address to other outgoing LAN traffic. Select the Many-to-One type and enter 192.168.1.1 as the local start IP address, 192.168.1.254 as the local end IP address and 1.2.3.4 as the global start IP address. Click Apply.

Figure 48   Tutorial Example: NAT Address Mapping Edit: Many-to-One

11 After the configurations, the Address Mapping screen looks as shown. You still have one IP address (1.2.3.7) that can be assigned to another internal server when you expand your network.
Figure 49   Tutorial Example: NAT Address Mapping Done

To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule. Refer to Section 4.5.5 on page 89 for more information.

4.5.4  Forwarding Traffic from the WAN to a Local Computer

A server NAT address mapping rule allows computers behind the NAT to be accessible to the outside world. To have the ZyXEL Device forward incoming traffic to a specific computer on your local network, you should also create a port forwarding (server mapping) rule.

In this example, you want to forward FTP traffic using port 21 to the computer with the IP address of 192.168.1.39.
Figure 50   Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer

Mapping rules:
Incoming traffic <--- 1.2.3.4 (Server)

1 Click ADVANCED > NAT > Address Mapping.
2 Click the fourth rule's Edit icon to configure a server rule.

Figure 51   Tutorial Example: NAT Address Mapping Edit: Server

3 Click the Port Forwarding tab.
4 Select WAN 1.
5 Select the Active check box, enter a descriptive name (FTP for example), incoming port number (21) and 192.168.1.39 as the server IP address. Click Apply.
Figure 52   Tutorial Example: NAT Port Forwarding

4.5.5  Allow WAN-to-LAN Traffic through the Firewall

By default, the ZyXEL Device blocks any traffic initiated from the WAN to the LAN. To have the ZyXEL Device forward traffic initiated from WAN 1 to a local computer or server on the LAN, you need to configure a firewall rule to allow it.

In this example, you create the firewall rules to allow traffic from the WAN to the following servers on the LAN:

- Web server
- Mail server
- FTP server

Figure 53   Tutorial Example: Forwarding Incoming FTP Traffic to a Local Computer
1 Click SECURITY > FIREWALL.
2 Make sure the firewall is enabled and traffic from WAN 1 to the LAN is dropped.

Figure 54   Tutorial Example: Firewall Default Rule

3 Go to the Rule Summary screen.
4 Select WAN1 to LAN as the packet direction and click Refresh.
5 Click the insert icon to create a new firewall rule.

Figure 55   Tutorial Example: Firewall Rule: WAN1 to LAN
6 Configure a firewall rule to allow HTTP traffic from the WAN to the web server. Enter a descriptive name (W-L_Web for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.12 and click Add.

Figure 56   Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server

7 Select HTTP(TCP:80) and HTTPS(TCP:443) in the Available Services box on the left, and click >> to add them to the Selected Service(s) box on the right. Click Apply.
Figure 57   Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Web Server

8 Click the insert icon to configure a firewall rule to allow traffic from the WAN to the mail server. Enter a descriptive name (W-L_Mail for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.13 and click Add.
Figure 58   Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Mail Server

9 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply.

Figure 59   Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Mail Server
10 Click the insert icon to configure a firewall rule to allow FTP traffic from the WAN to the FTP server. Enter a descriptive name (W-L_FTP for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.39 and click Add.

Figure 60   Tutorial Example: Firewall Rule: WAN to LAN Address Edit for FTP Server

11 Select FTP(TCP:20,21) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply.
Figure 61   Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server

12 When you are done, the Rule Summary screen looks as shown.

Figure 62   Tutorial Example: Firewall Rule Summary
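The following is an added example, not part of the ZyXEL manual or firmware: a small Python model of the inbound path configured in sections 4.5.3 to 4.5.5 (NAT mapping first, then the WAN1-to-LAN firewall rules, then the default drop). It reports which ports each public address actually exposes; the evaluation order, the function names and the probe port list are assumptions made for illustration.

```python
# Added example: simplified model of the tutorial's inbound path (NAT, then firewall).
# It is not ZyXEL firmware logic; the evaluation order is an assumption.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# NAT rules from sections 4.5.3 and 4.5.4 (WAN 1)
ONE_TO_ONE = {
    "1.2.3.5": "192.168.1.12",  # web server, one-to-one
    "1.2.3.6": "192.168.1.13",  # mail server, one-to-one
}
# Server rule on 1.2.3.4 plus the FTP port forwarding entry
PORT_FORWARD = {("1.2.3.4", 21): "192.168.1.39"}


@dataclass(frozen=True)
class AllowRule:
    name: str
    dest: str
    ports: Optional[FrozenSet[int]]  # None models the Any(All) service


# WAN1-to-LAN firewall rules from section 4.5.5
FIREWALL = [
    AllowRule("W-L_Web", "192.168.1.12", frozenset({80, 443})),
    AllowRule("W-L_Mail", "192.168.1.13", None),
    AllowRule("W-L_FTP", "192.168.1.39", frozenset({20, 21})),
]


def translate_inbound(public_ip: str, port: int) -> Optional[str]:
    """LAN host that a WAN-initiated packet is translated to, or None.

    The many-to-one rule is for outgoing connections only, so it never
    matches here; 1.2.3.7 has no mapping at all.
    """
    if public_ip in ONE_TO_ONE:
        return ONE_TO_ONE[public_ip]
    return PORT_FORWARD.get((public_ip, port))


def inbound_verdict(public_ip: str, port: int) -> Tuple[str, Optional[str], str]:
    """Return (action, LAN host, reason) for a WAN-initiated TCP connection."""
    host = translate_inbound(public_ip, port)
    if host is None:
        return ("drop", None, "no NAT mapping")
    for rule in FIREWALL:
        if rule.dest == host and (rule.ports is None or port in rule.ports):
            return ("allow", host, rule.name)
    return ("drop", host, "default WAN-to-LAN drop")


def reachable_ports(public_ip: str, candidates: List[int]) -> List[int]:
    """Subset of candidate ports that reach a LAN host through public_ip."""
    return [p for p in candidates if inbound_verdict(public_ip, p)[0] == "allow"]


def unrestricted_rules() -> List[str]:
    """Names of firewall rules that allow every service to their destination."""
    return [r.name for r in FIREWALL if r.ports is None]


if __name__ == "__main__":
    probe = [21, 22, 25, 80, 110, 443, 3306]  # constructed sample of TCP ports
    for ip in ("1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.7"):
        print(ip, "->", reachable_ports(ip, probe))
    print("rules with Any(All):", unrestricted_rules())
```

Because the mail server has a one-to-one mapping and its firewall rule uses Any(All), every port on 192.168.1.13 is reachable through 1.2.3.6; selecting only the mail services the server offers would narrow that to the same shape as the web and FTP rules.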
4.5.6  Testing the Connections

1 Open the web browser on one of the local computers and enter any web site's URL in the address bar. If you can access the web site, your WAN 1 connection and NAT address mapping are configured successfully. If you cannot access it, make sure you entered the correct information in the WAN and NAT Address Mapping screens. Also check that the Internet account is active and the computer's IP address is in the same subnet as the ZyXEL Device.
2 Open your web browser and try accessing the web server (1.2.3.5) from the outside network. If you cannot access the web server, make sure the NAT address mapping rule is configured correctly and there is a firewall rule to allow HTTP traffic from the WAN to the web server.
3 Try accessing the FTP server (1.2.3.4) from the outside network to send or retrieve a file. If you cannot access the FTP server, make sure the NAT port forwarding rule is active and there is a firewall rule to allow FTP traffic from the WAN to the FTP server.

4.6  Using NAT with Multiple Game Players

If two users (behind the ZyXEL Device) want to connect to the same server to play online games at the same time, but the server does not allow more than one login from the same IP address, you can configure a many-to-many rule instead of a many-to-one rule.

In this example, you have four static IP addresses (1.2.3.4 to 1.2.3.7) from your ISP. After you set up your WAN connection (see Section 4.5.2 on page 78), use the NAT > Address Mapping screen to map the third and fourth public IP addresses to the mail server (192.168.1.12) and web server (192.168.1.13) respectively. The first and second public IP addresses are mapped to other outgoing LAN traffic. See Section 4.5.3 on page 82 for more information about IP address mapping.

When you finish configuration, the screen looks as shown.
Figure 63   Tutorial Example: NAT Address Mapping Done: Game Playing

To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule. Refer to Section 4.5.5 on page 89 for more information.
PART II
Network

LAN Screens
WAN Screens
DMZ Screens
CHAPTER 5  LAN Screens

This chapter describes how to configure LAN settings.

5.1  LAN, WAN and the ZyXEL Device

A network is a shared communication system to which many computers are attached.

The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyXEL Device's LAN ports.

The Wide Area Network (WAN) is another network (most likely the Internet) that you connect to the ZyXEL Device's WAN port. See Chapter 6 on page 111 for how to use the WAN screens to set up your WAN connection.

The LAN and the WAN are two separate networks. The ZyXEL Device controls the traffic that goes between them. The following graphic gives an example.

Figure 64   LAN and WAN

5.2  IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the ZyXEL Device. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. If you select 192.168.1.0 as the network number, it covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyXEL Device, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise.

5.2.1  Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:

- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

5.3  DHCP

The ZyXEL Device can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyXEL Device relay DHCP information from another DHCP server. If you disable the ZyXEL Device's DHCP service, you must have another DHCP server on your LAN, or else the computers must be manually configured.
5.3.1  IP Pool Setup

The ZyXEL Device is pre-configured with a pool of IP addresses for the computers on your LAN. See Chapter 22 on page 345 for the default IP pool range. Do not assign your LAN computers static IP addresses that are in the DHCP pool.

5.4  RIP Setup

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.

RIP Version controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.

Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.

By default, RIP Direction is set to Both and RIP Version to RIP-1.

5.5  Multicast

Traditionally, IP packets are transmitted in one of two ways: Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network, not everybody and not just 1.

IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data.
IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyXEL Device queries all directly connected networks to gather group membership. After that, the ZyXEL Device periodically updates this information. IP multicasting can be enabled/disabled on the ZyXEL Device LAN and/or WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces.

5.6  WINS

WINS (Windows Internet Naming Service) is a Windows implementation of NetBIOS Name Server (NBNS). It keeps track of NetBIOS computer names. It stores a mapping table of your network's computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce broadcast traffic since computers can query the server instead of broadcasting a request for a computer name's IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.

5.7  LAN

Click NETWORK > LAN to open the LAN screen. Use this screen to configure the ZyXEL Device's IP address and other LAN TCP/IP settings as well as the built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

Figure 65   NETWORK > LAN
The following table describes the labels in this screen.

Table 12   NETWORK > LAN

LABEL: DESCRIPTION

LAN TCP/IP

IP Address: Type the IP address of your ZyXEL Device in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.

IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.

RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.

RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.

Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.

DHCP Setup

DHCP: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyXEL Device provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyXEL Device forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyXEL Device from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.

IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.

Pool Size: This field specifies the size, or count, of the IP address pool.

DHCP Server Address: Type the IP address of the DHCP server to which you want the ZyXEL Device to relay DHCP requests. Use dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.

DHCP WINS Server 1, 2: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.

Windows Networking (NetBIOS over TCP/IP)

NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.

Allow between LAN and WAN1: Select this check box to forward NetBIOS packets from the LAN to WAN 1 and from WAN 1 to the LAN. If your firewall is enabled with the default policy set to block WAN 1 to LAN traffic, you also need to enable the default WAN 1 to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to WAN 1 and from WAN 1 to the LAN.

Allow between LAN and WAN2: Select this check box to forward NetBIOS packets from the LAN to WAN 2 and from WAN 2 to the LAN. If your firewall is enabled with the default policy set to block WAN 2 to LAN traffic, you also need to enable the default WAN 2 to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to WAN 2 and from WAN 2 to the LAN.

Allow between LAN and DMZ: Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN. If your firewall is enabled with the default policy set to block DMZ to LAN traffic, you also need to enable the default DMZ to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the DMZ and from the DMZ to the LAN.

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.

5.8  LAN Static DHCP

This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses.

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

To change your ZyXEL Device's static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown.

Figure 66   NETWORK > LAN > Static DHCP

The following table describes the labels in this screen.

Table 13   NETWORK > LAN > Static DHCP

LABEL: DESCRIPTION

#: This is the index number of the Static IP table entry (row).

MAC Address: Type the MAC address of a computer on your LAN.

IP Address: Type the IP address that you want to assign to the computer on your LAN. Alternatively, click the right mouse button to copy and/or paste the IP address.

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.

5.9  LAN IP Alias

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.

The ZyXEL Device has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
Chapter 5LAN ScreensNBG410W3G Series User s Guide108The ZyXEL Device supports three logical LAN interfaces via its single physical LAN Ethernet interface. The ZyXEL Device itself is the gateway for each of the logical LAN networks.When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets).Make sure that the subnets of the logical networks do not overlap.The following figure shows a LAN divided into subnets A, B, and C.Figure 67   Physical Network & Partitioned Logical NetworksTo change your ZyXEL Device!s IP alias settings, click NETWORK > LAN > IP Alias. The screen appears as shown.Figure 68   NETWORK > LAN > IP AliasEthernetInterfaceA: 192.168.1.1 - 192.168.1.24B: 192.168.2.1 - 192.168.2.24C: 192.168.3.1 - 192.168.3.24
The following table describes the labels in this screen.

Table 14   NETWORK > LAN > IP Alias
LABEL: DESCRIPTION
Enable IP Alias 1, 2: Select the check box to configure another LAN network for the ZyXEL Device.
IP Address: Enter the IP address of your ZyXEL Device in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must also use multicasting. By default, RIP direction is set to Both and the Version set to RIP-1.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

5.10  LAN Port Roles

Use the Port Roles screen to set ports as part of the LAN or DMZ interface. Ports 1~4 on the ZyXEL Device can be part of the LAN or DMZ interface.

Do the following if you are configuring from a computer connected to a LAN or DMZ port and changing the port's role:
1. A port's IP address varies as its role changes; make sure your computer's IP address is in the same subnet as the ZyXEL Device's LAN or DMZ IP address.
2. Use the appropriate LAN or DMZ IP address to access the ZyXEL Device.

To change your ZyXEL Device's port role settings, click NETWORK > LAN > Port Roles. The screen appears as shown.

The radio buttons correspond to Ethernet ports on the front panel of the ZyXEL Device. On the ZyXEL Device, ports 1 to 4 are all LAN ports by default.
Your changes are also reflected in the DMZ Port Roles screen.

Figure 69   NETWORK > LAN > Port Roles

The following table describes the labels in this screen.

Table 15   NETWORK > LAN > Port Roles
LABEL: DESCRIPTION
LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the ZyXEL Device's LAN IP address and MAC address.
DMZ: Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the ZyXEL Device's DMZ IP address and MAC address.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

After you change the LAN or DMZ port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.

Figure 70   Port Roles Change Complete
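The IP alias rule in this chapter (the subnets of the logical networks must not overlap) can be checked before the addresses are typed into the IP Alias screen. The following is an added example, not ZyXEL code; the interface labels and addresses are constructed, and the classful default mask is an assumption about what the "automatically calculated" subnet mask is.

```python
import ipaddress
from itertools import combinations


def classful_mask(ip):
    """Default mask derived from the address alone: class A /8, B /16, C /24.
    Assumption: this is what the automatically calculated mask amounts to."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{ip} is not a class A, B or C unicast address")


def logical_network(ip, mask=None):
    """Network an interface address belongs to (mask=None means classful)."""
    return ipaddress.IPv4Interface(f"{ip}/{mask or classful_mask(ip)}").network


def find_overlaps(interfaces):
    """interfaces maps a label to (ip, mask-or-None).
    Returns every pair of labels whose subnets share at least one address."""
    nets = {name: logical_network(ip, mask)
            for name, (ip, mask) in interfaces.items()}
    return [(a, b, str(nets[a]), str(nets[b]))
            for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]


# Constructed sample configurations (illustrative addresses only).
SEPARATE_CLASS_C = {
    "LAN": ("192.168.1.1", None),
    "IP Alias 1": ("192.168.2.1", None),
    "IP Alias 2": ("192.168.3.1", None),
}
# Two 10.x addresses with the default mask both land in 10.0.0.0/8.
TEN_NET_DEFAULT_MASK = {
    "LAN": ("10.0.1.1", None),
    "IP Alias 1": ("10.0.2.1", None),
}
# The same addresses with an explicit /24 mask (subnetting) are distinct.
TEN_NET_SUBNETTED = {
    "LAN": ("10.0.1.1", "255.255.255.0"),
    "IP Alias 1": ("10.0.2.1", "255.255.255.0"),
}
# A /23 LAN silently contains the alias network 192.168.1.0/24.
WIDE_LAN = {
    "LAN": ("192.168.0.1", "255.255.254.0"),
    "IP Alias 1": ("192.168.1.1", "255.255.255.0"),
}

if __name__ == "__main__":
    for label, cfg in [("separate class C", SEPARATE_CLASS_C),
                       ("10.x default mask", TEN_NET_DEFAULT_MASK),
                       ("10.x subnetted", TEN_NET_SUBNETTED),
                       ("wide LAN", WIDE_LAN)]:
        print(label, "->", find_overlaps(cfg) or "no overlap")
```

Overlapping logical networks also make firewall rules between the subnets ambiguous, so run the check again whenever a mask is changed.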
CHAPTER 6   WAN Screens

This chapter describes how to configure WAN settings. WAN 2 refers to the 3G card on the supported ZyXEL Device.

6.1  WAN Overview

Use the WAN General screen to configure operation mode, route priority and connection test for the ZyXEL Device.
Use the WAN 1 screen to configure the WAN1 interface for Internet access on the ZyXEL Device.
Use the 3G (WAN 2) screen to configure the WAN2 interface for Internet access on the ZyXEL Device.
Use the Traffic Redirect screen to configure an alternative gateway.

6.2  Multiple WAN

You can use a second connection as a backup to enhance network reliability. The ZyXEL Device has two WAN ports. You can optionally activate the internal 3G card to use the second 3G WAN interface. You can connect one interface to one ISP (or network) and connect the other to a second ISP (or network).

The ZyXEL Device's NAT feature allows you to configure sets of rules for one WAN interface and separate sets of rules for the other WAN interface. Refer to Chapter 12 on page 225 for details.

You can select through which WAN interface you want to send out traffic from UPnP-enabled applications (see Chapter 16 on page 281).

The ZyXEL Device's DDNS lets you select which WAN interface you want to use for each individual domain name. The DDNS high availability feature lets you have the ZyXEL Device use the other WAN interface for a domain name if the configured WAN interface's connection goes down. See Section 14.10.2 on page 256 for details.
6.3  TCP/IP Priority (Metric)

The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost".

1. The metric sets the priority for the ZyXEL Device's routes to the Internet. Each route must have a unique metric.
2. The priorities of the WAN interface routes must always be higher than the traffic redirect route priorities.

Let's say that you have the WAN operation mode set to active/passive, meaning the ZyXEL Device uses the second highest priority WAN interface as a backup. The WAN 1 route has a metric of "2", the WAN 2 route has a metric of "3", and the traffic-redirect route has a metric of "14". In this case, the WAN 1 route acts as the primary default route. If the WAN 1 route fails to connect to the Internet, the ZyXEL Device tries the WAN 2 route next. If the WAN 2 route fails, the ZyXEL Device tries the traffic-redirect route. The traffic redirect route cannot take priority over the WAN 1 and WAN 2 routes.

6.4  WAN General

Click NETWORK > WAN to open the General screen. Use this screen to configure operation mode, route priority and connection test. WAN 2 refers to the 3G card on the supported ZyXEL Device.
Figure 71   NETWORK > WAN General
The following table describes the labels in this screen.

Table 16   NETWORK > WAN General
LABEL: DESCRIPTION
Active/Passive (Fail Over) Mode: The ZyXEL Device uses the second highest priority WAN interface as a backup. This means that the ZyXEL Device will normally use the highest priority (primary) WAN interface (depending on the priorities you configure in the Route Priority fields). The ZyXEL Device will switch to the secondary (second highest priority) WAN interface when the primary WAN interface's connection fails.
Fall Back to Primary WAN When Possible: This field determines the action the ZyXEL Device takes after the primary WAN interface fails and the ZyXEL Device starts using the secondary WAN interface. Select this check box to have the ZyXEL Device change back to using the primary WAN interface when the ZyXEL Device can connect through the primary WAN interface again. Clear this check box to have the ZyXEL Device continue using the secondary WAN interface, even after the ZyXEL Device can connect through the primary WAN interface again. The ZyXEL Device continues to use the secondary WAN interface until its connection fails (at which time it will change back to using the primary WAN interface if its connection is up).
Route Priority
WAN1, WAN2, Traffic Redirect: The default WAN connection is "1" as your broadband connection via the WAN interface should always be your preferred method of accessing the WAN. The ZyXEL Device switches from WAN interface 1 to WAN interface 2 if WAN interface 1's connection fails and then back to WAN interface 1 when WAN interface 1's connection comes back up. The default priority of the routes is WAN 1, WAN 2 and then Traffic Redirect: You have two choices for an auxiliary connection (WAN 2 and Traffic Redirect) in the event that your regular WAN connection goes down.
Connectivity Check
Check Period: The ZyXEL Device tests a WAN connection by periodically sending a ping to either the default gateway or the address in the Ping this Address field. Type a number of seconds (5 to 300) to set the time interval between checks. Allow more time if your destination IP address handles lots of traffic.
Check Timeout: Type the number of seconds (1 to 10) for your ZyXEL Device to wait for a response to the ping before considering the check to have failed. This setting must be less than the Check Period. Use a higher value in this field if your network is busy or congested.
Check Fail Tolerance: Type how many WAN connection checks can fail (1-10) before the connection is considered "down" (not connected). The ZyXEL Device still checks a "down" connection to detect if it reconnects.
Check WAN1/2 Connectivity: Select the check box to have the ZyXEL Device periodically test the respective WAN interface's connection. Select Ping Default Gateway to have the ZyXEL Device ping the WAN interface's default gateway IP address. Select Ping this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyXEL Device ping that address. For a domain name, use up to 63 alphanumeric characters (hyphens, periods and the underscore are also allowed) without spaces.
Table 16   NETWORK > WAN General (continued)
LABEL: DESCRIPTION
Check Traffic Redirection Connectivity: Select the check box to have the ZyXEL Device periodically test the traffic redirect connection. Select Ping Default Gateway to have the ZyXEL Device ping the backup gateway's IP address. Select Ping this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyXEL Device ping that address. For a domain name, use up to 63 alphanumeric characters (hyphens, periods and the underscore are also allowed) without spaces.
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
Allow between WAN1 and LAN: Select this check box to forward NetBIOS packets from WAN 1 to the LAN port and from the LAN port to WAN1. If your firewall is enabled with the default policy set to block WAN 1 to LAN traffic, you also need to enable the default WAN1 to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from WAN 1 to the LAN port and from LAN port to WAN1.
Allow between WAN1 and DMZ: Select this check box to forward NetBIOS packets from WAN 1 to the DMZ port and from the DMZ port to WAN1. Clear this check box to block all NetBIOS packets going from WAN 1 to the DMZ port and from DMZ port to WAN1.
Allow between WAN2 and LAN: Select this check box to forward NetBIOS packets from WAN 2 to the LAN port and from the LAN port to WAN2. If your firewall is enabled with the default policy set to block WAN 2 to LAN traffic, you also need to enable the default WAN2 to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from WAN 2 to the LAN port and from LAN port to WAN2.
Allow between WAN2 and DMZ: Select this check box to forward NetBIOS packets from WAN 2 to the DMZ port and from the DMZ port to WAN2. Clear this check box to block all NetBIOS packets going from WAN 2 to the DMZ port and from DMZ port to WAN2.
Allow Trigger Dial: Select this option to allow NetBIOS packets to initiate calls.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

6.5  WAN IP Address Assignment

Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.

Table 17   Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

6.6  DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

The ZyXEL Device can get the DNS server addresses in the following ways.
1. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
2. If your ISP dynamically assigns the DNS server IP addresses (along with the ZyXEL Device's WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
3. You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section 14.5.1 on page 248).

6.7  WAN MAC Address

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a different "rom" file.
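Section 6.3 and the Route Priority, Connectivity Check and Fall Back to Primary WAN fields of Table 16 together describe a small state machine, and the model below makes that behavior testable before it is relied on. It is an added example, not ZyXEL firmware code; it assumes a route is marked "down" once consecutive failed checks reach the Check Fail Tolerance and is "up" again after one successful check, and the timeline of failed checks is constructed.

```python
from dataclasses import dataclass

TRAFFIC_REDIRECT = "Traffic Redirect"
# Metrics from the Section 6.3 example.
PAGE_METRICS = {"WAN 1": 2, "WAN 2": 3, TRAFFIC_REDIRECT: 14}


def config_errors(metrics, period, timeout, tolerance):
    """Return the rule violations in a route-priority / connectivity-check setup."""
    errors = []
    if len(set(metrics.values())) != len(metrics):
        errors.append("each route must have a unique metric")
    if any(not 1 <= m <= 15 for m in metrics.values()):
        errors.append("metrics must be between 1 and 15")
    wan = [m for name, m in metrics.items() if name != TRAFFIC_REDIRECT]
    if TRAFFIC_REDIRECT in metrics and wan and max(wan) >= metrics[TRAFFIC_REDIRECT]:
        errors.append("WAN routes must outrank the traffic redirect route")
    if not 5 <= period <= 300:
        errors.append("check period must be 5 to 300 seconds")
    if not 1 <= timeout <= 10 or timeout >= period:
        errors.append("check timeout must be 1 to 10 seconds and less than the period")
    if not 1 <= tolerance <= 10:
        errors.append("check fail tolerance must be 1 to 10")
    return errors


@dataclass
class Route:
    name: str
    metric: int
    fails: int = 0      # consecutive failed checks
    up: bool = True


class FailoverModel:
    """Active/passive route selection driven by periodic connectivity checks."""

    def __init__(self, metrics, period=30, timeout=3, tolerance=3, fall_back=True):
        errors = config_errors(metrics, period, timeout, tolerance)
        if errors:
            raise ValueError("; ".join(errors))
        self.routes = sorted((Route(n, m) for n, m in metrics.items()),
                             key=lambda r: r.metric)   # lowest metric first
        self.tolerance = tolerance
        self.fall_back = fall_back
        self.active = self.routes[0]

    def check(self, failed=()):
        """Apply one check period; `failed` names the routes whose ping timed out."""
        for route in self.routes:
            if route.name in failed:
                route.fails += 1
                if route.fails >= self.tolerance:
                    route.up = False
            else:                       # a "down" route is still checked
                route.fails, route.up = 0, True
        usable = [r for r in self.routes if r.up]
        if not usable:
            return None                 # no route to the Internet this period
        # Without fall-back, stay on the current route until it goes down.
        if self.fall_back or not self.active.up:
            self.active = usable[0]
        return self.active.name


def replay(timeline, **settings):
    """Return the active route after each check period in `timeline`."""
    model = FailoverModel(PAGE_METRICS, **settings)
    return [model.check(failed) for failed in timeline]


# Constructed timeline: WAN 1 fails twice and recovers, then WAN 2 fails twice.
TIMELINE = [(), ("WAN 1",), ("WAN 1",), (), ("WAN 2",), ("WAN 2",)]

if __name__ == "__main__":
    print("fall back on :", replay(TIMELINE, tolerance=2, fall_back=True))
    print("fall back off:", replay(TIMELINE, tolerance=2, fall_back=False))
```

With a Check Period of 30 seconds and a tolerance of 2, a failed primary is only abandoned after roughly a minute, so monitoring that depends on the WAN link should allow for that window.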
6.8  WAN 1

Use this screen to change your ZyXEL Device's WAN 1 ISP, IP and MAC settings. Click NETWORK > WAN > WAN 1 to display this screen. The screen differs by the encapsulation.

The WAN 1 and WAN 2 IP addresses of a ZyXEL Device with multiple WAN interfaces must be on different subnets.

6.8.1  WAN Ethernet Encapsulation

For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyXEL Device firewall rule for those packets. Contact your ISP to find the correct port number.

The screen shown next is for Ethernet encapsulation.

Figure 72   NETWORK > WAN > WAN 1 (Ethernet Encapsulation)
The following table describes the labels in this screen.

Table 18   NETWORK > WAN > WAN 1 (Ethernet Encapsulation)
LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type: Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
Login Server (Telia Login only): Type the domain name of the Telia login server, for example login1.telia.com.
Relogin Every(min) (Telia Login only): The Telia server logs the ZyXEL Device out if the ZyXEL Device does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyXEL Device to wait between logins.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
My WAN IP Subnet Mask: Enter the IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
Gateway IP Address: Enter the gateway IP address (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT.
Table 18   NETWORK > WAN > WAN 1 (Ethernet Encapsulation) (continued)
LABEL: DESCRIPTION
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, the ZyXEL Device will incorporate RIP information that it receives. When set to None, the ZyXEL Device will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must also use multicasting. By default, the RIP Version field is set to RIP-1.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address from LAN: You can configure the WAN port's MAC address by either using the factory assigned default MAC Address or cloning the MAC address of a computer on your LAN. By default, the ZyXEL Device uses the factory assigned MAC Address to identify itself on the WAN. Otherwise, select the check box next to Spoof WAN MAC Address from LAN and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer's MAC address - IP Address: Enter the IP address of the computer on the LAN whose MAC you are cloning. If you clone the MAC address of a computer on your LAN, it is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
6.8.2  PPPoE Encapsulation

The ZyXEL Device supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE.

For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example RADIUS).

One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for individuals.

Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site.

By implementing PPPoE directly on the ZyXEL Device (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyXEL Device does that part of the task. Furthermore, with NAT, all of the LANs' computers will have access.

The screen shown next is for PPPoE encapsulation.
Figure 73   NETWORK > WAN > WAN 1 (PPPoE Encapsulation)

The following table describes the labels in this screen.

Table 19   NETWORK > WAN > WAN 1 (PPPoE Encapsulation)
LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Select PPPoE for a dial-up connection using PPPoE.
Service Name: Type the PPPoE service name provided to you by your ISP. PPPoE uses a service name to identify and reach the PPPoE server.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Table 19   NETWORK > WAN > WAN 1 (PPPoE Encapsulation) (continued)
LABEL: DESCRIPTION
Authentication Type: The ZyXEL Device supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyXEL Device accepts either CHAP or PAP when requested by this remote node.
CHAP - Your ZyXEL Device accepts CHAP only.
PAP - Your ZyXEL Device accepts PAP only.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the ZyXEL Device automatically disconnects from the PPPoE server.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this checkbox to enable NAT. For more information about NAT see Chapter 12 on page 225.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, the ZyXEL Device will incorporate RIP information that it receives. When set to None, the ZyXEL Device will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must also use multicasting. By default, the RIP Version field is set to RIP-1.
Table 19   NETWORK > WAN > WAN 1 (PPPoE Encapsulation) (continued)
LABEL: DESCRIPTION
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address from LAN: You can configure the WAN port's MAC address by either using the factory assigned default MAC Address or cloning the MAC address of a computer on your LAN. By default, the ZyXEL Device uses the factory assigned MAC Address to identify itself on the WAN. Otherwise, select the check box next to Spoof WAN MAC Address from LAN and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer's MAC address - IP Address: Enter the IP address of the computer on the LAN whose MAC you are cloning. If you clone the MAC address of a computer on your LAN, it is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

6.8.3  PPTP Encapsulation

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.

PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.

The screen shown next is for PPTP encapsulation.
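The Authentication Type field on the PPPoE screen (and the same field on the PPTP screen) chooses between PAP and CHAP, and the difference is easiest to see in the bytes each protocol puts on the link. The following is an added example, not ZyXEL code: it builds a PAP Authenticate-Request as laid out in RFC 1334 and a CHAP Response as laid out in RFC 1994, using a constructed user name, password and challenge.

```python
import hashlib
import hmac
import struct

# Constructed credentials and challenge, for illustration only.
USER = b"subscriber01"
PASSWORD = b"constructed-secret"
CHALLENGE = bytes(range(16))


def _packet(code, identifier, data):
    """PPP authentication header: Code, Identifier, Length (header included)."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def pap_authenticate_request(identifier, peer_id, password):
    """PAP (RFC 1334): length-prefixed Peer-ID and Password, sent as they are."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _packet(1, identifier, data)


def chap_response_value(identifier, secret, challenge):
    """CHAP (RFC 1994): MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(identifier, secret, challenge, name):
    """CHAP Response packet: Code 2, Value-Size, Value, Name."""
    value = chap_response_value(identifier, secret, challenge)
    return _packet(2, identifier, bytes([len(value)]) + value + name)


def parse_chap(packet):
    """Split a CHAP Challenge/Response into (code, identifier, value, name)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    return code, identifier, packet[5:5 + size], packet[5 + size:length]


def authenticator_accepts(response, identifier, challenge, secret):
    """Server side: recompute the hash for the challenge it issued and compare."""
    code, resp_id, value, _name = parse_chap(response)
    expected = chap_response_value(identifier, secret, challenge)
    return code == 2 and resp_id == identifier and hmac.compare_digest(value, expected)


def wire_summary():
    """What an observer of the link sees for each protocol."""
    pap = pap_authenticate_request(1, USER, PASSWORD)
    chap = chap_response(7, PASSWORD, CHALLENGE, USER)
    return {
        "pap_contains_password": PASSWORD in pap,
        "chap_contains_password": PASSWORD in chap,
        "chap_value_hex": parse_chap(chap)[2].hex(),
    }


if __name__ == "__main__":
    for key, value in wire_summary().items():
        print(f"{key}: {value}")
```

Because the CHAP/PAP option accepts either protocol when the remote node requests it, the password can still cross the link in the clear; select CHAP where the ISP supports it.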
Figure 74   NETWORK > WAN > WAN 1 (PPTP Encapsulation)

The following table describes the labels in this screen.

Table 20   NETWORK > WAN > WAN 1 (PPTP Encapsulation)
LABEL: DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Set the encapsulation method to PPTP. The ZyXEL Device supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Table 20   NETWORK > WAN > WAN 1 (PPTP Encapsulation) (continued)
LABEL: DESCRIPTION
Authentication Type: The ZyXEL Device supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyXEL Device accepts either CHAP or PAP when requested by this remote node.
CHAP - Your ZyXEL Device accepts CHAP only.
PAP - Your ZyXEL Device accepts PAP only.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the ZyXEL Device automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Type your identification name for the PPTP server.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this checkbox to enable NAT. For more information about NAT see Chapter 12 on page 225.
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, the ZyXEL Device will incorporate RIP information that it receives. When set to None, the ZyXEL Device will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
Table 20   NETWORK > WAN > WAN 1 (PPTP Encapsulation) (continued)
LABEL: DESCRIPTION
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must also use multicasting. By default, the RIP Version field is set to RIP-1.
Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address from LAN: You can configure the WAN port's MAC address by either using the factory assigned default MAC Address or cloning the MAC address of a computer on your LAN. By default, the ZyXEL Device uses the factory assigned MAC Address to identify itself on the WAN. Otherwise, select the check box next to Spoof WAN MAC Address from LAN and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer's MAC address - IP Address: Enter the IP address of the computer on the LAN whose MAC you are cloning. If you clone the MAC address of a computer on your LAN, it is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

6.9  3G (WAN 2)

3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices.
The actual data rate you obtain varies depending on your 3G card, the signal strength of the service provider's base station, your service plan, etc.

If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. See the following table for a comparison between 2G, 2.5G, 2.75G, 3G and 3.5G wireless technologies.

After you activate 3G on your ZyXEL Device, the 3G connection becomes WAN 2. Refer to Chapter 22 on page 345 for the type of 3G cards that you can use in the ZyXEL Device along with the corresponding supported features.

To change your ZyXEL Device's 3G WAN settings, click NETWORK > WAN > 3G (WAN 2) or WIRELESS > 3G (WAN 2).

Table 21   2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies

Columns: NAME; TYPE; MOBILE PHONE AND DATA STANDARDS (GSM-BASED, CDMA-BASED); DATA SPEED. The DATA SPEED column spans all rows, from Slow (top of the table) to Fast (bottom of the table).

NAME: 2G
TYPE: Circuit-switched
GSM-BASED: GSM (Global System for Mobile Communications), Personal Handy-phone System (PHS), etc.
CDMA-BASED: Interim Standard 95 (IS-95), the first CDMA-based digital cellular standard pioneered by Qualcomm. The brand name for IS-95 is cdmaOne. IS-95 is also known as TIA-EIA-95.

NAME: 2.5G
TYPE: Packet-switched
GSM-BASED: GPRS (General Packet Radio Services), High-Speed Circuit-Switched Data (HSCSD), etc.
CDMA-BASED: CDMA2000 is a hybrid 2.5G / 3G protocol of mobile telecommunications standards that use CDMA, a multiple access scheme for digital radio. CDMA2000 1xRTT (1 times Radio Transmission Technology) is the core CDMA2000 wireless air interface standard. It is also known as 1x, 1xRTT, or IS-2000 and considered to be a 2.5G or 2.75G technology.

NAME: 2.75G
TYPE: Packet-switched
GSM-BASED: Enhanced Data rates for GSM Evolution (EDGE), Enhanced GPRS (EGPRS), etc.

NAME: 3G
TYPE: Packet-switched
GSM-BASED: UMTS (Universal Mobile Telecommunications System), a third-generation (3G) wireless standard defined in ITU (see note A) specification, is sometimes marketed as 3GSM. The UMTS uses GSM infrastructures and W-CDMA (Wideband Code Division Multiple Access) as the air interface.
CDMA-BASED: CDMA2000 EV-DO (Evolution-Data Optimized, originally 1x Evolution-Data Only), also referred to as EV-DO, EVDO, or just EV, is an evolution of CDMA2000 1xRTT and enables high-speed wireless connectivity. It is also denoted as IS-856 or High Data Rate (HDR).

NAME: 3.5G
TYPE: Packet-switched
GSM-BASED: HSDPA (High-Speed Downlink Packet Access) is a mobile telephony protocol, used for UMTS-based 3G networks and allows for higher data transfer speeds.

A. The International Telecommunication Union (ITU) is an international organization within which governments and the private sector coordinate global telecom networks and services.
The WAN 1 and WAN 2 IP addresses of a ZyXEL Device with multiple WAN interfaces must be on different subnets.

Figure 75   NETWORK > WAN > 3G (WAN 2)
The following table describes the labels in this screen.

Table 22   NETWORK > WAN > 3G (WAN 2)

LABEL: DESCRIPTION

WAN2 Setup

Enable: Select this option to enable WAN 2. The Network Type and Network Selection fields appear.

3G Card Configuration

3G Interface: This displays the model of the 3G card installed in your ZyXEL Device.

Network Type: Select the type of 3G service and frequency band for your 3G connection. If you are unsure what to select, check with your 3G service provider to find the 3G service available to you in your region.
  Select Automatically (All bands) to have the card connect to the highest speed network available. Once connected, the ZyXEL Device will continue searching for and connecting to the highest speed network as it becomes available.
  Select UMTS/HSDPA only (WCDMA 2100) to access HSDPA or UMTS networks available at 2100 MHz in your region. At the time of writing, Europe and Asia offer UMTS or HSDPA using WCDMA 2100.
  Select GPRS/EDGE (GSM 900/1800) only to access GPRS or EDGE networks available at 900 or 1800 MHz in your region. At the time of writing, Europe and most of Asia offer GPRS or EDGE using GSM 900/1800. GSM 1800 may also be known as DCS in some countries.
  Select GSM all to access GPRS or EDGE networks in other GSM frequency bands in other regions.
  Select WCDMA all to access UMTS or HSDPA networks in other WCDMA frequency bands in other regions.
  See Table 21 on page 127 for more information.

Network Selection: Select a 3G service provider for your connection. Otherwise, select Automatically to have the ZyXEL Device use the default settings on the 3G SIM card and connect to your service provider's base station. This shows Automatically by default. Click Scan to have the ZyXEL Device search for and display the available service providers. Ensure you have disconnected your 3G connection as the ZyXEL Device cannot scan for available 3G service providers while it has a 3G connection. This field resets to the default setting (Automatically) if the ZyXEL Device restarts.

ISP Parameters for Internet Access

Access Point Name (APN): Select this option and enter the APN (Access Point Name) if your ISP gives you the APN only. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge methods. You can enter up to 31 ASCII printable characters. Spaces are allowed.

Initial String (containing APN): Select this option and enter the initial string and APN if you know how to configure it or your ISP provides a string, which would include the APN, to initialize the 3G card. You can enter up to 72 ASCII printable characters. Spaces are allowed.
Table 22   NETWORK > WAN > 3G (WAN 2) (continued)

LABEL: DESCRIPTION

Authentication Type: The ZyXEL Device supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
  CHAP/PAP - Your ZyXEL Device accepts either CHAP or PAP when requested by the ISP.
  CHAP - Your ZyXEL Device accepts CHAP only.
  PAP - Your ZyXEL Device accepts PAP only.
  None - Your ZyXEL Device does not send your user name and password for authentication. The user name and password fields are grayed out. Select this option if your ISP did not give you a user name and password.

User Name: Type the user name (of up to 31 ASCII printable characters) given to you by your service provider.

Password: Type the password (of up to 31 ASCII printable characters) associated with the user name above.

Retype to Confirm: Type your password again to make sure that you have entered it correctly.

PIN Code: A PIN (Personal Identification Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G card. Enter the PIN code (four to eight digits, 0000 for example) provided by your ISP. If you enter the PIN code incorrectly, the 3G card may be blocked by your ISP and you cannot use the account to access the Internet. If your ISP disabled PIN code authentication, enter an arbitrary number. This field is available only when you insert a GSM 3G card. Check the HOME screen to see if you have entered the correct PIN.

Phone Number: Enter the phone number (dial string) used to dial up a connection to your service provider's base station. Your ISP should provide the dial string. By default, *99# is the dial string for GSM-based networks and #777 is the dial string for CDMA-based networks.

Nailed-Up: Select Nailed-Up if you do not want the connection to time out.

Idle Timeout: This specifies the time (from 0 to 9999) in seconds that elapses before the ZyXEL Device automatically disconnects from the ISP.

WAN IP Address Assignment

Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.

Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.

My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.

Advanced Setup

Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this checkbox to enable NAT. For more information about NAT see Chapter 12 on page 225.
Table 22   NETWORK > WAN > 3G (WAN 2) (continued)

LABEL: DESCRIPTION

Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.

Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.

Enable Budget Control: Select this check box to set a monthly limit for the user account of the installed 3G card. You must insert a 3G card before you enable budget control on the ZyXEL Device. You can set a limit on the total traffic and/or call time. The ZyXEL Device takes the actions you specified when a limit is exceeded during the month.

Time Budget: Select this check box and specify the amount of time (in hours) that the 3G connection can be used within one month. If you change the value after you configure and enable budget control, the ZyXEL Device resets the statistics.

Data Budget: Select this check box and specify how much downstream and/or upstream data (in Mbytes) can be transmitted via the 3G connection within one month.
  Select Download to set a limit on the downstream traffic (from the ISP to the ZyXEL Device).
  Select Upload to set a limit on the upstream traffic (from the ZyXEL Device to the ISP).
  Select Download/Upload to set a limit on the total traffic in both directions.
  If you change the value after you configure and enable budget control, the ZyXEL Device resets the statistics.

Reset time and data budget counters on: Select the date on which the ZyXEL Device resets the budget every month. If the date you selected is not available in a month, such as the 30th or 31st, the ZyXEL Device resets the budget on the last day of the month.

Reset time and data budget counters: This button is available only when you enable budget control in this screen. Click this button to reset the time and data budgets immediately. The count starts over with the 3G connection's full configured monthly time and data budgets. This does not affect the normal monthly budget restart.

Actions when over budget: Specify the actions the ZyXEL Device takes when the time or data limit is exceeded.
  Select Log to create a log.
  Select Alert to create an alert. This option is available only when you select Log.
  If you select Log, you can also select recurring every to have the ZyXEL Device send a log (and alert if selected) for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log (and alert if selected).
  Select Allow to permit new 3G connections or Disallow to drop/block new 3G connections.
  Select Keep to maintain the existing 3G connection or Drop to disconnect it.
  You cannot select Allow and Drop at the same time. If you select Disallow and Keep, the ZyXEL Device allows you to transmit data using the current connection, but you cannot build a new connection if the existing connection is disconnected.
Table 22   NETWORK > WAN > 3G (WAN 2) (continued)

LABEL: DESCRIPTION

Actions when over % of time budget or % of data budget: Specify the actions the ZyXEL Device takes when the specified percentage of time budget or data limit is exceeded. Enter a number from 1 to 99 in the percentage fields. If you change the value after you configure and enable budget control, the ZyXEL Device resets the statistics.
  Select Log to create a log.
  Select Alert to create an alert. This option is available only when you select Log.
  If you select Log, you can also select recurring every to have the ZyXEL Device send a log (and alert if selected) for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log (and alert if selected).

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.

6.10  Traffic Redirect

Traffic redirect forwards WAN traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyXEL Device still provides firewall protection for the LAN.

Figure 76   Traffic Redirect WAN Setup (figure labels: Internet, WAN, LAN, Backup Gateway)

IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the ZyXEL Device itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/ZyXEL Device firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2).

Figure 77   Traffic Redirect LAN Setup
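The budget control rows of Table 22 (monthly reset day, percentage thresholds, and the Allow/Disallow and Keep/Drop actions) can be modeled as follows. This is an added example, not ZyXEL firmware code; the function, class and field names are assumptions chosen to mirror the screen labels.

```python
"""Illustrative model of the Table 22 budget-control rules (not firmware code)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def reset_date(year: int, month: int, reset_day: int) -> date:
    """Date the counters reset in the given month. A reset day the month
    lacks (the 30th or 31st, for instance) falls back to its last day."""
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(reset_day, last_day))


def period_start(today: date, reset_day: int) -> date:
    """Start of the monthly budget period that contains `today`."""
    this_month = reset_date(today.year, today.month, reset_day)
    if today >= this_month:
        return this_month
    if today.month == 1:
        return reset_date(today.year - 1, 12, reset_day)
    return reset_date(today.year, today.month - 1, reset_day)


@dataclass
class BudgetPolicy:
    time_budget_hours: Optional[float]  # None = Time Budget not selected
    data_budget_mb: Optional[float]     # None = Data Budget not selected
    data_direction: str                 # "Download", "Upload" or "Download/Upload"
    warn_time_percent: int              # 1 to 99
    warn_data_percent: int              # 1 to 99
    new_connections: str                # "Allow" or "Disallow"
    existing_connection: str            # "Keep" or "Drop"

    def __post_init__(self) -> None:
        for pct in (self.warn_time_percent, self.warn_data_percent):
            if not 1 <= pct <= 99:
                raise ValueError("percentage must be from 1 to 99")
        if self.data_direction not in ("Download", "Upload", "Download/Upload"):
            raise ValueError("unknown data direction")
        # The screen refuses this combination: dropping the current
        # connection while allowing new ones would defeat the budget.
        if self.new_connections == "Allow" and self.existing_connection == "Drop":
            raise ValueError("Allow and Drop cannot be selected at the same time")

    def evaluate(self, hours_used: float, mb_down: float, mb_up: float) -> dict:
        """Return the state ("ok", "warning" or "over") and what happens to
        new and existing 3G connections for the usage so far this period."""
        mb_used = {"Download": mb_down, "Upload": mb_up,
                   "Download/Upload": mb_down + mb_up}[self.data_direction]
        checks = ((hours_used, self.time_budget_hours, self.warn_time_percent),
                  (mb_used, self.data_budget_mb, self.warn_data_percent))
        over = warn = False
        for used, limit, pct in checks:
            if limit is None:          # this budget is not enabled
                continue
            if used > limit:
                over = True
            elif used > limit * pct / 100:
                warn = True
        if over:
            return {"state": "over",
                    "new_connection_allowed": self.new_connections == "Allow",
                    "existing_connection_kept": self.existing_connection == "Keep"}
        return {"state": "warning" if warn else "ok",
                "new_connection_allowed": True,
                "existing_connection_kept": True}


if __name__ == "__main__":
    # Constructed sample: 10 hours, 100 MB both directions, warn at 80 %.
    policy = BudgetPolicy(10, 100, "Download/Upload", 80, 80, "Disallow", "Keep")
    print(period_start(date(2008, 3, 15), 31))
    print(policy.evaluate(hours_used=5, mb_down=60, mb_up=30))
```

With Disallow and Keep, an over-budget result leaves the current session up but refuses a redial, which is the behavior the table describes for that pair.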
(Figure 77 labels: Internet, WAN, LAN, Backup Gateway; Subnet 1: 192.168.1.0 - 192.168.1.24; Subnet 2: 192.168.2.0 - 192.168.2.24)

6.11  Configuring Traffic Redirect

To change your ZyXEL Device's traffic redirect settings, click NETWORK > WAN > Traffic Redirect. The screen appears as shown.

Figure 78   NETWORK > WAN > Traffic Redirect

The following table describes the labels in this screen.

Table 23   NETWORK > WAN > Traffic Redirect

LABEL: DESCRIPTION

Active: Select this check box to have the ZyXEL Device use traffic redirect if the normal WAN connection goes down.

Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The ZyXEL Device automatically forwards traffic to this IP address if the ZyXEL Device's Internet connection terminates.

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.
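The Authentication Type row of Table 22 states that CHAP is more secure than PAP. The added example below (not from the manual) builds both PPP authentication packets as laid out in RFC 1334 and RFC 1994 to show what each one puts on the link; the user name, password and challenge are constructed sample values.

```python
"""PAP versus CHAP on the wire (illustrative; sample credentials are constructed)."""
import hashlib
import hmac
import struct

USER = "subscriber01"                 # constructed sample user name
PASSWORD = "s3cret-constructed"       # constructed sample password
CHALLENGE = bytes(range(16, 32))      # fixed for repeatability; a real
                                      # authenticator sends fresh random bytes


def pap_authenticate_request(identifier: int, user: str, password: str) -> bytes:
    """PAP Authenticate-Request (RFC 1334): Code=1, Identifier, Length,
    Peer-ID Length, Peer-ID, Passwd-Length, Password."""
    u, p = user.encode("ascii"), password.encode("ascii")
    body = bytes([len(u)]) + u + bytes([len(p)]) + p
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response_value(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || challenge)."""
    data = bytes([identifier]) + secret.encode("ascii") + challenge
    return hashlib.md5(data).digest()


def chap_response(identifier: int, name: str, secret: str, challenge: bytes) -> bytes:
    """CHAP Response: Code=2, Identifier, Length, Value-Size, Value, Name."""
    value = chap_response_value(identifier, secret, challenge)
    body = bytes([len(value)]) + value + name.encode("ascii")
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def chap_verify(packet: bytes, secret: str, challenge: bytes) -> bool:
    """Authenticator side: recompute the hash for the challenge it issued
    and compare in constant time. The secret itself is never received."""
    if len(packet) < 5:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if code != 2 or length != len(packet) or size != 16 or len(packet) < 5 + size:
        return False
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(packet[5:5 + size], expected)


if __name__ == "__main__":
    pap = pap_authenticate_request(1, USER, PASSWORD)
    chap = chap_response(1, USER, PASSWORD, CHALLENGE)
    # PAP carries the password itself; CHAP carries only a hash bound to
    # one challenge, so a recorded response does not answer a new challenge.
    print("password visible in PAP packet: ", PASSWORD.encode() in pap)
    print("password visible in CHAP packet:", PASSWORD.encode() in chap)
    print("CHAP response verifies:         ", chap_verify(chap, PASSWORD, CHALLENGE))
```

Selecting CHAP rather than CHAP/PAP keeps the device from answering a PAP request, since the CHAP/PAP option accepts either protocol when the ISP asks for it.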
CHAPTER 7
DMZ Screens

This chapter describes how to configure the ZyXEL Device's DMZ.

7.1  DMZ

The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be accessed from the secure LAN.

By default the firewall allows traffic between the WAN and the DMZ, traffic from the DMZ to the LAN is denied, and traffic from the LAN to the DMZ is allowed. Internet users can have access to host servers on the DMZ but no access to the LAN, unless special filter rules allowing access were configured by the administrator or the user is an authorized remote user.

It is highly recommended that you connect all of your public servers to the DMZ port(s).

It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port. Store sensitive information on LAN computers.

7.2  Configuring DMZ

The DMZ and the connected computers can have private or public IP addresses.

When the DMZ uses public IP addresses, the WAN and DMZ ports must use public IP addresses that are on separate subnets. See Appendix C on page 377 for information on IP subnetting. If you do not configure SUA NAT or any full feature NAT mapping rules for the public IP addresses on the DMZ, the ZyXEL Device will route traffic to the public IP addresses on the DMZ without performing NAT. This may be useful for hosting servers for NAT unfriendly applications (see Chapter 12 on page 225 for more information).

If the DMZ computers use private IP addresses, use NAT if you want to make them publicly accessible.

Like the LAN, the ZyXEL Device can also assign TCP/IP configuration via DHCP to computers connected to the DMZ ports.

From the main menu, click NETWORK > DMZ to open the DMZ screen. The screen appears as shown next.
Figure 79   NETWORK > DMZ

The following table describes the labels in this screen.

Table 24   NETWORK > DMZ

LABEL: DESCRIPTION

DMZ TCP/IP

IP Address: Type the IP address of your ZyXEL Device's DMZ port in dotted decimal notation.
  Note: Make sure the IP addresses of the LAN, WAN and DMZ are on separate subnets.

IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device 255.255.255.0.

RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.

RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting as well. By default, RIP direction is set to Both and the Version set to RIP-1.
Table 24   NETWORK > DMZ (continued)

LABEL: DESCRIPTION

Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.

DHCP Setup

DHCP: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyXEL Device provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields.
  Select Relay to have the ZyXEL Device forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field.
  Select None to stop the ZyXEL Device from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.

IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.

Pool Size: This field specifies the size, or count, of the IP address pool.

DHCP Server Address: Type the IP address of the DHCP server to which you want the ZyXEL Device to relay DHCP requests. Use dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.

DHCP WINS Server 1, 2: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.

Windows Networking (NetBIOS over TCP/IP)

Allow between DMZ and LAN: Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN. If your firewall is enabled with the default policy set to block DMZ to LAN traffic, you also need to configure a DMZ to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the DMZ and from the DMZ to the LAN.

Allow between DMZ and WAN 1: Select this check box to forward NetBIOS packets from the DMZ to WAN 1 and from WAN 1 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN 1 and from WAN 1 to the DMZ.

Allow between DMZ and WAN 2: Select this check box to forward NetBIOS packets from the DMZ to WAN 2 and from WAN 2 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN 2 and from WAN 2 to the DMZ.

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.
7.3  DMZ Static DHCP

This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses.

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

To change your ZyXEL Device's static DHCP settings on the DMZ, click NETWORK > DMZ > Static DHCP. The screen appears as shown.

Figure 80   NETWORK > DMZ > Static DHCP

The following table describes the labels in this screen.

Table 25   NETWORK > DMZ > Static DHCP

LABEL: DESCRIPTION

#: This is the index number of the Static IP table entry (row).

MAC Address: Type the MAC address of a computer on your DMZ.

IP Address: Type the IP address that you want to assign to the computer on your DMZ. Alternatively, click the right mouse button to copy and/or paste the IP address.

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.

7.4  DMZ IP Alias

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.

The ZyXEL Device has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ port role, they are all still part of a single physical Ethernet interface and all use the same IP address.

The ZyXEL Device supports three logical DMZ interfaces via its single physical DMZ Ethernet interface. The ZyXEL Device itself is the gateway for each of the logical DMZ networks.

The IP alias IP addresses can be either private or public regardless of whether the physical DMZ interface is set to use a private or public IP address. Use NAT if you want to make DMZ computers with private IP addresses publicly accessible (see Chapter 12 on page 225 for more information). When you use IP alias, you can have the DMZ use both public and private IP addresses at the same time.

Make sure that the subnets of the logical networks do not overlap.

To change your ZyXEL Device's IP alias settings, click NETWORK > DMZ > IP Alias. The screen appears as shown.
Figure 81   NETWORK > DMZ > IP Alias

The following table describes the labels in this screen.

Table 26   NETWORK > DMZ > IP Alias

LABEL: DESCRIPTION

Enable IP Alias 1, 2: Select the check box to configure another DMZ network for the ZyXEL Device.

IP Address: Enter the IP address of your ZyXEL Device in dotted decimal notation.
  Note: Make sure the IP addresses of the LAN, WAN and DMZ are on separate subnets.

IP Subnet Mask: Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.

RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.

RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting as well. By default, RIP direction is set to Both and the Version set to RIP-1.

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.
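The manual requires separate subnets for WAN 1 and WAN 2, for the LAN, WAN and DMZ, and for the IP alias networks; an addressing plan can be checked against those rules before it is typed into the screens. This added example (not part of the manual) uses Python's ipaddress module; the interface names are assumptions, and documentation-range addresses stand in for public addresses such as a.b.c.h and a.b.d.b.

```python
"""Check an addressing plan against the separate-subnet rules (illustrative)."""
import ipaddress
from itertools import combinations

# Constructed plan: interface name -> (IP address, subnet mask).
GOOD_PLAN = {
    "LAN": ("192.168.1.1", "255.255.255.0"),
    "DMZ": ("203.0.113.1", "255.255.255.0"),         # placeholder public address
    "DMZ IP Alias 1": ("10.0.0.1", "255.255.255.0"),
    "WAN 1": ("198.51.100.2", "255.255.255.0"),      # placeholder public address
    "WAN 2": ("192.0.2.10", "255.255.255.0"),        # placeholder 3G address
}

# Same plan with an alias carved out of the LAN range by mistake.
BAD_PLAN = dict(GOOD_PLAN)
BAD_PLAN["DMZ IP Alias 1"] = ("192.168.1.129", "255.255.255.128")


def interface_networks(plan: dict) -> dict:
    """Map each interface to the network implied by its address and mask."""
    return {name: ipaddress.ip_interface(f"{ip}/{mask}").network
            for name, (ip, mask) in plan.items()}


def find_overlaps(plan: dict) -> list:
    """Return every pair of interfaces whose subnets overlap. A different
    mask does not help: 192.168.1.128/25 still lies inside 192.168.1.0/24."""
    nets = interface_networks(plan)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def misplaced_hosts(plan: dict, hosts: dict) -> list:
    """hosts maps a host name to (interface, IP address). Return the hosts
    whose address is outside the subnet of the interface they attach to,
    or that reuse the ZyXEL Device's own address on that interface."""
    nets = interface_networks(plan)
    bad = []
    for host, (iface, ip) in sorted(hosts.items()):
        addr = ipaddress.ip_address(ip)
        gateway = ipaddress.ip_address(plan[iface][0])
        if addr not in nets[iface] or addr == gateway:
            bad.append(host)
    return bad


if __name__ == "__main__":
    hosts = {  # constructed, loosely following the DMZ address examples
        "A": ("LAN", "192.168.1.3"),
        "D": ("DMZ", "203.0.113.2"),
        "E": ("DMZ", "10.0.0.3"),           # wrong subnet for the DMZ port
        "F": ("DMZ IP Alias 1", "10.0.0.2"),
    }
    print("overlaps in good plan:", find_overlaps(GOOD_PLAN))
    print("overlaps in bad plan: ", find_overlaps(BAD_PLAN))
    print("misplaced hosts:      ", misplaced_hosts(GOOD_PLAN, hosts))
```

An overlap between a DMZ alias and the LAN matters for more than routing: it blurs the boundary the default DMZ-to-LAN deny policy relies on.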
7.5  DMZ Public IP Address Example

The following figure shows a simple network setup with public IP addresses on the WAN and DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and connected servers (D through F) use public IP addresses that are in another subnet. The public IP addresses of the DMZ and WAN ports are in separate subnets.

Figure 82   DMZ Public Address Example
(Figure labels: LAN IP: 192.168.1.1; A IP: 192.168.1.3; B IP: 192.168.1.4; C IP: 192.168.1.5; DMZ IP: a.b.c.h; D IP: a.b.c.i; E IP: a.b.c.j; F IP: a.b.c.k; WAN IP: a.b.d.b)

7.6  DMZ Private and Public IP Address Example

The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and server F use private IP addresses that are in one subnet. The private IP addresses of the LAN and DMZ are on separate subnets. The DMZ port and connected servers (D and E) use public IP addresses that are in one subnet. The public IP addresses of the DMZ and WAN are on separate subnets.

Configure one subnet (either the public or the private) in the Network > DMZ screen (see Section 7.2 on page 135) and configure the other subnet in the Network > DMZ > IP Alias screen (see Section 7.4 on page 139) to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses.
Figure 83   DMZ Private and Public Address Example
(Figure labels: LAN IP: 192.168.1.1; A IP: 192.168.1.3; B IP: 192.168.1.4; C IP: 192.168.1.5; DMZ IP: a.b.c.h; D IP: a.b.c.i; E IP: a.b.c.j; F IP: 10.0.0.2; WAN IP: a.b.d.b; IP: 10.0.0.1)

7.7  DMZ Port Roles

Use the Port Roles screen to set ports as part of the LAN and/or DMZ interface. Ports 1~4 on the ZyXEL Device can be part of the LAN and/or DMZ interface.

Do the following if you are configuring from a computer connected to a LAN or DMZ port and changing the port's role:

1. A port's IP address varies as its role changes; make sure your computer's IP address is in the same subnet as the ZyXEL Device's LAN or DMZ IP address.
2. Use the appropriate LAN or DMZ IP address to access the ZyXEL Device.

To change your ZyXEL Device's port role settings, click NETWORK > DMZ > Port Roles. The screen appears as shown.

The radio buttons correspond to Ethernet ports on the front panel of the ZyXEL Device. On the ZyXEL Device, ports 1 to 4 are all LAN ports by default.

Your changes are also reflected in the LAN Port Roles screens.
Figure 84   NETWORK > DMZ > Port Roles

The following table describes the labels in this screen.

Table 27   NETWORK > DMZ > Port Roles

LABEL: DESCRIPTION

LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the ZyXEL Device's LAN IP address and MAC address.

DMZ: Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the ZyXEL Device's DMZ IP address and MAC address.

Apply: Click Apply to save your changes.

Reset: Click Reset to begin configuring this screen afresh.
PART III
Wireless

Wi-Fi
CHAPTER 8
Wi-Fi

This chapter discusses how to configure wireless LAN on the ZyXEL Device.

8.1  Wi-Fi Introduction

Your ZyXEL Device comes with an internal Wi-Fi card, providing AP (access point) functionality, and allowing you to set up a wireless LAN (WLAN). Before you set up your WLAN it is important to understand WLAN and WLAN security concepts.

A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN. The following figure provides an example of a wireless network.

Figure 85   Example of a Wireless Network

The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your ZyXEL Device is the AP.
Every wireless network must follow these basic guidelines.

- Every wireless client in the same wireless network must use the same SSID.
  The SSID is the name of the wireless network. It stands for Service Set IDentity.
- If two wireless networks overlap, they should use different channels.
  Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information.
- Every wireless client in the same wireless network must use security compatible with the AP.
  Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.

See the WLAN appendix for more detailed information on WLANs.

8.2  Wireless Security Overview

The following sections introduce different types of wireless security you can set up in the wireless network.

8.2.1  SSID

Normally, the AP acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the AP does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess.

This type of security is fairly weak, however, because there are ways for unauthorized devices to get the SSID. In addition, unauthorized devices can still see the information that is sent in the wireless network.

8.2.2  MAC Address Filter

Every wireless client has a unique identification number, called a MAC address. [1] A MAC address is usually written using twelve hexadecimal characters [2]; for example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each wireless client, see the appropriate User's Guide or other documentation.

[1] Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks. These kinds of wireless devices might not have MAC addresses.
[2] Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F.
You can use the MAC address filter to tell the AP which wireless clients are allowed or not allowed to use the wireless network. If a wireless client is allowed to use the wireless network, it still has to have the correct settings (SSID, channel, and security). If a wireless client is not allowed to use the wireless network, it does not matter if it has the correct settings.

This type of security does not protect the information that is sent in the wireless network. Furthermore, there are ways for unauthorized devices to get the MAC address of an authorized wireless client. Then, they can use that MAC address to use the wireless network.

8.2.3  User Authentication

You can make every user log in to the wireless network before they can use it. This is called user authentication. However, every wireless client in the wireless network has to support IEEE 802.1x to do this.

For wireless networks, there are two typical places to store the user names and passwords for each user.

- In the AP: this feature is called a local user database or a local database.
- In a RADIUS server: this is a server used in businesses more than in homes.

If your AP does not provide a local user database and if you do not have a RADIUS server, you cannot set up user names and passwords for your users.

Unauthorized devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.

Local user databases also have an additional limitation that is explained in the next section.

8.2.4  Encryption

Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message.
The types of encryption you can choose depend on the type of user authentication. (See Section 8.2.3 on page 149 for information about this.)

Table 28   Types of Encryption for Each Type of Authentication

            No Authentication             RADIUS Server
Weakest     No Security
            Static WEP                    802.1x + Static WEP
            WPA-PSK                       WPA
Strongest   WPA2-PSK or WPA2-PSK-Mix      WPA2 or WPA2-Mix

For example, if the wireless network has a RADIUS server, you can choose WPA or WPA2. If users do not log in to the wireless network, you can choose no encryption, Static WEP, WPA-PSK, or WPA2-PSK.

Usually, you should set up the strongest encryption that every wireless client in the wireless network supports. For example, suppose the AP does not have a local user database, and you do not have a RADIUS server. Therefore, there is no user authentication. Suppose the wireless network has two wireless clients. Device A only supports WEP, and device B supports WEP and WPA. Therefore, you should set up Static WEP in the wireless network.

It is recommended that wireless clients use WPA-PSK, WPA, or stronger encryption. IEEE 802.1x and WEP encryption are better than none at all, but it is still possible for unauthorized devices to figure out the original information pretty quickly.

It is not possible to use WPA-PSK, WPA or stronger encryption with a local user database. In this case, it is better to set up stronger encryption with no authentication than to set up weaker encryption with the local user database.

If some wireless clients support WPA and some support WPA2, you should set up WPA2-PSK-Mix or WPA2-Mix (depending on the type of wireless network login) in the ZyXEL Device.

Many types of encryption use a key to protect the information in the wireless network. The longer the key, the stronger the encryption. Every wireless client in the wireless network must have the same key.
8.2.5  Additional Installation Requirements for Using 802.1x

- A computer with an IEEE 802.11b/g wireless LAN card.
- A computer equipped with a web browser (with JavaScript enabled) and/or Telnet.
- A wireless station must be running IEEE 802.1x-compliant software. Currently, this is offered in Windows XP.
- An optional network RADIUS server for remote user authentication and accounting.

8.3  Wireless Card

If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device's new settings.

Click WIRELESS > Wi-Fi to open the Wireless Card screen.

Figure 86   WIRELESS > Wi-Fi > Wireless Card
The following table describes the labels in this screen.

Table 29   WIRELESS > Wi-Fi > Wireless Card
LABEL: DESCRIPTION
Enable Wireless Card: The wireless LAN through a wireless LAN card is turned off by default. Before you enable the wireless LAN you should configure security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN.
Bridge to: Select LAN to use the wireless card as part of the LAN. Select DMZ to use the wireless card as part of the DMZ. The ZyXEL Device restarts after you change the wireless card setting.
  Note: If you set the wireless card to be part of the LAN or DMZ, you can still use wireless access. The firewall will treat the wireless card as part of the LAN or DMZ respectively.
802.11 Mode: Select 802.11b Only to allow only IEEE 802.11b compliant wireless devices to associate with the ZyXEL Device. Select 802.11g Only to allow only IEEE 802.11g compliant wireless devices to associate with the ZyXEL Device. Select 802.11b+g to allow both IEEE 802.11b and IEEE 802.11g compliant wireless devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced.
Choose Channel ID: Set the operating frequency/channel depending on your particular region. To manually set the ZyXEL Device to use a channel, select a channel from the drop-down list box. To have the ZyXEL Device automatically select a channel, click Scan instead.
Scan: Click this button to have the ZyXEL Device automatically select the wireless channel with the lowest interference.
RTS/CTS Threshold: In a wireless network which covers a large area, wireless devices are sometimes not aware of each other's presence. This may cause them to send information to the AP at the same time and result in information colliding and not getting through. RTS/CTS is designed to prevent collisions due to hidden nodes.
You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake. Enter a value between 256 and 2346. Data with a frame size larger than this value will perform the RTS (Request To Send)/CTS (Clear to Send) handshake. The lower the value, the more often the devices must get permission. If the RTS/CTS value is greater than the Fragmentation value, then the RTS/CTS handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
Fragmentation Threshold: This is the threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2346.
Output Power: Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power to reduce interference with other APs. Select one of the following: 100% (full power), 50%, 25%, 12.5% or min (minimum). See the product specifications for more information on your ZyXEL Device's output power.
Enable Roaming: Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another. Select this checkbox to enable roaming on the ZyXEL Device if you have two or more ZyXEL Devices on the same subnet.
  Note: All APs on the same subnet and the wireless clients must have the same SSID to allow roaming.
8.3.1  SSID Profile

Configure wireless network security by configuring and applying an SSID profile. You can configure multiple profiles but you can only apply one to your network. Use the Wireless Card screen to see information about the SSID profiles on the ZyXEL Device, and use the Wireless Card > Edit screen to configure the SSID profiles.

Each SSID profile references the settings configured in the following screens:

- WIRELESS > Wi-Fi > Security (one of the security profiles).
- AUTH SERVER > RADIUS (the RADIUS server settings).
- WIRELESS > Wi-Fi > MAC Filter (the MAC filter list, if activated in the SSID profile).

Configure the fields in the above screens to use the settings in an SSID profile. In the Wireless Card screen, click the edit icon next to an SSID profile to display the following screen.

Select SSID Profile: An SSID profile is the set of parameters relating to one of the ZyXEL Device's BSSs. The SSID (Service Set IDentifier) identifies the Service Set with which a wireless client is associated. Wireless clients associating with the access point (AP) must have the same SSID.
  Note: If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device's new settings.
#: This field displays the index number of each SSID profile.
Active: Choose a profile to apply to your wireless network by selecting its radio button.
Name: This field displays the identification name of each SSID profile on the ZyXEL Device.
SSID: This field displays the name of the wireless profile on the network.
When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility.
Security: This field indicates which security profile is currently associated with each SSID profile. See Section 8.4 on page 154 for more information.
Action: Click the edit icon next to the profile you want to configure and go to the SSID configuration screen. Click the reset default icon to clear all user-entered configuration information and return the SSID profile to its factory defaults.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
Table 29   WIRELESS > Wi-Fi > Wireless Card (continued)
Figure 87   WIRELESS > Wi-Fi > Configuring SSID

The following table describes the labels in this screen.

Table 30   WIRELESS > Wi-Fi > Configuring SSID
LABEL: DESCRIPTION
Name: Enter a name (up to 32 printable 7-bit ASCII characters) identifying this profile.
SSID: When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
Hide SSID: Select Disable if you want the ZyXEL Device to broadcast this SSID (a wireless client scanning for an AP will find this SSID). Alternatively, select Enable to have the ZyXEL Device hide this SSID (a wireless client scanning for an AP will not find this SSID).
Security: Select a security profile to use with this SSID profile. See Section 8.4 on page 154 for more information.
RADIUS: This displays N/A if the security profile you selected does not use RADIUS authentication. See Section 8.4 on page 154 for more information. This displays Radius Configuration if you select a security profile that uses RADIUS authentication. Click Radius Configuration to go to the RADIUS screen where you can view and/or change the RADIUS settings. See Section 10.3 on page 193 for more information.
Enable MAC Filtering: Select Enable from the drop down list box to activate MAC address filtering.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

8.4  Configuring Wireless Security

Click WIRELESS > Wi-Fi > Security to open the Security screen. Use this screen to create security profiles. A security profile is a group of configuration settings which can be assigned to an SSID profile in the Wireless Card screen.

The screen changes when you configure a security profile and varies according to the security modes you select.
The following table describes the security modes you can configure.

Table 31   Security Modes
SECURITY MODE: DESCRIPTION
None: Select this to have no data encryption.
WEP: Select this to use WEP encryption.
802.1x-Only: Select this to use 802.1x authentication with no data encryption.
802.1x-Static64: Select this to use 802.1x authentication with a static 64-bit WEP key and an authentication server.
802.1x-Static128: Select this to use 802.1x authentication with a static 128-bit WEP key and an authentication server.
WPA: Select this to use WPA.
WPA-PSK: Select this to use WPA with a pre-shared key.
WPA2: Select this to use WPA2.
WPA2-MIX: Select this to use either WPA2 or WPA depending on which security mode the wireless client uses.
WPA2-PSK: Select this to use WPA2 with a pre-shared key.
WPA2-PSK-MIX: Select this to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses.

Figure 88   WIRELESS > Wi-Fi > Security

The following table describes the labels in this screen.

Table 32   WIRELESS > Wi-Fi > Security
LABEL: DESCRIPTION
Security Profile
Index: This is the index number of the security profile.
Profile Name: This field displays a name given to a security profile in the Security configuration screen.
Security Mode: This field displays the security mode this security profile uses.
Action: Click the edit icon to configure security settings for that profile. Click the reset default icon to clear all user-entered configuration information and return the security profile to its factory defaults.
8.4.1  No Security

If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device within range.

Figure 89   WIRELESS > Wi-Fi > Security: None

The following table describes the wireless LAN security labels in this screen.

Table 33   WIRELESS > Wi-Fi > Security: None
LABEL: DESCRIPTION
Name: Type a name (up to 32 printable 7-bit ASCII characters) to identify this security profile.
Security Mode: Select None to allow wireless clients to communicate with the access points without any data encryption.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

8.4.2  Static WEP

Static WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyXEL Device allows you to configure up to four 64-bit, 128-bit or 152-bit WEP keys, but only one key can be used at any one time.

In order to configure and enable WEP encryption, click WIRELESS > Wi-Fi > Security > Edit.
Figure 90   WIRELESS > Wi-Fi > Security: WEP

The following table describes the labels in this screen.

Table 34   WIRELESS > Wi-Fi > Security: WEP
LABEL: DESCRIPTION
Name: Type a name to identify this security profile.
Security Mode: Select WEP from the drop-down list.
WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select 64-bit WEP, 128-bit WEP or 152-bit WEP to enable data encryption.
Authentication Method: Select Shared-Key to have the ZyXEL Device use the default WEP key to authenticate the wireless client to the ZyXEL Device. Select Auto to have the ZyXEL Device switch between the shared-key and open system (the wireless clients and AP do not share a secret key for authentication) modes automatically. The default setting is Auto.
Key 1 to Key 4: The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless clients must use the same WEP key for data transmission. If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 152-bit WEP in the WEP Encryption field, then enter 16 ASCII characters or 32 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. You can configure up to four keys, but only one key can be activated at any one time. The default key is key 1.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

8.4.3  IEEE 802.1x Only

Click WIRELESS > Wi-Fi > Security > Edit. Select 8021X-Only from the Security Mode list.
Figure 91   WIRELESS > Wi-Fi > Security: 802.1x Only

The following table describes the labels in this screen.

8.4.4  IEEE 802.1x + Static WEP

Click WIRELESS > Wi-Fi > Security > Edit. Select 8021X-Static64 or 8021X-Static128 in the Security Mode field to display the following screen.

Table 35   WIRELESS > Wi-Fi > Security: 802.1x Only
LABEL: DESCRIPTION
Name: Type a name to identify this security profile.
Security Mode: Select 8021X-Only from the drop-down list.
ReAuthentication Timer: Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds. If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The ZyXEL Device automatically disconnects a wireless client from the wireless network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again. Enter a time interval between 600 and 65535 seconds.
Authentication Databases: Click Local User to go to the Local User Database screen where you can view and/or edit the list of users and passwords.
Click RADIUS to go to the RADIUS screen where you can configure the ZyXEL Device to check an external RADIUS server.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
Figure 92   WIRELESS > Wi-Fi > Security: 802.1x + Static WEP

The following table describes the labels in this screen.

Table 36   WIRELESS > Wi-Fi > Security: 802.1x + Static WEP
LABEL: DESCRIPTION
Name: Type a name to identify this security profile.
Security Mode: Select 8021X-Static64 or 8021X-Static128 from the drop-down list.
Key 1 to Key 4: If you chose 8021X-Static64 in the Security Mode field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 8021X-Static128 in the Security Mode field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless clients.
ReAuthentication Timer: Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds. If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The ZyXEL Device automatically disconnects a wireless client from the wireless network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server).
If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again. Enter a time interval between 600 and 65535 seconds.
Authentication Databases: Click Local User to go to the Local User Database screen where you can view and/or edit the list of users and passwords. Click RADIUS to go to the RADIUS screen where you can configure the ZyXEL Device to check an external RADIUS server.
Table 36   WIRELESS > Wi-Fi > Security: 802.1x + Static WEP (continued)
LABEL: DESCRIPTION
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

8.4.5  WPA, WPA2, WPA2-MIX

Click WIRELESS > Wi-Fi > Security > Edit. Select WPA, WPA2 or WPA2-MIX from the Security Mode list.

Figure 93   WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX

The following table describes the labels in this screen.

Table 37   WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX
LABEL: DESCRIPTION
Name: Type a name to identify this security profile.
Security Mode: Select WPA, WPA2 or WPA2-MIX from the drop-down list.
ReAuthentication Timer: Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds. If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout: The ZyXEL Device automatically disconnects a wireless client from the wireless network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server).
If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again. Enter a time interval between 600 and 65535 seconds.
Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA(2)-PSK mode.
Table 37   WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX (continued)
LABEL: DESCRIPTION
PMK Cache: This field is available only when you select WPA2 or WPA2-MIX. When a wireless client moves from one AP's coverage area to another, it performs an authentication procedure (exchanging security information) with the new AP. Instead of re-authenticating a client each time it returns to the AP's coverage area, which can cause delays to time-sensitive applications, the AP and the client can store (or "cache") and use information about their previous authentication. Select Enable to allow PMK (Pairwise Master Key) caching, or Disable to switch this feature off.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

8.4.6  WPA-PSK, WPA2-PSK, WPA2-PSK-MIX

Click WIRELESS > Wi-Fi > Security > Edit. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX from the Security Mode list.

Figure 94   WIRELESS > Wi-Fi > Security: WPA(2)-PSK

The following table describes the labels in this screen.

Table 38   WIRELESS > Wi-Fi > Security: WPA(2)-PSK
LABEL: DESCRIPTION
Name: Type a name to identify this security profile.
Security Mode: Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX from the drop-down list.
Pre-Shared Key: The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
ReAuthentication Timer: Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds. If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
8.5  MAC Filter

The MAC filter screen allows you to configure the ZyXEL Device to give exclusive access to specific devices (Allow) or exclude specific devices from accessing the ZyXEL Device (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC addresses of the devices to configure this screen.

To change your ZyXEL Device's MAC filter settings, click WIRELESS > Wi-Fi > MAC Filter. The screen appears as shown.

To activate MAC filtering on a profile, select Enable from the Enable MAC Filtering drop-down list box in the Wireless Card > Edit screen and click Apply.

Idle Timeout: The ZyXEL Device automatically disconnects a wireless client from the wireless network after a period of inactivity. The wireless client needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless client is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again. Enter a time interval between 600 and 65535 seconds.
Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis.
Setting of the Group Key Update Timer is also supported in WPA(2)-PSK mode.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
Table 38   WIRELESS > Wi-Fi > Security: WPA(2)-PSK (continued)
Figure 95   WIRELESS > Wi-Fi > MAC Filter

The following table describes the labels in this menu.

Table 39   WIRELESS > Wi-Fi > MAC Filter
LABEL: DESCRIPTION
Association: Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow to permit access to the router; MAC addresses not listed will be denied access to the router.
#: This is the index number of the MAC address.
User Name: Enter a descriptive name for the MAC address.
MAC Address: Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access to the ZyXEL Device in these address fields.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.
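
The key formats in Sections 8.4.2, 8.4.4 and 8.4.6, the 600 to 65535 second timer range, and the Table 28 ordering from Section 8.2.4 can be checked before a security profile is applied. The following Python code is an added example, not ZyXEL software; the profile dictionary layout, the function names, the acceptance of lower-case hexadecimal digits and the sample profiles are assumptions made for illustration.

```python
import string

# Mode or WEP Encryption choice -> (ASCII characters, hex digits after "0x"),
# as given in the Static WEP and 802.1x + Static WEP tables.
WEP_KEY_SIZES = {
    "64-bit WEP": (5, 10), "128-bit WEP": (13, 26), "152-bit WEP": (16, 32),
    "8021X-Static64": (5, 10), "8021X-Static128": (13, 26),
}
PSK_MODES = ("WPA-PSK", "WPA2-PSK", "WPA2-PSK-MIX")

# Row of Table 28 for each security mode: 0 = weakest, 3 = strongest.
# 8021X-Only is not listed in Table 28; it is ranked 0 here because Table 31
# describes it as having no data encryption (an assumption of this example).
TABLE28_ROW = {
    "None": 0, "8021X-Only": 0,
    "WEP": 1, "8021X-Static64": 1, "8021X-Static128": 1,
    "WPA-PSK": 2, "WPA": 2,
    "WPA2-PSK": 3, "WPA2-PSK-MIX": 3, "WPA2": 3, "WPA2-MIX": 3,
}

def _printable_ascii(text):
    return all(32 <= ord(ch) <= 126 for ch in text)

def valid_wep_key(key, size):
    """Accept the ASCII form or the 0x-prefixed hexadecimal form for this key size."""
    ascii_len, hex_len = WEP_KEY_SIZES[size]
    if len(key) == ascii_len and _printable_ascii(key):
        return True
    digits = key[2:]
    return (key[:2].lower() == "0x" and len(digits) == hex_len
            and all(ch in string.hexdigits for ch in digits))

def valid_psk(psk):
    """8 to 63 case-sensitive ASCII characters, spaces and symbols included."""
    return 8 <= len(psk) <= 63 and _printable_ascii(psk)

def strongest_common_row(clients, radius):
    """Strongest Table 28 row that every client supports.

    clients: one set per wireless client, drawn from {"WEP", "WPA", "WPA2"}.
    radius:  True to read the RADIUS Server column, False for No Authentication.
    """
    col = 1 if radius else 0
    if all("WPA2" in c for c in clients):
        return 3, ("WPA2-PSK", "WPA2")[col]
    if all(c & {"WPA", "WPA2"} for c in clients):
        if any("WPA2" in c for c in clients):      # mixed WPA and WPA2 clients
            return 3, ("WPA2-PSK-Mix", "WPA2-Mix")[col]
        return 2, ("WPA-PSK", "WPA")[col]
    if all("WEP" in c for c in clients):
        return 1, ("Static WEP", "802.1x + Static WEP")[col]
    return 0, "No Security"

def audit_profile(profile, clients=(), radius=False):
    """Return a list of findings for one security profile (empty list = none)."""
    findings = []
    mode = profile["mode"]
    size = profile.get("wep_size", mode)   # Static WEP chooses the size in its own field
    if size in WEP_KEY_SIZES:
        for number, key in enumerate(profile.get("keys", []), start=1):
            if not valid_wep_key(key, size):
                findings.append(f"key {number}: wrong length or characters for {size}")
    if mode in PSK_MODES and not valid_psk(profile.get("psk", "")):
        findings.append("pre-shared key: must be 8 to 63 ASCII characters")
    for field in ("reauth_timer", "idle_timeout"):
        if field in profile and not 600 <= profile[field] <= 65535:
            findings.append(f"{field}: outside 600 to 65535 seconds")
    row, label = strongest_common_row(clients, radius)
    if TABLE28_ROW[mode] < row:
        findings.append(f"mode {mode} is weaker than {label}, which every client supports")
    return findings

# Constructed sample data: two profiles and the capabilities of two clients.
SAMPLE_PROFILES = [
    {"name": "office", "mode": "WPA2-PSK", "psk": "correct horse battery staple",
     "reauth_timer": 1800, "idle_timeout": 3600},
    {"name": "legacy", "mode": "WEP", "wep_size": "128-bit WEP",
     "keys": ["0x0123456789ABCDEF0123456789", "short"], "idle_timeout": 300},
]
SAMPLE_CLIENTS = [{"WEP", "WPA", "WPA2"}, {"WPA", "WPA2"}]

if __name__ == "__main__":
    for sample in SAMPLE_PROFILES:
        print(sample["name"], audit_profile(sample, SAMPLE_CLIENTS))
```

The "legacy" profile produces three findings: a malformed second key, an idle timeout below 600 seconds, and a mode two rows weaker than what both sample clients support.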
PART IV
Security

Firewall (167)
Certificates (195)
Authentication Server (191)
CHAPTER 9
Firewall

This chapter shows you how to configure your ZyXEL Device's firewall.

9.1  Firewall Overview

In networking, a firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network. The ZyXEL Device physically separates the LAN, DMZ and the WAN and acts as a secure gateway for all data passing between the networks. The ZyXEL Device protects against Denial of Service (DoS) attacks, prevents theft, destruction and modification of data, and logs events.

Enable the firewall to protect your LAN computers from attacks by hackers on the Internet and control access between the LAN, DMZ and WAN. By default the firewall:

- allows traffic that originates from your LAN computers to go to all of the networks.
- blocks traffic that originates on the other networks from going to the LAN.
- allows traffic that originates on the WAN to go to the DMZ and protects your DMZ computers against DoS attacks.

The following figure illustrates the default firewall action. User A can initiate an IM (Instant Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However other traffic initiated from the WAN is blocked (3 and 4).

Figure 96   Default Firewall Action

Your customized rules take precedence and override the ZyXEL Device's default settings. The ZyXEL Device checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyXEL Device takes the action specified in the rule.
9.2  Packet Direction Matrix

The ZyXEL Device's packet direction matrix allows you to apply certain security settings (like firewall) to traffic flowing in specific directions.

For example, click SECURITY > FIREWALL to open the following screen. This screen configures general firewall settings.

Figure 97   SECURITY > FIREWALL > Default Rule

Packets have a source and a destination. The packet direction matrix in the lower part of the screen sets what the ZyXEL Device does with packets traveling in a specific direction that do not match any of the firewall rules.

To set the ZyXEL Device to block traffic from WAN 1 from going to the DMZ interfaces, find where the From WAN1 row and the To DMZ column intersect and set the field to Drop as shown.
Figure 98   Default Block Traffic From WAN1 to DMZ Example

9.3  Packet Direction Examples

Firewall rules are grouped based on the direction of travel of packets to which they apply. This section gives some examples of why you might configure firewall rules for specific connection directions.

By default, the ZyXEL Device allows packets traveling in the following directions:

LAN to LAN: These rules specify which computers on the LAN can manage the ZyXEL Device (remote management) and communicate between networks or subnets connected to the LAN interface (IP alias). You can also configure the remote management settings to allow only a specific computer to manage the ZyXEL Device.
LAN to WAN 1: These rules specify which computers on the LAN can access which computers or services connected to WAN 1. See Section 9.5 on page 171 for an example.
By default, the ZyXEL Device drops packets traveling in the following directions:
- WAN 1 to LAN: These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to:
  - Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
  - Allow public access to a Web server on your protected network. You could also block certain IP addresses from accessing it.
  You also need to configure NAT port forwarding (or full featured NAT address mapping rules) to allow computers on the WAN to access devices on the LAN. See Section 12.5.3 on page 236 for an example.
- WAN to WAN: By default the ZyXEL Device stops computers connected to WAN1 or WAN2 from managing the ZyXEL Device or using the ZyXEL Device as a gateway to communicate with other computers on the WAN. You could configure one of these rules to allow a WAN computer to manage the ZyXEL Device. You also need to configure the remote management settings to allow a WAN computer to manage the ZyXEL Device.

9.4 Security Considerations

Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyXEL Device and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.

Consider these security ramifications before creating a rule:
1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
3. Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.
4. Does this rule conflict with any existing rules?

Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the web configurator screens.

9.5 Firewall Rules Example

Suppose that your company decides to block all of the LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule.

Figure 99   Blocking All LAN to WAN IRC Traffic Example

Your firewall would have the following configuration.

Table 40   Blocking All LAN to WAN IRC Traffic Example
#         SOURCE   DESTINATION   SCHEDULE   SERVICE   ACTION
1         Any      Any           Any        IRC       Drop
Default   Any      Any           Any        Any       Allow

- The first row blocks LAN access to the IRC service on the WAN.
- The second row is the firewall's default policy that allows all traffic from the LAN to go to the WAN.
The ZyXEL Device applies the firewall rules in order. So for this example, when the ZyXEL Device receives traffic from the LAN, it checks it against the first rule. If the traffic matches (if it is IRC traffic) the firewall takes the action in the rule (drop) and stops checking the firewall rules. Any traffic that does not match the first firewall rule will match the default rule and the ZyXEL Device forwards it.

Now suppose that your company wants to let the CEO use IRC. You can configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer. In order to make sure that the CEO's computer always uses the same IP address, make sure it either:
- has a static IP address, or
- you configure a static DHCP entry for it so the ZyXEL Device always assigns it the same IP address (see Section 5.8 on page 106 for information on static DHCP).

Now you configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of your two custom rules.

Figure 100   Limited LAN to WAN IRC Traffic Example

Your firewall would have the following configuration.
- The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN.
- The second row blocks LAN access to the IRC service on the WAN.
- The third row is (still) the firewall's default policy of allowing all traffic from the LAN to go to the WAN.

The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic.
If the rule that blocks all LAN to WAN IRC traffic came first, the CEO's IRC traffic would match that rule and the ZyXEL Device would drop it and not check any other firewall rules.

Table 41   Limited LAN to WAN IRC Traffic Example
#         SOURCE        DESTINATION   SCHEDULE   SERVICE   ACTION
1         192.168.1.7   Any           Any        IRC       Allow
2         Any           Any           Any        IRC       Drop
Default   Any           Any           Any        Any       Allow
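The first-match behaviour of Tables 40 and 41 can be checked offline before rules are entered on the device. The sketch below is an added example, not ZyXEL code: it evaluates the Table 41 rules in order and flags any rule that an earlier rule makes unreachable. The rule names and the mapping of IRC to TCP port 6667 are assumptions; destination and schedule are Any in both tables and are left out.

```python
"""First-match evaluation of LAN-to-WAN rules, modelled on Tables 40 and 41."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: IRC is represented as TCP port 6667. The device's own service
# definitions are in the manual's Appendix D, which is not reproduced here.
SERVICES = {"IRC": {("tcp", 6667)}, "Any": None}  # None matches every service


@dataclass(frozen=True)
class Rule:
    name: str      # hypothetical rule name
    source: str    # "Any", a single address, or a subnet in CIDR form
    service: str   # key into SERVICES
    action: str    # "Allow" or "Drop", as written in the tables

    def source_net(self):
        return None if self.source == "Any" else ip_network(self.source, strict=False)

    def matches(self, src, proto, port):
        net = self.source_net()
        if net is not None and ip_address(src) not in net:
            return False
        svc = SERVICES[self.service]
        return svc is None or (proto, port) in svc

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        mine, theirs = self.source_net(), other.source_net()
        if mine is not None and (theirs is None or not theirs.subnet_of(mine)):
            return False
        a, b = SERVICES[self.service], SERVICES[other.service]
        return a is None or (b is not None and b <= a)


def evaluate(rules, default_action, src, proto, port):
    """Return (action, which rule decided) using first-match semantics."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src, proto, port):
            return rule.action, f"rule {number} ({rule.name})"
    return default_action, "default"


def shadowed(rules):
    """Return (later, earlier) rule numbers where `later` can never be reached."""
    found = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if earlier.covers(later):
                found.append((i + 1, j + 1))
                break
    return found


# Table 41 in the order the manual requires, and the same rules reversed.
TABLE_41 = [
    Rule("CEO IRC", "192.168.1.7", "IRC", "Allow"),
    Rule("Block IRC", "Any", "IRC", "Drop"),
]
REVERSED = list(reversed(TABLE_41))

if __name__ == "__main__":
    for label, rules in (("Table 41 order", TABLE_41), ("reversed order", REVERSED)):
        print(label)
        for src, port in (("192.168.1.7", 6667), ("192.168.1.20", 6667), ("192.168.1.20", 80)):
            print("  ", src, port, evaluate(rules, "Allow", src, "tcp", port))
        print("   shadowed rules:", shadowed(rules))
```

Running the shadow check against a planned rule list before moving or inserting rules catches the ordering mistake described above without dropping live traffic.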
9.6 Asymmetrical Routes

If an alternate gateway on the LAN has an IP address in the same subnet as the ZyXEL Device's LAN IP address, return traffic may not go through the ZyXEL Device. This is called an asymmetrical or "triangle" route. This causes the ZyXEL Device to reset the connection, as the connection has not been acknowledged.

You can have the ZyXEL Device permit the use of asymmetrical route topology on the network (not reset the connection).

Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyXEL Device. A better solution is to use IP alias to put the ZyXEL Device and the backup gateway on separate subnets.

9.6.1 Asymmetrical Routes and IP Alias

You can use IP alias instead of allowing asymmetrical routes. IP alias allows you to partition your network into logical sections over the same interface.

By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.

1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2. The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2.
3. The reply from the WAN goes to the ZyXEL Device.
4. The ZyXEL Device then sends it to the computer on the LAN in Subnet 1.

Figure 101   Using IP Alias to Solve the Triangle Route Problem

9.7 Firewall Default Rule

Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings.
Figure 102   SECURITY > FIREWALL > Default Rule

The following table describes the labels in this screen.

Table 42   SECURITY > FIREWALL > Default Rule
LABEL: DESCRIPTION
0-100%: This bar displays the percentage of the ZyXEL Device's firewall rules storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary firewall rules before adding more firewall rules.
Enable Firewall: Select this check box to activate the firewall. The ZyXEL Device performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  Note: When you activate the firewall, all current connections through the ZyXEL Device are dropped when you apply your changes.
Allow Asymmetrical Route: If an alternate gateway on the LAN has an IP address in the same subnet as the ZyXEL Device's LAN IP address, return traffic may not go through the ZyXEL Device. This is called an asymmetrical or "triangle" route. This causes the ZyXEL Device to reset the connection, as the connection has not been acknowledged.
  Select this check box to have the ZyXEL Device permit the use of asymmetrical route topology on the network (not reset the connection).
  Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyXEL Device. A better solution is to use IP alias to put the ZyXEL Device and the backup gateway on separate subnets. See Section 9.6.1 on page 173 for an example.
Table 42   SECURITY > FIREWALL > Default Rule (continued)
LABEL: DESCRIPTION
From, To: The firewall rules are grouped by the direction of packet travel. This displays the number of rules for each packet direction. Click the edit icon to go to a summary screen of the rules for that packet direction.
  Here is an example description of the directions of travel.
  From LAN To LAN means packets traveling from a computer on one LAN subnet to a computer on another LAN subnet on the LAN interface of the ZyXEL Device or the ZyXEL Device itself. The ZyXEL Device does not apply the firewall to packets traveling from a LAN computer to another LAN computer on the same subnet.
  Use the drop-down list box to set the firewall's default actions based on the direction of travel of packets.
  Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
  Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender.
  Select Permit to allow the passage of the packets.
Log: Select the check box next to a direction of packet travel to create a log when the above action is taken for packets that are traveling in that direction and do not match any of your customized rules.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

9.8 Firewall Rule Summary

Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules.

The ordering of your rules is very important as rules are applied in the order that they are listed.

See Section 9.1 on page 167 for more information about the firewall.
Figure 103   SECURITY > FIREWALL > Rule Summary

The following table describes the labels in this screen.

Table 43   SECURITY > FIREWALL > Rule Summary
LABEL: DESCRIPTION
Packet Direction: Use the drop-down list boxes and click Refresh to select a direction of travel of packets for which you want to display firewall rules.
+/-: In the heading row, click + to expand or - to collapse the Source Address, Destination Address and Service Type drop-down lists for all of the displayed rules.
Default Policy: This field displays the default action you selected in the Default Rule screen for the packet direction displayed.

The following fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above.

#: This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click + to expand or - to collapse the Source Address, Destination Address and Service Type drop-down lists.
Name: This is the name of the firewall rule.
Active: This field displays whether a firewall is turned on (Y) or not (N). Click the setting to change it.
Source Address: This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Destination Address: This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Service Type: This drop-down list box displays the services to which this firewall rule applies. Custom services have an * before the name. See Appendix D on page 385 for a list of common services.
Table 43   SECURITY > FIREWALL > Rule Summary (continued)
LABEL: DESCRIPTION
Action: This field displays whether the firewall silently discards packets (Drop), discards packets and sends a TCP reset packet or an ICMP destination-unreachable message to the sender (Reject) or allows the passage of packets (Permit).
Sch.: This field tells you whether a schedule is specified (Yes) or not (No).
Log: This field shows you whether a log is created when packets match this rule (Yes) or not (No).
Modify: Click the edit icon to go to the screen where you can edit the rule.
  Click the delete icon to delete an existing firewall rule. A window displays asking you to confirm that you want to delete the firewall rule. Note that subsequent firewall rules move up by one when you take this action.
  Click the insert icon to display the screen where you can configure a new firewall rule. The insert icon at the top of the row creates the new firewall rule before the others. The individual firewall rule insert icons create a new firewall rule after the row's firewall rule.
  Click the move icon, type an index number, and press Enter to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.

9.8.1 Firewall Edit Rule

In the Rule Summary screen, click the edit icon or the insert icon to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels.

See Section 9.1 on page 167 for more information about the firewall.
Figure 104   SECURITY > FIREWALL > Rule Summary > Edit
The following table describes the labels in this screen.

Table 44   SECURITY > FIREWALL > Rule Summary > Edit
LABEL: DESCRIPTION
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.

Edit Source/Destination Address
Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
Start IP Address: Enter the single IP address or the starting IP address in a range here.
End IP Address: Enter the ending IP address in a range here.
Subnet Mask: Enter the subnet mask here, if applicable.
Add: Click Add to add a new address to the Source or Destination Address(es) box. You can add multiple addresses, ranges of addresses, and/or subnets.
Modify: To edit an existing source or destination address, select it from the box and click Modify.
Delete: Highlight an existing source or destination address from the Source or Destination Address(es) box above and click Delete to remove it.

Edit Service
Available/Selected Services: Highlight a service from the Available Services box on the left, then click >> to add it to the Selected Service(s) box on the right. To remove a service, highlight it in the Selected Service(s) box on the right, then click <<.
  Next to the name of a service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type). For example, look at the DNS entry, (UDP/TCP:53) means UDP port 53 and TCP port 53. Click the Service link to go to the Service screen where you can configure custom service ports. See Appendix D on page 385 for a list of commonly used services and port numbers.
  You can use the [CTRL] key and select multiple services at once.

Edit Schedule
Day to Apply: Select everyday or the day(s) of the week to apply the rule.
Time of Day to Apply (24-Hour Format): Select All Day or enter the start and end times in the hour-minute format to apply the rule.

Actions When Matched
Log Packet Information When Matched: This field determines if a log for packets that match the rule is created (Yes) or not (No). Go to the Log Settings page and select the Access Control logs category to have the ZyXEL Device record these logs.
Send Alert Message to Administrator When Matched: Select the check box to have the ZyXEL Device generate an alert when the rule is matched.
Table 44   SECURITY > FIREWALL > Rule Summary > Edit (continued)
LABEL: DESCRIPTION
Action for Matched Packets: Use the drop-down list box to select what the firewall is to do with packets that match this rule.
  Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
  Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender.
  Select Permit to allow the passage of the packets.
  Note: You also need to configure NAT port forwarding (or full featured NAT address mapping rules) if you want to allow computers on the WAN to access devices on the LAN.
  Note: You may also need to configure the remote management settings if you want to allow a WAN computer to manage the ZyXEL Device or restrict management from the LAN.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

9.9 Anti-Probing

Click SECURITY > FIREWALL > Anti-Probing to open the following screen. Configure this screen to help keep the ZyXEL Device hidden from probing attempts. You can specify which of the ZyXEL Device's interfaces will respond to Ping requests and whether or not the ZyXEL Device is to respond to probing for unused ports.

Figure 105   SECURITY > FIREWALL > Anti-Probing
The following table describes the labels in this screen.

Table 45   SECURITY > FIREWALL > Anti-Probing
LABEL: DESCRIPTION
Respond to PING on: Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface's check box to have the ZyXEL Device not respond to any Ping requests that come into that interface.
Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device unseen. If this option is not selected, the ZyXEL Device will reply with an ICMP port unreachable packet for a port probe on its unused UDP ports and a TCP reset packet for a port probe on its unused TCP ports.
  Note that the probing packets must first traverse the ZyXEL Device's firewall rule checks before reaching this anti-probing mechanism. Therefore if a firewall rule stops a probing packet, the ZyXEL Device reacts based on the firewall rule to either send a TCP reset packet for a blocked TCP packet (or an ICMP port-unreachable packet for a blocked UDP packet) or just drop the packets without sending a response packet.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

9.10 Firewall Thresholds

For DoS attacks, the ZyXEL Device uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions.

For TCP, half-open means that the session has not reached the established state, that is, the TCP three-way handshake has not yet been completed. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.

Figure 106   Three-Way Handshake

For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DoS attack.
9.10.1 Threshold Values

If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyXEL Device has been receiving DoS attacks that are not recorded in the logs or the logs show that the ZyXEL Device is classifying normal traffic as DoS attacks. Factors influencing choices for threshold values are:

1. The maximum number of opened sessions.
2. The minimum capacity of server backlog in your LAN network.
3. The CPU power of servers in your LAN network.
4. Network bandwidth.
5. Type of traffic for certain servers.

Reduce the threshold values if your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy).

If you often use P2P applications such as file sharing with eMule or eDonkey, it's recommended that you increase the threshold values since lots of sessions will be established during a small period of time and the ZyXEL Device may classify them as DoS attacks.

9.11 Threshold Screen

Click SECURITY > FIREWALL > Threshold to bring up the next screen. The global values specified for the threshold and timeout apply to all TCP connections.

Figure 107   SECURITY > FIREWALL > Threshold
The following table describes the labels in this screen.

Table 46   SECURITY > FIREWALL > Threshold
LABEL: DESCRIPTION
Disable DoS Attack Protection on: Select the check boxes of any interfaces for which you want the ZyXEL Device to not use the Denial of Service protection thresholds. This disables DoS protection on the selected interface.
  You may want to disable DoS protection for an interface if the ZyXEL Device is treating valid traffic as DoS attacks. Another option would be to raise the thresholds.

Denial of Service Thresholds
The ZyXEL Device measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

One Minute Low: This is the rate of new half-open sessions per minute that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number.
One Minute High: This is the rate of new half-open sessions per minute that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection attempts.
  For example, if you set the one minute high to 100, the ZyXEL Device starts deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute. It stops deleting half-open sessions when the number of session establishment attempts detected in a minute goes below the number set as the one minute low.
Maximum Incomplete Low: This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.
Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number.
  For example, if you set the maximum incomplete high to 100, the ZyXEL Device starts deleting half-open sessions when the number of existing half-open sessions rises above 100. It stops deleting half-open sessions when the number of existing half-open sessions drops below the number set as the maximum incomplete low.
TCP Maximum Incomplete: An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host.
  Specify the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth. The ZyXEL Device sends alerts whenever the TCP Maximum Incomplete is exceeded.
Action taken when TCP Maximum Incomplete reached threshold: Select the action that ZyXEL Device should take when the TCP maximum incomplete threshold is reached. You can have the ZyXEL Device either:
  Delete the oldest half open session when a new connection request comes.
  or
  Deny new connection requests for the number of minutes that you specify (between 1 and 256).
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.
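The low/high pairs in Table 46 form a hysteresis band: deletion starts above the high value and continues until the measurement falls below the low value. The model below is an added example, not the device's implementation; the threshold numbers and per-minute samples are constructed, and treating "reached" as greater-than-or-equal for TCP Maximum Incomplete is an assumption.

```python
"""Model of the half-open session thresholds described in Table 46."""
from dataclasses import dataclass


@dataclass
class Band:
    """A low/high pair: deletion starts above `high` and stops below `low`."""
    low: int
    high: int
    deleting: bool = False

    def update(self, value):
        if value > self.high:
            self.deleting = True
        elif value < self.low:
            self.deleting = False
        # Between low and high the previous state is kept (hysteresis).
        return self.deleting


@dataclass
class ThresholdModel:
    one_minute: Band            # rate of new half-open sessions per minute
    max_incomplete: Band        # number of existing half-open sessions
    tcp_max_incomplete: int     # per destination host, TCP only

    def validate(self):
        """Check the two constraints the table states for these fields."""
        problems = []
        if self.max_incomplete.high < self.max_incomplete.low:
            problems.append("Maximum Incomplete High is lower than Maximum Incomplete Low")
        if not 1 <= self.tcp_max_incomplete <= 256:
            problems.append("TCP Maximum Incomplete must be between 1 and 256")
        return problems

    def minute(self, new_half_open, existing_half_open, per_destination_tcp):
        """Apply one per-minute measurement and report what the model does."""
        return {
            "delete_for_rate": self.one_minute.update(new_half_open),
            "delete_for_total": self.max_incomplete.update(existing_half_open),
            # Assumption: the per-host limit triggers once the count reaches it.
            "hosts_over_limit": sorted(
                host for host, count in per_destination_tcp.items()
                if count >= self.tcp_max_incomplete),
        }


# Constructed measurements: (new per minute, existing, {destination: TCP half-open}).
SAMPLES = [
    (40, 30, {"10.0.0.10": 3}),
    (120, 90, {"10.0.0.10": 12}),   # rate rises above the one minute high
    (90, 105, {"10.0.0.10": 10}),   # rate sits inside the band, total above high
    (70, 85, {"10.0.0.10": 4}),     # rate below low, total inside the band
    (50, 60, {}),                   # both below low
]


def simulate(samples=SAMPLES):
    """Run the samples through a fresh model with constructed thresholds."""
    model = ThresholdModel(Band(80, 100), Band(80, 100), tcp_max_incomplete=10)
    assert model.validate() == []
    return [model.minute(*sample) for sample in samples]


if __name__ == "__main__":
    for number, state in enumerate(simulate(), start=1):
        print(f"minute {number}: {state}")
```

The third and fourth minutes show why a wide gap between low and high keeps the device deleting sessions after a burst has subsided, which is the behaviour to look for when the logs show normal traffic classified as DoS.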
9.12 Service

Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyXEL Device.

See Section 9.1 on page 167 for more information about the firewall.

Figure 108   SECURITY > FIREWALL > Service
The following table describes the labels in this screen.

Table 47   SECURITY > FIREWALL > Service
LABEL: DESCRIPTION
Custom Service: This table shows all configured custom services.
#: This is the index number of the custom service.
Service Name: This is the name of the service.
Protocol: This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered.
Attribute: This is the IP port number or ICMP type and code that defines the service.
Modify: Click the edit icon to go to the screen where you can edit the service.
  Click the delete icon to remove an existing service. A window displays asking you to confirm that you want to delete the service. Note that subsequent services move up by one when you take this action.
Add: Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services.
Predefined Service: This table shows all the services that are already configured for use in firewall rules. See Appendix D on page 385 for a list of common services.
#: This is the index number of the predefined service.
Service Name: This is the name of the service.
Protocol: This is the IP protocol type. There may be more than one IP protocol type.
Attribute: This is the IP port number or ICMP type and code that defines the service.

9.12.1 Firewall Edit Custom Service

Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyXEL Device. See Appendix D on page 385 for a list of commonly used services and port numbers.

See Section 9.1 on page 167 for more information about the firewall.

Figure 109   Firewall Edit Custom Service
The following table describes the labels in this screen.

Table 48   SECURITY > FIREWALL > Service > Add
LABEL: DESCRIPTION
Service Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the custom service. You cannot use the "(" character. Spaces are allowed.
IP Protocol: Choose the IP protocol (TCP, UDP, TCP/UDP, ICMP or Custom) that defines your customized service from the drop-down list box.
  If you select Custom, specify the protocol's number. For example, ICMP is 1, TCP is 6, UDP is 17 and so on.
Port Range: Enter the port number (from 1 to 255) that defines the customized service.
  To specify one port only, enter the port number in the From field and enter it again in the To field.
  To specify a span of ports, enter the first port in the From field and enter the last port in the To field.
Type/Code: This field is available only when you select ICMP in the IP Protocol field.
  The ICMP messages are identified by their types and in some cases codes. Enter the type number in the Type field and select the Code radio button and enter the code number if any.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

9.13 My Service Firewall Rule Example

The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.

1. In the Service screen, click Add to open the Edit Custom Service screen.

Figure 110   My Service Firewall Rule Example: Service

2. Configure it as follows and click Apply.
Figure 111   My Service Firewall Rule Example: Edit Custom Service

3. Click Rule Summary. Select WAN1 and LAN from the Packet Direction drop-down list boxes and click Refresh to display existing firewall rules for the selected direction of travel of packets.
4. Click the insert icon at the top of the row to create the new firewall rule before the others.

Figure 112   My Service Firewall Rule Example: Rule Summary

5. The Edit Rule screen displays. Enter the name of the firewall rule.
6. Select Any in the Destination Address(es) box and then click Delete.
7. Configure the destination address fields as follows and click Add.
Figure 113   My Service Firewall Rule Example: Rule Edit: Source and Destination Addresses

8. In the Edit Service section, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done.

Custom services show up with an * before their names in the Services list boxes and the Rule Summary screen's Service Type list box.
Figure 114   My Service Firewall Rule Example: Edit Rule: Service Configuration

Rule 1 allows a My Service connection from WAN 1 to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
Figure 115   My Service Firewall Rule Example: Rule Summary: Completed
CHAPTER 10 Authentication Server

This chapter discusses how to configure the ZyXEL Device's authentication server feature.

10.1 Authentication Server Overview

A ZyXEL Device can use either the local user database internal to the ZyXEL Device or an external RADIUS server to authenticate wireless clients. See Appendix E on page 389 for more information about RADIUS.

10.2 Local User Database

Click SECURITY > AUTH SERVER to open the Local User Database screen. The local user database is a list of user profiles stored on the ZyXEL Device. The ZyXEL Device can use this list of user profiles to authenticate users. Use this screen to change your ZyXEL Device's list of user profiles.
Figure 116   SECURITY > AUTH SERVER > Local User Database
 Chapter 10Authentication ServerNBG410W3G Series User s Guide 193The following table describes the labels in this screen.   10.3  RADIUS   Click SECURITY > AUTH SERVER > RADIUS to open the RADIUS screen. Configure this screen to use an external RADIUS server to authenticate users. Figure 117   SECURITY > AUTH SERVER > RADIUSThe following table describes the labels in this screen.  Table 49   SECURITY > AUTH SERVER > Local User DatabaseLABEL DESCRIPTIONActive Select this check box to enable the user profile.User NameEnter the user name of the user profile.PasswordEnter a password up to 31 characters long for this user profile. ApplyClick Apply to save your changes.ResetClick Reset to begin configuring this screen afresh.Table 50   SECURITY > AUTH SERVER > RADIUSLABEL DESCRIPTIONAuthentication ServerActiveSelect the check box to enable user authentication through an external authentication server.Clear the check box to enable user authentication using the local user profile on the ZyXEL Device. Server IP AddressEnter the IP address of the external authentication server in dotted decimal notation. Port NumberThe default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Chapter 10Authentication ServerNBG410W3G Series User s Guide194KeyEnter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyXEL Device. The key is not sent over the network. This key must be the same on the external authentication server and ZyXEL Device. Accounting ServerActiveSelect the check box to enable user accounting through an external authentication server. Server IP AddressEnter the IP address of the external accounting server in dotted decimal notation. Port NumberThe default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information. KeyEnter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyXEL Device. The key is not sent over the network. This key must be the same on the external accounting server and ZyXEL Device.ApplyClick Apply to save your changes.ResetClick Reset to begin configuring this screen afresh.Table 50   SECURITY > AUTH SERVER > RADIUSLABEL DESCRIPTION
CHAPTER 11 Certificates

This chapter gives background information about public-key certificates and explains how to use them.

11.1  Certificates Overview

The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the ZyXEL Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows.

1. Tim wants to send a private message to Jenny. Tim generates a public-private key pair. What is encrypted with one key can only be decrypted using the other.
2. Tim keeps the private key and makes the public key openly available.
3. Tim uses his private key to encrypt the message and sends it to Jenny.
4. Jenny receives the message and uses Tim's public key to decrypt it.
5. Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny's public key to decrypt the message.

The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection. The method used to secure the data that you send through an established connection depends on the type of connection.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).

11.1.1  Advantages of Certificates

Certificates offer the following benefits.

- The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
- Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

11.2  Self-signed Certificates

You can have the ZyXEL Device act as a certification authority and sign its own certificates.

11.3  Verifying a Certificate

Before you import a trusted CA or trusted remote host certificate into the ZyXEL Device, you should verify that you have the actual certificate. This is especially true of trusted CA certificates since the ZyXEL Device also trusts any valid certificate signed by any of the imported trusted CA certificates.

11.3.1  Checking the Fingerprint of a Certificate on Your Computer

A certificate's fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.

1. Browse to where you have the certificate saved on your computer.
2. Make sure that the certificate has a ".cer" or ".crt" file name extension.

Figure 118   Certificates on Your Computer

3. Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Figure 119   Certificate Details

4. Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.

11.4  Configuration Summary

This section summarizes how to manage certificates on the ZyXEL Device.

Figure 120   Certificate Configuration Overview

- Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyXEL Device's CA-signed certificates.
- Use the Trusted CA screens to save the certificates of trusted CAs to the ZyXEL Device. You can also export the certificates to a computer.
- Use the Trusted Remote Hosts screens to import self-signed certificates from trusted remote hosts.
- Use the Directory Servers screen to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates).
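The fingerprint check in section 11.3.1 can also be done without the Certificate window. The following added example (not part of this manual or of ZyXEL software) computes the thumbprint of a ".cer" or ".crt" file, in either Base64 (PEM) or binary (DER) form, and compares it with the value the certificate owner gave you over the secure channel. The function names and the sample bytes are assumptions, and SHA-256 is accepted in addition to the MD5 and SHA1 algorithms the manual names.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for certificate bytes (not a real certificate).
SAMPLE_DER = b"\x30\x82\x00\x20" + b"constructed certificate body"

def load_der(data: bytes) -> bytes:
    """Return the DER bytes of a .cer/.crt file that may be PEM (Base64) or binary DER."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def fingerprint(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of the whole DER encoding, as shown in the Thumbprint field."""
    if algorithm not in ("md5", "sha1", "sha256"):
        raise ValueError("unsupported thumbprint algorithm")
    return hashlib.new(algorithm, load_der(data)).hexdigest()

def normalize(thumbprint: str) -> str:
    """Make 'AB:CD', 'ab cd' and 'abcd' compare equal; also drops the invisible
    left-to-right mark that can come along when a thumbprint is copied from a dialog."""
    cleaned = re.sub(r"[\s:\u200e]", "", thumbprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("thumbprint contains non-hex characters")
    return cleaned

def matches(data: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """True only if the file's fingerprint equals the full value the owner supplied."""
    want = normalize(expected)
    got = fingerprint(data, algorithm)
    return len(want) == len(got) and hmac.compare_digest(got, want)
```

Compare the complete thumbprint using the algorithm named in the Thumbprint Algorithm field; a value of the wrong length, such as a truncated thumbprint, never matches.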
11.5  My Certificates

Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyXEL Device's summary list of certificates and certification requests. Certificates display in black and certification requests display in gray.

Figure 121   SECURITY > CERTIFICATES > My Certificates

The following table describes the labels in this screen.

Table 51   SECURITY > CERTIFICATES > My Certificates

| LABEL | DESCRIPTION |
|---|---|
| PKI Storage Space in Use | This bar displays the percentage of the ZyXEL Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. |
| Replace | This button displays when the ZyXEL Device has the factory default certificate. The factory default certificate is common to all ZyXEL Devices that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyXEL Device's MAC address. |
| # | This field displays the certificate index number. The certificates are listed in alphabetical order. |
| Name | This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. |
| Type | This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. *SELF represents the default self-signed certificate, which the ZyXEL Device uses to sign imported trusted remote host certificates. CERT represents a certificate issued by a certification authority. |
| Subject | This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. |
| Issuer | This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field. |
| Valid From | This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable. |
| Valid To | This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired. |
| Modify | Click the details icon to open a screen with an in-depth list of information about the certificate (or certification request). Click the export icon to save the certificate to a computer. For a certification request, click the export icon and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. Click the delete icon to remove the certificate (or certification request). A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features is configured to use. Do the following to delete a certificate that shows *SELF in the Type field. 1. Make sure that no other features, such as HTTPS, SSH are configured to use the *SELF certificate. 2. Click the details icon next to another self-signed certificate (see the description on the Create button if you need to create a self-signed certificate). 3. Select the Default self-signed certificate which signs the imported remote host certificates check box. 4. Click Apply to save the changes and return to the My Certificates screen. 5. The certificate that originally showed *SELF displays SELF and you can delete it now. Note that subsequent certificates move up by one when you take this action. The poll now icon displays when the ZyXEL Device generates a certification request successfully but the CA does not issue a certificate and sends a pending notification to the ZyXEL Device. If the icon displays, you can manually click the icon to have the ZyXEL Device query the CA (or RA (Registration Authority)) server for a certificate immediately. Otherwise, the ZyXEL Device checks with the server and updates the status periodically. The poll now icon disappears after the ZyWALL gets a certificate or the request has failed permanently due to being rejected by the CA server. |
| Import | Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the ZyXEL Device. |
| Create | Click Create to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request. |
| Refresh | Click Refresh to display the current validity status of the certificates. |
11.6  My Certificate Details

Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen (see Figure 121 on page 198). Click the details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate's name. If it is a self-signed certificate, you can also set the ZyXEL Device to use the certificate to sign the imported trusted remote host certificates.

Figure 122   SECURITY > CERTIFICATES > My Certificates > Details

The following table describes the labels in this screen.

Table 52   SECURITY > CERTIFICATES > My Certificates > Details

| LABEL | DESCRIPTION |
|---|---|
| Name | This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces). |
| Certificate Information | These read-only fields display detailed information about the certificate. |
| Type | This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). "X.509" means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates. |
| Version | This field displays the X.509 version number. |
