ZyXEL Communications NBG410W3G 3G Wireless Router User Manual NBG41xW3G UG V4 03 Ed1 2008 08 15 DRAFT

ZyXEL Communications Corporation 3G Wireless Router NBG41xW3G UG V4 03 Ed1 2008 08 15 DRAFT

Contents

User manual 2 rev2

 Chapter 11CertificatesNBG410W3G Series User s Guide 201Serial NumberThis field displays the certificate s identification number given by the certification authority or generated by the ZyXEL Device.SubjectThis field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).IssuerThis field displays identifying information about the certificate s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field.Signature AlgorithmThis field displays the type of algorithm that was used to sign the certificate. The ZyXEL Device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).Valid FromThis field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.Valid ToThis field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.Key AlgorithmThis field displays the type of algorithm that was used to generate the certificate s key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).Subject Alternative NameThis field displays the certificate owner%s IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key UsageThis field displays for what functions the certificate s key can be used. For example, "DigitalSignature# means that the key can be used to sign certificates and "KeyEncipherment# means that the key can be used to encrypt text.Basic ConstraintThis field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority s certificate and   "Path Length Constraint=1# means that there can only be one certification authority in the certificate s path.MD5 FingerprintThis is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm. SHA1 FingerprintThis is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm. Certificate in PEM (Base-64) Encoded FormatThis read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority s web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment.You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).ApplyClick Apply to save your changes back to the ZyXEL Device. You can only change the name, except in the case of a self-signed certificate, which you can also set to be the default self-signed certificate that signs the imported trusted remote host certificates.CancelClick Cancel to quit and return to the My Certificates screen.Table 52   SECURITY > CERTIFICATES > My Certificates > Details (continued)LABEL DESCRIPTION
Chapter 11CertificatesNBG410W3G Series User s Guide20211.7  My Certificate Export  Click SECURITY > CERTIFICATES > My Certificates and then a certificate!s export icon to open the My Certificate Export screen. Follow the instructions in this screen to choose the file format to use for saving the certificate from the ZyXEL Device to a computer. 11.7.1  Certificate File Export FormatsYou can export a certificate in one of these file formats: Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file!s password is not connected to your certificate!s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyXEL Device. Figure 123   SECURITY > CERTIFICATES > My Certificates > ExportThe following table describes the labels in this screen. Table 53   SECURITY > CERTIFICATES > My Certificates > ExportLABEL DESCRIPTIONExport the certificate in binary X.509 format.  Binary X.509 is an ITU-T recommendation that defines the formats for X.509 certificates.Export the certificate along with the corresponding private key in PKCS#12 format. PKCS#12 is a format for transferring public key and private key certificates. You can also password-encrypt the private key in the PKCS #12 file. The file s password is not connected to your certificate s public or private passwords. PasswordType the file s password to use for encrypting the private key. The password is optional, although you must specify one if you want to be able to import the PKCS#12 format certificate into Netscape version 7.2.Retype to confirmType the password to make sure that you have entered it correctly.ApplyClick Apply and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.CancelClick Cancel to quit and return to the My Certificates screen.
 Chapter 11CertificatesNBG410W3G Series User s Guide 20311.8  My Certificate Import  Click SECURITY > CERTIFICATES > My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate from a computer to the ZyXEL Device. You can only import a certificate that matches a corresponding certification request that was generated by the ZyXEL Device (the certification request contains the private key). The certificate you import replaces the corresponding request in the My Certificates screen. One exception is that you can import a PKCS#12 format certificate without a corresponding certification request since the certificate includes the private key.You must remove any spaces from the certificate s filename before you can import it.11.8.1  Certificate File FormatsThe certification authority certificate that you want to import has to be in one of these file formats: Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form. Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The ZyXEL Device currently allows the importation of a PKS#7 file that contains a single certificate. PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form. Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file!s password is not connected to your certificate!s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyXEL Device. Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
Chapter 11CertificatesNBG410W3G Series User s Guide204Figure 124   SECURITY > CERTIFICATES > My Certificates > ImportThe following table describes the labels in this screen. When you import a binary PKCS#12 format certificate, another screen displays for you to enter the password.Figure 125   SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12The following table describes the labels in this screen. Table 54   SECURITY > CERTIFICATES > My Certificates > ImportLABEL DESCRIPTIONFile Path Type in the location of the file you want to upload in this field or click Browse to find it.Browse Click Browse to find the certificate file you want to upload. ApplyClick Apply to save the certificate on the ZyXEL Device.CancelClick Cancel to quit and return to the My Certificates screen.Table 55   SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12LABEL DESCRIPTIONPasswordType the file s password that was created when the PKCS #12 file was exported. ApplyClick Apply to save the certificate on the ZyXEL Device.CancelClick Cancel to quit and return to the My Certificates screen.
 Chapter 11CertificatesNBG410W3G Series User s Guide 20511.9  My Certificate Create  Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyXEL Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.Figure 126   SECURITY > CERTIFICATES > My Certificates > Create (Basic)
Chapter 11CertificatesNBG410W3G Series User s Guide206Figure 127   SECURITY > CERTIFICATES > My Certificates > Create (Advanced)The following table describes the labels in this screen. Table 56   SECURITY > CERTIFICATES > My Certificates > CreateLABEL DESCRIPTIONCertificate NameType up to 31 ASCII characters (not including spaces) to identify this certificate. Subject InformationUse these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, but the Common Name is mandatory if you click << Basic. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.The fields below display when you click << Basic.
 Chapter 11CertificatesNBG410W3G Series User s Guide 207Common Name Select a radio button to identify the certificate s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters. The domain name or e-mail address is for identification purposes only and can be any string.Organizational UnitType up to 63 characters to identify the organizational unit or department to which the certificate owner belongs. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces.OrganizationType up to 63 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces.CountryType up to 63 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces.The fields below display when you click Advanced >>.Subject NameYou must configure at least one of these fields.Select an item from the drop-down list box and enter the corresponding information in the field to the right.SN (serial number) - select this and enter the certificate s identification number, such as the ZyXEL Device s MAC address. You can use up to 63 characters.CN (common name) - select this and enter a name to identify the owner of the certificate. You can use up to 63 characters.OU (organizational unit) - select this and enter a unit within the organization to identify the owner of the certificate. You can use up to 63 characters.O (organization) - select this and enter an organization to identify the owner of the certificate. You can use up to 63 characters.DC (domain component) - select this and enter the domain component of a domain to identify the owner of the certificate. For example, if the domain is zyxel.com, the domain component is "zyxel# or "com#. You can use up to 63 characters.L (locality name) - select this and enter the place where the owner of the certificate resides, such as a city or county. You can use up to 63 characters.ST (state or province name) - select this and enter the state or province in which the owner of the certificate resides. You can use up to 63 characters.C (country) - select this and enter the name of the country at which the owner of the certificate resides. You can use up to 63 characters.unstructuredName (PKCS 9 unname) - select this and enter the name of the owner of the certificate as an unstructured ASCII string. You can use up to 63 characters. Check with the certificate s issuing certification authority for their interpretation in this field if you select to apply to a certification authority for a certificate.unstructuredAddress (PKCS 9 unaddr) - select this and enter the address of the owner of the certificate as an unstructured ASCII string. You can use up to 63 characters. Check with the certificate s issuing certification authority for their interpretation in this field if you select to apply to a certification authority for a certificate.MAILTO (PKCS 9 email address) - select this and enter the email address of the owner of the certificate. You can use up to 63 characters. Check with the certificate s issuing certification authority for their interpretation in this field if you select to apply to a certification authority for a certificate.Table 56   SECURITY > CERTIFICATES > My Certificates > Create (continued)LABEL DESCRIPTION
Chapter 11CertificatesNBG410W3G Series User s Guide208Subject Alternative NameSelect a radio button to identify the certificate s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters. The domain name or e-mail address is for identification purposes only and can be any string.Key LengthSelect a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.<< Basic/Advanced >>Click << Basic to configure basic subject information. Click Advanced >> to configure more subject information for a certificate.Enrollment OptionsThese radio buttons deal with how and when the certificate is to be generated.Create a self-signed certificateSelect Create a self-signed certificate to have the ZyXEL Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.Create a certification request and save it locally for later manual enrollmentSelect Create a certification request and save it locally for later manual enrollment to have the ZyXEL Device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.Copy the certification request from the My Certificate Details screen (see Section 11.6 on page 200) and then send it to the certification authority.Create a certification request and enroll for a certificate immediately onlineSelect Create a certification request and enroll for a certificate immediately online to have the ZyXEL Device generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority s certificate already imported in the Trusted CAs screen.When you select this option, you must select the certification authority s enrollment protocol and the certification authority s certificate from the drop-down list boxes and enter the certification authority s server address. You also need to fill in the Reference Number and Key if the certification authority requires them. Enrollment ProtocolSelect the certification authority s enrollment protocol from the drop-down list box.Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco.Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.CA Server Address Enter the IP address (or URL) of the certification authority server.CA CertificateSelect the certification authority s certificate from the CA Certificate drop-down list box.You must have the certification authority s certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyXEL Device's list of certificates of trusted certification authorities.Enrollment via an RA If you select Create a certification request and enroll for a certificate immediately online, you can select this option to apply for a certificate through a RA (Registration Authority). The RA is an intermediary authorized by a CA to verify each subscriber s identity and forward the requests to the CA. After the CA signs and issues the certificates, the RA distributes the certificates to the subscribers.Table 56   SECURITY > CERTIFICATES > My Certificates > Create (continued)LABEL DESCRIPTION
 Chapter 11CertificatesNBG410W3G Series User s Guide 209After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyXEL Device is generating the self-signed certificate or certification request. After the ZyXEL Device successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen.If you configured the My Certificate Create screen to have the ZyXEL Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyXEL Device to enroll a certificate online.11.10  Trusted CAs   Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyXEL Device to accept as trusted. The ZyXEL Device accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities. RA Signing CertificateIf you select Enrollment via an RA, select the CA s RA signing certificate from the drop-down list box. You must have the certificate already imported in the Trusted CAs screen.Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyXEL Device's list of certificates of trusted certification authorities.RA Encryption CertificateIf you select Enrollment via an RA, select the CA s RA encryption certificate from the drop-down list box. You must have the certificate already imported in the Trusted CAs screen.Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyXEL Device's list of certificates of trusted certification authorities.Request AuthenticationWhen you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses CMP enrollment protocol. Just fill in the Key field if your certification authority uses the SCEP enrollment protocol. Reference NumberEnter the reference number that the certification authority gave you. You can use up to 31 ASCII printable characters. Spaces are allowed.KeyType the key that the certification authority gave you. You can use up to 31 ASCII printable characters. Spaces are allowed.ApplyClick Apply to begin certificate or certification request generation.CancelClick Cancel to quit and return to the My Certificates screen.Table 56   SECURITY > CERTIFICATES > My Certificates > Create (continued)LABEL DESCRIPTION
Chapter 11CertificatesNBG410W3G Series User s Guide210Figure 128   SECURITY > CERTIFICATES > Trusted CAsThe following table describes the labels in this screen. Table 57   SECURITY > CERTIFICATES > Trusted CAsLABEL DESCRIPTIONPKI Storage Space in UseThis bar displays the percentage of the ZyXEL Device s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.#This field displays the certificate index number. The certificates are listed in alphabetical order. NameThis field displays the name used to identify this certificate. SubjectThis field displays identifying information about the certificate s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.IssuerThis field displays identifying information about the certificate s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.Valid FromThis field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.Valid ToThis field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.CRL IssuerThis field displays Yes if the certification authority issues CRL (Certificate Revocation Lists) for the certificates that it has issued and you have selected the Check incoming certificates issued by this CA against a CRL check box in the certificate s details screen to have the ZyXEL Device check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays No.
 Chapter 11CertificatesNBG410W3G Series User s Guide 21111.11  Trusted CA Details  Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority!s certificate, change the certificate!s name and set whether or not you want the ZyXEL Device to check a certification authority!s list of revoked certificates before trusting a certificate issued by the certification authority.ModifyClick the details icon to open a screen with an in-depth list of information about the certificate.Use the export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificates. Note that subsequent certificates move up by one when you take this action.ImportClick Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the ZyXEL Device.RefreshClick this button to display the current validity status of the certificates.Table 57   SECURITY > CERTIFICATES > Trusted CAs (continued)LABEL DESCRIPTION
Chapter 11CertificatesNBG410W3G Series User s Guide212Figure 129   SECURITY > CERTIFICATES > Trusted CAs > DetailsThe following table describes the labels in this screen.  Table 58   SECURITY > CERTIFICATES > Trusted CAs > DetailsLABEL DESCRIPTIONNameThis field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).Property Check incoming certificates issued by this CA against a CRLSelect this check box to have the ZyXEL Device check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL).Clear this check box to have the ZyXEL Device not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL).
 Chapter 11CertificatesNBG410W3G Series User s Guide 213Certification PathClick the Refresh button to have this read-only text box display the end entity s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity s certificate. If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the end entity s own certificate). The ZyXEL Device does not trust the end entity s certificate and displays "Not trusted# in this field if any certificate on the path has expired or been revoked.RefreshClick Refresh to display the certification path.Certificate InformationThese read-only fields display detailed information about the certificate. TypeThis field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate s owner signed the certificate (not a certification authority).  X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.VersionThis field displays the X.509 version number. Serial NumberThis field displays the certificate s identification number given by the certification authority.SubjectThis field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).IssuerThis field displays identifying information about the certificate s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.Signature AlgorithmThis field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).Valid FromThis field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.Valid ToThis field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.Key AlgorithmThis field displays the type of algorithm that was used to generate the certificate s key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).Subject Alternative NameThis field displays the certificate s owner%s IP address (IP), domain name (DNS) or e-mail address (EMAIL).Key UsageThis field displays for what functions the certificate s key can be used. For example, "DigitalSignature# means that the key can be used to sign certificates and "KeyEncipherment# means that the key can be used to encrypt text.Basic ConstraintThis field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority s certificate and   "Path Length Constraint=1# means that there can only be one certification authority in the certificate s path.Table 58   SECURITY > CERTIFICATES > Trusted CAs > Details (continued)LABEL DESCRIPTION
Chapter 11CertificatesNBG410W3G Series User s Guide21411.12  Trusted CA Import   Click SECURITY > CERTIFICATES > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority!s certificate from a computer to the ZyXEL Device. The ZyXEL Device trusts any valid certificate signed by any of the imported trusted CA certificates.You must remove any spaces from the certificate s filename before you can import the certificate.CRL Distribution PointsThis field displays how many directory servers with Lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.MD5 FingerprintThis is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. SHA1 FingerprintThis is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.Certificate in PEM (Base-64) Encoded FormatThis read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).ApplyClick Apply to save your changes back to the ZyXEL Device. You can only change the name and/or set whether or not you want the ZyXEL Device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.CancelClick Cancel to quit and return to the Trusted CAs screen.Table 58   SECURITY > CERTIFICATES > Trusted CAs > Details (continued)LABEL DESCRIPTION
 Chapter 11CertificatesNBG410W3G Series User s Guide 215Figure 130   SECURITY > CERTIFICATES > Trusted CAs > ImportThe following table describes the labels in this screen.11.13  Trusted Remote Hosts   Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. This screen displays a list of the certificates of peers that you trust but which are not signed by one of the certification authorities on the Trusted CAs screen.You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen since the ZyXEL Device automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy.Table 59   SECURITY > CERTIFICATES > Trusted CAs ImportLABEL DESCRIPTIONFile Path Type in the location of the file you want to upload in this field or click Browse to find it.Browse Click Browse to find the certificate file you want to upload. ApplyClick Apply to save the certificate on the ZyXEL Device.CancelClick Cancel to quit and return to the Trusted CAs screen.
Chapter 11CertificatesNBG410W3G Series User s Guide216Figure 131   SECURITY > CERTIFICATES > Trusted Remote HostsThe following table describes the labels in this screen.  Table 60   SECURITY > CERTIFICATES > Trusted Remote HostsLABEL DESCRIPTIONPKI Storage Space in UseThis bar displays the percentage of the ZyXEL Device s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.Issuer (My Default Self-signed Certificate)This field displays identifying information about the default self-signed certificate on the ZyXEL Device that the ZyXEL Device uses to sign the trusted remote host certificates.#This field displays the certificate index number. The certificates are listed in alphabetical order. NameThis field displays the name used to identify this certificate. SubjectThis field displays identifying information about the certificate s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.Valid FromThis field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.Valid ToThis field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.ModifyClick the details icon to open a screen with an in-depth list of information about the certificate.Use the export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.ImportClick Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyXEL Device.RefreshClick this button to display the current validity status of the certificates.
 Chapter 11CertificatesNBG410W3G Series User s Guide 21711.14  Trusted Remote Hosts Import   Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but the certificates were not signed by one of the certification authorities on the Trusted CAs screen. Follow the instructions in this screen to save a peer!s certificates from a computer to the ZyXEL Device.You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen since the ZyXEL Device automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy.The trusted remote host certificate must be a self-signed certificate; and you must remove any spaces from its filename before you can import it.Figure 132   SECURITY > CERTIFICATES > Trusted Remote Hosts > ImportThe following table describes the labels in this screen. Table 61   SECURITY > CERTIFICATES > Trusted Remote Hosts > ImportLABEL DESCRIPTIONFile Path Type in the location of the file you want to upload in this field or click Browse to find it.Browse Click Browse to find the certificate file you want to upload. ApplyClick Apply to save the certificate on the ZyXEL Device.CancelClick Cancel to quit and return to the Trusted Remote Hosts screen.
Chapter 11CertificatesNBG410W3G Series User s Guide21811.15  Trusted Remote Host Certificate Details   Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host!s certificate and/or change the certificate!s name.Figure 133   SECURITY > CERTIFICATES > Trusted Remote Hosts > Details
 Chapter 11CertificatesNBG410W3G Series User s Guide 219The following table describes the labels in this screen. Table 62   SECURITY > CERTIFICATES > Trusted Remote Hosts > DetailsLABEL DESCRIPTIONNameThis field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).Certification PathClick the Refresh button to have this read-only text box display the end entity s own certificate and a list of certification authority certificates in the hierarchy of certification authorities that validate a certificate s issuing certification authority. For a trusted host, the list consists of the end entity s own certificate and the default self-signed certificate that the ZyXEL Device uses to sign remote host certificates. RefreshClick Refresh to display the certification path.Certificate InformationThese read-only fields display detailed information about the certificate. TypeThis field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyXEL Device is the Certification Authority that signed the certificate. X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.VersionThis field displays the X.509 version number. Serial NumberThis field displays the certificate s identification number given by the device that created the certificate.SubjectThis field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). IssuerThis field displays identifying information about the default self-signed certificate on the ZyXEL Device that the ZyXEL Device uses to sign the trusted remote host certificates.Signature AlgorithmThis field displays the type of algorithm that the ZyXEL Device used to sign the certificate, which is rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Valid FromThis field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.Valid ToThis field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.Key AlgorithmThis field displays the type of algorithm that was used to generate the certificate s key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).Subject Alternative NameThis field displays the certificate s owner%s IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key UsageThis field displays for what functions the certificate s key can be used. For example, "DigitalSignature# means that the key can be used to sign certificates and "KeyEncipherment# means that the key can be used to encrypt text.Basic ConstraintThis field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority s certificate and   "Path Length Constraint=1# means that there can only be one certification authority in the certificate s path.
Chapter 11CertificatesNBG410W3G Series User s Guide22011.16  Directory Servers  Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyXEL Device. If you decide to have the ZyXEL Device check incoming certificates against the issuing certification authority!s list of revoked certificates, the ZyXEL Device first checks the server(s) listed in the CRL Distribution Points field of the incoming certificate. If the certificate does not list a server or the listed server is not available, the ZyXEL Device checks the servers listed here.Figure 134   SECURITY > CERTIFICATES > Directory ServersMD5 FingerprintThis is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm. The ZyXEL Device uses one of its own self-signed certificates to sign the imported trusted remote host certificates. This changes the fingerprint value displayed here (so it does not match the original). See Section 11.3 on page 196 for how to verify a remote host s certificate before you import it into the ZyXEL Device. SHA1 FingerprintThis is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm. The ZyXEL Device uses one of its own self-signed certificates to sign the imported trusted remote host certificates. This changes the fingerprint value displayed here (so it does not match the original). See Section 11.3 on page 196 for how to verify a remote host s certificate before you import it into the ZyXEL Device. Certificate in PEM (Base-64) Encoded FormatThis read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).ApplyClick Apply to save your changes back to the ZyXEL Device. You can only change the name of the certificate.CancelClick Cancel to quit configuring this screen and return to the Trusted Remote Hosts screen.Table 62   SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued)LABEL DESCRIPTION
 Chapter 11CertificatesNBG410W3G Series User s Guide 221The following table describes the labels in this screen.  11.17  Directory Server Add or Edit   Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen. Use this screen to configure information about a directory server that the ZyXEL Device can access.Figure 135   SECURITY > CERTIFICATES > Directory Server > AddThe following table describes the labels in this screen. Table 63   SECURITY > CERTIFICATES > Directory ServersLABEL DESCRIPTIONPKI Storage Space in UseThis bar displays the percentage of the ZyXEL Device s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.#The index number of the directory server. The servers are listed in alphabetical order.NameThis field displays the name used to identify this directory server. AddressThis field displays the IP address or domain name of the directory server.PortThis field displays the port number that the directory server uses.ProtocolThis field displays the protocol that the directory server uses.ModifyClick the details icon to open a screen where you can change the information about the directory server.Click the delete icon to remove the directory server entry. A window displays asking you to confirm that you want to delete the directory server. Note that subsequent certificates move up by one when you take this action.AddClick Add to open a screen where you can configure information about a directory server so that the ZyXEL Device can access it.Table 64   SECURITY > CERTIFICATES > Directory Server > AddLABEL DESCRIPTIONDirectory Service SettingNameType up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Chapter 11CertificatesNBG410W3G Series User s Guide222Access ProtocolUse the drop-down list box to select the access protocol used by the directory server.LDAP (Lightweight Directory Access Protocol) is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates.AServer AddressType the IP address (in dotted decimal notation) or the domain name of the directory server. Server PortThis field displays the default server port number of the protocol that you select in the Access Protocol field.You may change the server port number if needed, however you must use the same server port number that the directory server uses.389 is the default server port number for LDAP.Login SettingLogin The ZyXEL Device may need to authenticate itself in order to assess the directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).PasswordType the password (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).ApplyClick Apply to save your changes back to the ZyXEL Device.CancelClick Cancel to quit configuring this screen and return to the Directory Servers screen.A.At the time of writing, LDAP is the only choice of directory server access protocol.Table 64   SECURITY > CERTIFICATES > Directory Server > AddLABEL DESCRIPTION
223PART VAdvancedNetwork Address Translation (NAT)  (225)Static Route  (243)DNS  (247)Remote Management  (259)UPnP  (281)Custom Application  (291)ALG Screen  (293)
224
NBG410W3G Series User s Guide 225CHAPTER  12 Network Address Translation(NAT)This chapter discusses how to configure NAT on the ZyXEL Device.12.1  NAT Overview   NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. 12.1.1  NAT DefinitionsInside/outside denotes where a host is located relative to the ZyXEL Device. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts. Global/local denotes the IP address of a host in a packet as the packet traverses a router. For example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. The following table summarizes this information.Table 65   NAT DefinitionsTERM DESCRIPTIONInside This refers to the host on the LAN.Outside This refers to the host on the WAN.Local This refers to the packet address (source or destination) as the packet travels on the LAN.Global This refers to the packet address (source or destination) as the packet travels on the WAN.
Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide226NAT never changes the IP address (either local or global) of an outside host.12.1.2  What NAT DoesIn the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed.The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for example a web server and a telnet server) on your local network and make them accessible to the outside world. Although you can make designated servers on the LAN accessible to the outside world, it is strongly recommended that you attach those servers to the DMZ port instead. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping), NAT offers the additional benefit of firewall protection. With no servers defined, your ZyXEL Device filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).12.1.3  How NAT WorksEach packet has two addresses % a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyXEL Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
 Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide 227Figure 136   How NAT Works 12.1.4  NAT ApplicationThe following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyXEL Device can communicate with three distinct WAN networks. More examples follow at the end of this chapter.192.168.1.13192.168.1.10192.168.1.11192.168.1.12 SA192.168.1.10SAIGA1Inside LocalIP Address192.168.1.10192.168.1.11192.168.1.12192.168.1.13Inside Global IP AddressIGA 1IGA 2IGA 3IGA 4NAT TableInternetWANLANInside LocalAddress (ILA)Inside GlobalAddress (IGA)
Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide228Figure 137   NAT Application With IP Alias12.1.5  Port Restricted Cone NATZyXEL Device ZyNOS version 4.00 and later uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network. In the following example, the ZyXEL Device maps the source address of all packets sent from internal IP address 1 and port A to IP address 2 and port B on the external network. A host on the external network (IP address 3 and Port C for example) can only send packets to the internal host if the internal host has already sent a packet to the external host!s IP address and port. A server with IP address 1 and port A sends packets to IP address 3, port C and IP address 4, port D. The ZyXEL Device changes the server!s IP address to 2 and port to B. Since 1, A has already sent packets to 3, C and 4, D, they can send packets back to 2, B and the ZyXEL Device will perform NAT on them and send them to the server at IP address 1, port A.Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A.InternetCorporation BNAT Server192.168.3.1LAN3: 192.168.3.XNetwork Server"R&D#=192.168.3.1WAN Addresses:    LAN Addresses: (Default IPs)IGA 1 ---------------> 192.168.1.1IGA 2 ---------------> 192.168.2.1IGA 3 ---------------> 192.168.3.1NAT Server192.168.2.1LAN2: 192.168.2.XNetwork Server"Sales#=192.168.2.1Server inR&D Network=IP3 (IGA 3)NAT Server192.168.1.1LAN2: 192.168.1.XNetwork Server"Admin=192.168.1.1Corporation AServer inSales Network=IP2 (IGA 2)Server inAdmin Network=IP1 (IGA 1)
 Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide 229Figure 138   Port Restricted Cone NAT Example12.1.6  NAT Mapping TypesNAT supports five types of IP/port mapping. They are: One to One: In One-to-One mode, the ZyXEL Device maps one local IP address to one global IP address. Many to One: In Many-to-One mode, the ZyXEL Device maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature (the SUA option).  Many to Many Overload: In Many-to-Many Overload mode, the ZyXEL Device maps the multiple local IP addresses to shared global IP addresses. Many One to One: In Many-One-to-One mode, the ZyXEL Device maps each local IP address to a unique global IP address.  Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world although, it is highly recommended that you use the DMZ port for these servers instead.Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types. NAT1, A 2, B3, C4, D4, E5
Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide230The following table summarizes the NAT mapping types.12.2  Using NATYou must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyXEL Device.12.2.1  SUA (Single User Account) Versus NATSUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyXEL Device also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA or Full Feature in NAT Overview. Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you!re using SUA NAT mapping. If this is not your intention, then select Full Feature NAT and don!t configure NAT mapping rules to those computers with public IP addresses on the DMZ.12.3  NAT Overview Screen  Click ADVANCED > NAT to open the NAT Overview screen. Table 66   NAT Mapping TypesTYPE IP MAPPINGOne-to-One ILA1   IGA1Many-to-One (SUA/PAT) ILA1   IGA1ILA2   IGA1&Many-to-Many Overload ILA   IGA1ILA2   IGA2ILA3   IGA1ILA4   IGA2&Many-One-to-One ILA1   IGA1ILA2   IGA2ILA3   IGA3&Server Server 1 IP   IGA1Server 2 IP   IGA1Server 3 IP   IGA1
 Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide 231Figure 139   ADVANCED > NAT > NAT OverviewThe following table describes the labels in this screen.  Table 67   ADVANCED > NAT > NAT OverviewLABEL DESCRIPTIONGlobal SettingsMax. Concurrent Sessions This read-only field displays the highest number of NAT sessions that the ZyXEL Device will permit at one time.Max. Concurrent Sessions Per HostUse this field to set the highest number of NAT sessions that the ZyXEL Device will permit a host to have at one time.WAN Operation ModeThis read-only field displays the operation mode of the ZyXEL Device's WAN interfaces.WAN 1, 2 Enable NAT Select this check box to turn on the NAT feature for the WAN interface. Clear this check box to turn off the NAT feature for the WAN interface.Address Mapping RulesSelect SUA if you have just one public WAN IP address for your ZyXEL Device. This lets the ZyXEL Device use its permanent, pre-defined NAT address mapping rules. Select Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device. This lets the ZyXEL Device use the address mapping rules that you configure. This is the equivalent of what used to be called full feature NAT or multi-NAT.The bar displays how many of the ZyXEL Device's possible address mapping rules are configured. The first number shows how many address mapping rules are configured on the ZyXEL Device. The second number shows the maximum number of address mapping rules that can be configured on the ZyXEL Device.
Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide23212.4  NAT Address Mapping   Click ADVANCED > NAT > Address Mapping to open the following screen. 12.4.1  What NAT DoesIn the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed.See Section 12.1 on page 225 for more on NAT.Use this screen to change your ZyXEL Device!s address mapping settings.  Ordering your rules is important because the ZyXEL Device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL Device takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6. Port Forwarding RulesThe bar displays how many of the ZyXEL Device's possible port forwarding rules are configured. The first number shows how many port forwarding rules are configured on the ZyXEL Device. The second number shows the maximum number of port forwarding rules that can be configured on the ZyXEL Device.Port Triggering RulesThe bar displays how many of the ZyXEL Device's possible trigger port rules are configured. The first number shows how many trigger port rules are configured on the ZyXEL Device. The second number shows the maximum number of trigger port rules that can be configured on the ZyXEL Device.Copy to WAN 2 (and Copy to WAN 1)Click Copy to WAN 2 (or Copy to WAN 1) to duplicate this WAN interface's NAT port forwarding or trigger port rules on the other WAN interface.Note: Using the copy button overwrites the other WAN interface's existing rules.The copy button is best suited for initial NAT configuration where you have configured NAT port forwarding or trigger port rules for one interface and want to use similar rules for the other WAN interface. You can use the other NAT screens to edit the NAT rules after you copy them from one WAN interface to the other.Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.Table 67   ADVANCED > NAT > NAT Overview (continued)LABEL DESCRIPTION
 Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide 233Figure 140   ADVANCED > NAT > Address MappingThe following table describes the labels in this screen. Table 68   ADVANCED > NAT > Address MappingLABEL DESCRIPTIONSUA Address Mapping RulesThis read-only table displays the default address mapping rules.Full Feature Address Mapping RulesWAN Interface Select the WAN interface for which you want to view or configure address mapping rules.#This is the rule index number.Local Start IP This refers to the Inside Local Address (ILA), which is the starting local IP address. If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address. Local IP addresses are N/A for Server port mapping.Local End IP This is the end Inside Local Address (ILA). If the rule is for all local IP addresses, then this field displays 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types.Global Start IP This refers to the Inside Global IP Address (IGA), that is the starting global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types.
Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide23412.4.2  NAT Address Mapping Edit Click the edit icon to display the NAT Address Mapping Edit screen. Use this screen to edit an address mapping rule. See Section 12.1 on page 225 for information on NAT and address mapping.Figure 141   ADVANCED > NAT > Address Mapping > EditGlobal End IP This is the ending Inside Global Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.Type 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type.2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only. 3. Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. 4. Many One-to-One mode maps each local IP address to unique global IP addresses. 5. Server allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.Modify Click the edit icon to go to the screen where you can edit the address mapping rule.Click the delete icon to delete an existing address mapping rule. A window display asking you to confirm that you want to delete the address mapping rule. Note that subsequent address mapping rules move up by one when you take this action.Insert Click Insert to insert a new mapping rule before an existing one.Table 68   ADVANCED > NAT > Address Mapping (continued)LABEL DESCRIPTION
 Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide 235The following table describes the labels in this screen.  12.5  Port Forwarding  A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports.Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.12.5.1  Default Server IP AddressIn addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.Table 69   ADVANCED > NAT > Address Mapping > EditLABEL DESCRIPTIONType Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-One NAT mapping type.2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature. 3. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. 4. Many One-to-One: Many One-to-One mode maps each local IP address to unique global IP addresses. 5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.Local Start IP This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping.Local End IP This is the end Inside Local IP Address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types.Global Start IP This is the starting Inside Global IP Address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP. Global End IP This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.Apply Click Apply to save your changes.Cancel Click Cancel to exit this screen without saving.
Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide236If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.12.5.2  Port Forwarding: Services and Port NumbersThe ZyXEL Device provides the additional safety of the DMZ ports for connecting your publicly accessible servers. This makes the LAN more secure by physically separating it from your public servers. Use the Port Forwarding screen to forward incoming service requests to the server(s) on your local network. The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. 12.5.3  Configuring Servers Behind Port Forwarding (Example)Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.Table 70   Services and Port NumbersSERVICES PORT NUMBERECHO 7FTP (File Transfer Protocol) 21SMTP (Simple Mail Transfer Protocol) 25DNS (Domain Name System) 53Finger 79HTTP (Hyper Text Transfer protocol or WWW, Web) 80POP3 (Post Office Protocol) 110NNTP (Network News Transport Protocol) 119SNMP (Simple Network Management Protocol) 161SNMP trap 162PPTP (Point-to-Point Tunneling Protocol) 1723
 Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide 237Figure 142   Multiple Servers Behind NAT Example12.5.4  NAT and Multiple WANThe ZyXEL Device has two WAN interfaces. You can configure port forwarding and trigger port rule sets for the first WAN interface and separate sets of rules for the second WAN interface. 12.5.5  Port TranslationThe ZyXEL Device can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the local network. When you use port forwarding without port translation, a single server on the local network can use a specific port number and be accessible to the outside world through a single WAN IP address. When you use port translation with port forwarding, multiple servers on the local network can use the same port number and still be accessible to the outside world through a single WAN IP address.The following example has two web servers on a LAN. Server A uses IP address 192.168.1.33 and server B uses 192.168.1.34. Both servers use port 80. The letters a.b.c.d represent the WAN port!s IP address. The ZyXEL Device translates port 8080 of traffic received on the WAN port (IP address a.b.c.d) to port 80 and sends it to server A (IP address 192.168.1.33). The ZyXEL Device also translates port 8100 of traffic received on the WAN port (also IP address a.b.c.d) to port 80, but sends it to server B (IP address 192.168.1.34). In this example, anyone wanting to access server A from the Internet must use port 8080. Anyone wanting to access server B from the Internet must use port 8100.A=192.168.1.33D=192.168.1.36C=192.168.1.35B=192.168.1.34InternetWANLAN192.168.1.1 IP Address assigned by ISP
Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide238Figure 143   Port Translation Example12.6  Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.Refer to Figure 70 on page 236 for port numbers commonly used for particular services. The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to something other than Standard.A = 192.168.1.33HTTP: 80B = 192.168.1.34HTTP: 80LAN WAN192.168.1.1Port Translation192.168.1.33: 80 <----> a.b.c.d: 8080192.168.1.34: 80 <----> a.b.c.d: 8100
 Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide 239Figure 144   ADVANCED > NAT > Port ForwardingThe following table describes the labels in this screen. Table 71   ADVANCED > NAT > Port ForwardingLABEL DESCRIPTIONWAN Interface Select the WAN interface for which you want to view or configure address mapping rules.Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.Go To Page Choose a page from the drop-down list box to display the corresponding summary page of the port forwarding servers.  #This is the number of an individual port forwarding server entry.Active Select this check box to enable the port forwarding server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry. Name Enter a name to identify this port-forwarding rule.Incoming Port(s)Enter a port number here. To forward only one port, enter it again in the second field. To specify a range of ports, enter the last port to be forwarded in the second field.Port Translation Enter the port number here to which you want the ZyXEL Device to translate the incoming port. For a range of ports, you only need to enter the first number of the range to which you want the incoming ports translated, the ZyXEL Device automatically calculates the last port of the translated port range.Server IP AddressEnter the inside IP address of the server here.Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.
Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide24012.7  Port Triggering   Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The ZyXEL Device records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger" port). When the ZyXEL Device's WAN port receives a response with a specific port number and protocol ("incoming" port), the ZyXEL Device forwards the traffic to the LAN IP address of the computer that sent the request. After that computer!s connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.For example:Figure 145   Trigger Port Forwarding Process: Example1Jane (A) requests a file from the Real Audio server (port 7070).2Port 7070 is a "trigger# port and causes the ZyXEL Device to record Jane!s computer IP address. The ZyXEL Device associates Jane's computer IP address with the "incoming" port range of 6970-7170.3The Real Audio server responds using a port number ranging between 6970-7170.4The ZyXEL Device forwards the traffic to Jane!s computer IP address. 5Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyXEL Device times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol). Click ADVANCED > NAT > Port Triggering to open the following screen. Use this screen to change your ZyXEL Device!s trigger port settings.InternetA
 Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide 241Figure 146   ADVANCED > NAT > Port Triggering The following table describes the labels in this screen.  Table 72   ADVANCED > NAT > Port Triggering LABEL DESCRIPTIONWAN InterfaceSelect the WAN interface for which you want to view or configure address mapping rules.#This is the rule index number (read-only).Name Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces.Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyXEL Device forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. Start Port Type a port number or the starting port number in a range of port numbers.End Port Type a port number or the ending port number in a range of port numbers.Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the ZyXEL Device to record the IP address of the LAN computer that sent the traffic to a server on the WAN.Start Port Type a port number or the starting port number in a range of port numbers.End Port Type a port number or the ending port number in a range of port numbers.Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.
Chapter 12Network Address Translation (NAT)NBG410W3G Series User s Guide242
NBG410W3G Series User s Guide 243CHAPTER  13 Static RouteThis chapter shows you how to configure static routes for your ZyXEL Device.13.1  IP Static Route   The ZyXEL Device usually uses the default gateway to route outbound traffic from local computers to the Internet. To have the ZyXEL Device send data to devices not reachable through the default gateway, use static routes.For example, the next figure shows a computer (A) connected to the ZyXEL Device!s LAN interface. The ZyXEL Device routes most traffic from A to the Internet through the default gateway (R1). You create one static route to connect to services offered by your ISP behind router R2. You create another static route to communicate with a separate network behind a router (R3) connected to the LAN.   Figure 147   Example of Static Routing TopologyWANR1R2AR3LAN
Chapter 13Static RouteNBG410W3G Series User s Guide24413.2  IP Static Route Click ADVANCED > STATIC ROUTE to open the IP Static Route screen. The first two static route entries are for default WAN 1 and WAN 2 routes on a ZyXEL Device with multiple WAN interfaces. You cannot modify or delete a static default route.The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.Figure 148   ADVANCED > STATIC ROUTE > IP Static Route
 Chapter 13Static RouteNBG410W3G Series User s Guide 245The following table describes the labels in this screen. 13.2.1  IP Static Route Edit   Click the edit icon in the IP Static Route screen. The screen shown next appears. Use this screen to configure the required information for a static route.Figure 149   ADVANCED > STATIC ROUTE > IP Static Route > EditThe following table describes the labels in this screen. Table 73   ADVANCED > STATIC ROUTE > IP Static RouteLABEL DESCRIPTION#This is the number of an individual static route.Name This is the name that describes or identifies this route. Active This field shows whether this static route is active (Yes) or not (No).Destination This parameter specifies the IP network address of the final destination. Routing is always based on network number. Gateway This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyXEL Device s interface. The gateway helps forward packets to their destinations.Modify Click the edit icon to go to the screen where you can set up a static route on the ZyXEL Device.Click the delete icon to remove a static route from the ZyXEL Device. A window displays asking you to confirm that you want to delete the route. Table 74   ADVANCED > STATIC ROUTE > IP Static Route > EditLABEL DESCRIPTIONRoute Name Enter the name of the IP static route. Leave this field blank to delete this static route.Active This field allows you to activate/deactivate this static route.Destination IP AddressThis parameter specifies the IP network address of the final destination.  Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.IP Subnet Mask  Enter the IP subnet mask here.
Chapter 13Static RouteNBG410W3G Series User s Guide246Gateway IP AddressEnter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.Metric Metric represents the "cost# of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number. Private This parameter determines if the ZyXEL Device will include this route to a remote node in its RIP broadcasts.Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.Apply Click Apply to save your changes.Cancel Click Cancel to exit this screen without saving.Table 74   ADVANCED > STATIC ROUTE > IP Static Route > EditLABEL DESCRIPTION
NBG410W3G Series User s Guide 247CHAPTER  14 DNSThis chapter shows you how to configure the DNS screens.14.1  DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The ZyXEL Device uses a system DNS server (in the order you specify in the DNS System screen) to resolve domain names, for example, DDNS and the time server.14.2  DNS Server Address AssignmentThe ZyXEL Device can get the DNS server addresses in the following ways.1The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.2If your ISP dynamically assigns the DNS server IP addresses (along with the ZyXEL Device!s WAN IP address), set the DNS server fields to get the DNS server address from the ISP. 3You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section 14.5.1 on page 248).14.3  DNS ServersThere are three places where you can configure DNS setup on the ZyXEL Device.1Use the DNS System screen to configure the ZyXEL Device to use a DNS server to resolve domain names for ZyXEL Device system features such as DDNS and the time server.2Use the DNS DHCP screen to configure the DNS server information that the ZyXEL Device sends to the DHCP client devices on the LAN or DMZ.3Use the REMOTE MGMT DNS screen to configure the ZyXEL Device to accept or discard DNS queries.
Chapter 14DNSNBG410W3G Series User s Guide24814.4  Address RecordAn address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where "www# is the host, "zyxel# is the second-level domain, and "com.tw# is the top level domain. mail.myZyXEL.com.tw is also a FQDN, where "mail" is the host, "myZyXEL" is the second-level domain, and "com.tw" is the top level domain.The ZyXEL Device allows you to configure address records about the ZyXEL Device itself or another device. This way you can keep a record of DNS names and addresses that people on your network may use frequently. If the ZyXEL Device receives a DNS query for an FQDN for which the ZyXEL Device has an address record, the ZyXEL Device can send the IP address in a DNS response without having to query a DNS name server.14.4.1  DNS WildcardEnabling the wildcard feature for your host causes *.yourhost.com to be aliased to the same IP address as yourhost.com. This feature is useful if you want to be able to use, for example, www.yourhost.com and still reach your hostname.14.5  Name Server RecordA name server record contains a DNS server!s IP address. The ZyXEL Device can query the DNS server to resolve domain names for features such as DDNS and the time server. A domain zone may also be included. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.  14.5.1  Private DNS ServerIn cases where you want to use domain names to access Intranet servers on a remote private network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP since these DNS servers cannot resolve domain names to private IP addresses on the remote private network.14.6  System ScreenClick ADVANCED > DNS to display the following screen. Use this screen to configure your ZyXEL Device!s DNS address and name server records.
 Chapter 14DNSNBG410W3G Series User s Guide 249Figure 150   ADVANCED > DNS > System DNSThe following table describes the labels in this screen.LABEL DESCRIPTIONAddress RecordAn address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where "www# is the host, "zyxel# is the second-level domain, and "com.tw# is the top level domain. #This is the index number of the address record.FQDNThis is a host s fully qualified domain name.WildcardThis column displays whether or not the DNS wildcard feature is enabled for this domain name.IP AddressThis is the IP address of a host.ModifyClick the edit icon to go to the screen where you can edit the record.Click the delete icon to remove an existing record. A window display asking you to confirm that you want to delete the record. Note that subsequent records move up by one when you take this action.AddClick Add to open a screen where you can add a new address record. Refer to Table 75 on page 251 for information on the fields.Name Server RecordA name server record contains a DNS server s IP address. The ZyXEL Device can query the DNS server to resolve domain names for features such as DDNS and the time server. When the ZyXEL Device needs to resolve a domain name, it checks it against the name server record entries in the order that they appear in this list. A "*# indicates a name server record without a domain zone. The default record is grayed out. The ZyXEL Device uses this default record if the domain name that needs to be resolved does not match any of the other name server records.A name server record with a domain zone is always put before a record without a domain zone. #This is the index number of the name server record.
Chapter 14DNSNBG410W3G Series User s Guide25014.6.1  Adding an Address Record  Click Add in the System screen to open this screen. Use this screen to add an address record.An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. Configure address records about the ZyXEL Device itself or another device to keep a record of DNS names and addresses that people on your network may use frequently. If the ZyXEL Device receives a DNS query for an FQDN for which the ZyXEL Device has an address record, the ZyXEL Device can send the IP address in a DNS response without having to query a DNS name server. See Section 14.4 on page 248 for more on address records.Figure 151   ADVANCED > DNS > Add (Address Record)Domain ZoneA domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. FromThis field displays whether the IP address of a DNS server is from a WAN interface (and which it is) or specified by the user. DNS ServerThis is the IP address of a DNS server.ModifyClick a triangle icon to move the record up or down in the list. Click the edit icon to go to the screen where you can edit the record.Click the delete icon to remove an existing record. A window display asking you to confirm that you want to delete the record. Note that subsequent records move up by one when you take this action.InsertClick Insert to open a screen where you can insert a new name server record. Refer to Table 76 on page 252 for information on the fields.LABEL DESCRIPTION
 Chapter 14DNSNBG410W3G Series User s Guide 251The following table describes the labels in this screen.  14.6.2  Inserting a Name Server Record  Click Insert in the System screen to open this screen. Use this screen to insert a name server record. A name server record contains a DNS server!s IP address. The ZyXEL Device can query the DNS server to resolve domain names for features such as DDNS and the time server. A domain zone may also be included. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.  Figure 152   ADVANCED > DNS > Insert (Name Server Record)Table 75   ADVANCED > DNS > Add (Address Record)LABEL DESCRIPTIONFQDNType a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where "www# is the host, "zyxel# is the second-level domain, and "com.tw# is the top level domain. IP AddressIf this entry is for one of the WAN ports on a ZyXEL Device with multiple WAN ports, select WAN Interface and select WAN 1 or WAN 2 from the drop-down list box.If this entry is for the WAN port on a ZyXEL Device with a single WAN port, select WAN Interface.For entries that are not for the WAN port(s), select Custom and enter the IP address of the host in dotted decimal notation.Enable WildcardSelect the check box to enable DNS wildcard.ApplyClick Apply to save your changes.CancelClick Cancel to exit this screen without saving.
Chapter 14DNSNBG410W3G Series User s Guide252The following table describes the labels in this screen.14.7  DNS Cache  DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyXEL Device receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response means that the ZyXEL Device received the IP address for a domain name that it checked with a DNS server within the five second DNS timeout period. A negative response means that the ZyXEL Device did not receive a response for a query it sent to a DNS server within the five second DNS timeout period. When the ZyXEL Device receives DNS queries, it compares them against the DNS cache before querying a DNS server. If the DNS query matches a positive entry, the ZyXEL Device responses with the IP address from the entry. If the DNS query matches a negative entry, the ZyXEL Device replies that the DNS query failed.14.8  Configure DNS CacheTo configure your ZyXEL Device!s DNS caching, click ADVANCED > DNS > Cache. The screen appears as shown.LABEL DESCRIPTIONDomain ZoneThis field is optional.A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the ZyXEL Device receives needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.Leave this field blank if all domain zones are served by the specified DNS server(s).DNS ServerSelect the DNS Server(s) from ISP radio button if your ISP dynamically assigns DNS server information. You also need to select an interface through which the ISP provides the DNS server IP address(es). The interface should be activated and set as a DHCP client.The fields below display the (read-only) DNS server IP address(es) that the ISP assigns. N/A displays for any DNS server IP address fields for which the ISP does not assign an IP address. N/A displays for all of the DNS server IP address fields if the ZyXEL Device has a fixed WAN IP address. Select Public DNS Server if you have the IP address of a DNS server. The IP address must be public or a private address on your local LAN. Enter the DNS server's IP address in the field to the right. Public DNS Server entries with the IP address set to 0.0.0.0 are not allowed. Select Private DNS Server if the DNS server has a private IP address and is located in a local network. Enter the DNS server's IP address in the field to the right. With a private DNS server, you must also configure the first DNS server entry for the LAN or DMZ in the DNS DHCP screen to use DNS Relay.Private DNS Server entries with the IP address set to 0.0.0.0 are not allowed.ApplyClick Apply to save your changes.CancelClick Cancel to exit this screen without saving.
 Chapter 14DNSNBG410W3G Series User s Guide 253Figure 153   ADVANCED > DNS > CacheThe following table describes the labels in this screen.LABEL DESCRIPTIONDNS Cache SetupCache Positive DNS ResolutionsSelect the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyXEL Device s processing of commonly queried domain names and reduces the amount of traffic that the ZyXEL Device sends out to the WAN.Maximum TTLType the maximum time to live (TTL) (60 to 3600 seconds). This sets how long the ZyXEL Device is to allow a positive resolution entry to remain in the DNS cache before discarding it.Cache Negative DNS ResolutionsCaching negative DNS resolutions helps speed up the ZyXEL Device s processing of commonly queried domain names (for which DNS resolution has failed) and reduces the amount of traffic that the ZyXEL Device sends out to the WAN.Negative Cache PeriodType the time (60 to 3600 seconds) that the ZyXEL Device is to allow a negative resolution entry to remain in the DNS cache before discarding it.ApplyClick Apply to save your changes back to the ZyXEL Device.ResetClick Reset to begin configuring this screen afresh.DNS Cache EntryFlushClick this button to clear the cache manually. After you flush the cache, the ZyXEL Device must query the DNS servers again for any domain names that had been previously resolved.RefreshClick this button to reload the cache.#This is the index number of a record.Cache TypeThis displays whether the response for the DNS request is positive or negative.Domain NameThis is the domain name of a host.
Chapter 14DNSNBG410W3G Series User s Guide25414.9  Configuring DNS DHCP Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyXEL Device sends to its LAN or DMZ DHCP clients.Figure 154   ADVANCED > DNS > DHCPThe following table describes the labels in this screen.IP AddressThis is the (resolved) IP address of a host. This field displays 0.0.0.0 for negative DNS resolution entries.Remaining Time (sec)This is the number of seconds left before the DNS resolution entry is discarded from the cache.ModifyClick the delete icon to remove the DNS resolution entry from the cache.LABEL DESCRIPTIONLABEL DESCRIPTIONDNS Servers Assigned by DHCP ServerThe ZyXEL Device passes a DNS (Domain Name System) server IP address to the DHCP clients. Selected InterfaceSelect an interface from the drop-down list box to configure the DNS servers for the specified interface.DNSThese read-only labels represent the DNS servers.
 Chapter 14DNSNBG410W3G Series User s Guide 25514.10  Dynamic DNS  Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address. First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key. You must go to the Dynamic DNS service provider s website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyXEL Device.14.10.1  DYNDNS WildcardEnabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.IPSelect From ISP if your ISP dynamically assigns DNS server information (and the ZyXEL Device's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply. Select DNS Relay to have the ZyXEL Device act as a DNS proxy. The ZyXEL Device's LAN or DMZ IP address displays in the field to the right (read-only). The ZyXEL Device tells the DHCP clients on the LAN or DMZ that the ZyXEL Device itself is the DNS server. When a computer on the LAN or DMZ sends a DNS query to the ZyXEL Device, the ZyXEL Device forwards the query to the ZyXEL Device's system DNS server (configured in the DNS System screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you click Apply. Select None if you do not want to configure DNS servers. You must have another DHCP sever on your LAN, or else the computers must have their DNS server addresses manually configured. If you do not configure a DNS server, you must know the IP address of a computer in order to access it.ApplyClick Apply to save your changes.ResetClick Reset to begin configuring this screen afresh.LABEL DESCRIPTION
Chapter 14DNSNBG410W3G Series User s Guide256If you have a private WAN IP address, then you cannot use Dynamic DNS.14.10.2  High AvailabilityA DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping.14.11  Configuring Dynamic DNSTo change your ZyXEL Device!s DDNS, click ADVANCED > DNS > DDNS. The screen appears as shown. Figure 155   ADVANCED > DNS > DDNSThe following table describes the labels in this screen.LABEL DESCRIPTIONAccount SetupActiveSelect this check box to use dynamic DNS.Service ProviderThis is the name of your Dynamic DNS service provider.
 Chapter 14DNSNBG410W3G Series User s Guide 257UsernameEnter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed.PasswordEnter the password associated with the user name above. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed. My Domain NamesDomain Name 1~5Enter the host names in these fields. DDNS TypeSelect the type of service that you are registered for from your Dynamic DNS service provider. Select Dynamic if you have the Dynamic DNS service. Select Static if you have the Static DNS service.Select Custom if you have the Custom DNS service.OfflineThis option is available when Custom is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.WildcardSelect the check box to enable DYNDNS Wildcard.WAN InterfaceSelect the WAN interface to use for updating the IP address of the domain name.IP Address Update PolicySelect Use WAN IP Address to have the ZyXEL Device update the domain name with the WAN interface's IP address.Select Use User-Defined and enter the IP address if you have a static IP address.Select Let DDNS Server Auto Detect only when there are one or more NAT routers between the ZyXEL Device and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server.HASelect this check box to enable the high availability (HA) feature. High availability has the ZyXEL Device update a domain name with another interface s IP address when the normal WAN interface does not have a connection. The ZyXEL Device will update the domain name with the IP address of whichever WAN interface has a connection, regardless of the setting in the WAN Interface field.Disable this feature and the ZyXEL Device will only update the domain name with an IP address of the WAN interface specified in the WAN Interface field. If that WAN interface does not have a connection, the ZyXEL Device will not update the domain name with another port s IP address.Note: DDNS does not function when the ZyXEL Device uses traffic redirect.ApplyClick Apply to save your changes.ResetClick Reset to begin configuring this screen afresh.LABEL DESCRIPTION
Chapter 14DNSNBG410W3G Series User s Guide258
NBG410W3G Series User s Guide 259CHAPTER  15 Remote ManagementThis chapter provides information on the Remote Management screens.15.1  Remote Management OverviewRemote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers.The following figure shows secure and insecure management of the ZyXEL Device coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure. Figure 156   Secure and Insecure Remote Management From the WANWhen you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 9 on page 167 for details on configuring firewall rules.You can also disable a service on the ZyXEL Device by not allowing access for the service/protocol through any of the ZyXEL Device interfaces.You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.1Console port2SSH LAN WANHTTPTelnetInternetHTTPSSSH
Chapter 15Remote ManagementNBG410W3G Series User s Guide2603Telnet4HTTPS and HTTP15.1.1  Remote Management LimitationsRemote management does not work when:1You have not enabled that service on the interface in the corresponding remote management screen.2You have disabled that service in one of the remote management screens.3The IP address in the Secure Client IP Address field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately.4There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.5There is a firewall rule that blocks it.6A filter is applied (through the commands) to block a Telnet, FTP or Web service.15.1.2  System TimeoutThere is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the MAINTENANCE > General screen.15.2  WWW (HTTP and HTTPS) HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys (see Chapter 11 on page 195 for more information).HTTPS on the ZyXEL Device is used so that you may securely access the ZyXEL Device using the web configurator. The SSL protocol specifies that the SSL server (the ZyXEL Device) must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyXEL Device), whereas the SSL client only should authenticate itself when the SSL server requires it to do so (select Authenticate Client Certificates in the REMOTE MGMT > WWW screen). Authenticate Client Certificates is optional and if selected means the SSL-client must send the ZyXEL Device a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyXEL Device.Please refer to the following figure. 1HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyXEL Device!s WS (web server).
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 2612HTTP connection requests from a web browser go to port 80 (by default) on the ZyXEL Device!s WS (web server).  Figure 157   HTTPS ImplementationIf you disable the HTTP service in the REMOTE MGMT > WWW screen, then the ZyXEL Device blocks all HTTP connection attempts.15.3  WWW Click ADVANCED > REMOTE MGMT to open the WWW screen. Use this screen to configure the ZyXEL Device!s HTTP and HTTPS management settings.
Chapter 15Remote ManagementNBG410W3G Series User s Guide262Figure 158   ADVANCED > REMOTE MGMT > WWWThe following table describes the labels in this screen.  Table 76   ADVANCED > REMOTE MGMT > WWWLABEL DESCRIPTIONHTTPSServer CertificateSelect the Server Certificate that the ZyXEL Device will use to identify itself. The ZyXEL Device is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyXEL Device).  Authenticate Client CertificatesSelect Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the ZyXEL Device by sending the ZyXEL Device a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyXEL Device (see Appendix F on page 403 on importing certificates for details).Server Port The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the ZyXEL Device, for example 8443, then you must notify people who need to access the ZyXEL Device web configurator to use "https://ZyXEL Device IP Address:8443# as the URL.Server Access Select the interface(s) through which a computer may access the ZyXEL Device using this service.You can allow only secure web configurator access by clearing all of the interface check boxes in the HTTP Server Access field and setting the HTTPS Server Access field to an interface(s).Secure Client IP AddressA secure client is a "trusted# computer that is allowed to communicate with the ZyXEL Device using this service.Select All to allow any computer to access the ZyXEL Device using this service.Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.HTTPServer Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 26315.4  HTTPS ExampleIf you haven!t changed the default HTTPS port on the ZyXEL Device, then in your browser enter "https://ZyXEL Device IP Address/# as the web site address where "ZyXEL Device IP Address# is the IP address or domain name of the ZyXEL Device you wish to access.15.4.1  Internet Explorer Warning MessagesWhen you attempt to access the ZyXEL Device HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the ZyXEL Device. You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the web configurator login screen; if you select No, then web configurator access is blocked.Figure 159   Security Alert Dialog Box (Internet Explorer)15.4.2  Netscape Navigator Warning MessagesWhen you attempt to access the ZyXEL Device HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyXEL Device.Server Access Select the interface(s) through which a computer may access the ZyXEL Device using this service.Secure Client IP AddressA secure client is a "trusted# computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service.Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.Table 76   ADVANCED > REMOTE MGMT > WWW (continued)LABEL DESCRIPTION
Chapter 15Remote ManagementNBG410W3G Series User s Guide264If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape.Select Accept this certificate permanently to import the ZyXEL Device!s certificate into the SSL client.Figure 160   Security Certificate 1 (Netscape)Figure 161   Security Certificate 2 (Netscape)15.4.3  Avoiding the Browser Warning MessagesThe following describes the main reasons that your browser displays warnings about the ZyXEL Device!s HTTPS server certificate and what you can do to avoid seeing the warnings. The issuing certificate authority of the ZyXEL Device!s HTTPS server certificate is not one of the browser!s trusted certificate authorities. The issuing certificate authority of the ZyXEL Device's factory default certificate is the ZyXEL Device itself since the certificate is a self-signed certificate.  For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.  To have the browser trust the certificates issued by a certificate authority, import the certificate authority!s certificate into your operating system as a trusted certificate. Refer to Appendix F on page 403 for details.EXAMPLEEXAMPLEEXAMPLE
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 265 The actual IP address of the HTTPS server (the IP address of the ZyXEL Device!s port that you are trying to access) does not match the common name specified in the ZyXEL Device!s HTTPS server certificate that your browser received. Do the following to check the common name specified in the certificate that your ZyXEL Device sends to HTTPS clients.2a  Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field. 2b Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for certificate!s common name (see Figure 164 on page 266 for an example).Use this procedure to have the ZyXEL Device use a certificate with a common name that matches the ZyXEL Device!s actual IP address. You cannot use this procedure if you need to access the WAN port and it uses a dynamically assigned IP address.2a  Create a new certificate for the ZyXEL Device that uses the IP address (of the ZyXEL Device!s port that you are trying to access) as the certificate!s common name. For example, to use HTTPS to access a LAN port with IP address 192.168.1.1, create a certificate that uses 192.168.1.1 as the common name.2b Go to the remote management WWW screen and select the newly created certificate in the Server Certificate field. Click Apply. 15.4.4  Login ScreenAfter you accept the certificate, the ZyXEL Device login screen appears. The lock displayed in the bottom right of the browser status bar denotes a secure connection.Figure 162   Example: Lock Denoting a Secure ConnectionClick Login and you then see the next screen.The factory default certificate is a common default certificate for all ZyXEL Device models.
Chapter 15Remote ManagementNBG410W3G Series User s Guide266Figure 163   Replace CertificateClick Apply in the Replace Certificate screen to create a certificate using your ZyXEL Device!s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.Figure 164   Device-specific CertificateClick Ignore in the Replace Certificate screen to use the common ZyXEL Device certificate. You will then see this information in the My Certificates screen.
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 267Figure 165   Common ZyXEL Device Certificate15.5   SSH You can use SSH (Secure SHell) to securely access the ZyXEL Device!s command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. Unlike Telnet or FTP, which transmit data in plaintext (clear or unencrypted text), SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyXEL Device for a management session.Figure 166   SSH Communication Over the WAN Example 15.6  How SSH Works The following table summarizes how a secure connection is established between two remote hosts. SSHA
Chapter 15Remote ManagementNBG410W3G Series User s Guide268Figure 167   How SSH Works1Host IdentificationThe SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.2Encryption MethodOnce the identification is verified, both the client and server must agree on the type of encryption method to use.3Authentication and Data TransmissionAfter the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.15.7  SSH Implementation on the ZyXEL Device Your ZyXEL Device supports SSH version 1.5 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the ZyXEL Device for remote management and file transfer on port 22. Only one SSH connection is allowed at a time.15.7.1  Requirements for Using SSHYou must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyXEL Device over SSH.Data TransmissionAuthentication Pass / FailPassword / User nameEncryption method to useSession KeyHost Identification Pass / FailHost Key, Server KeyConnection requestSSH Server SSH Client
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 26915.8  Configuring SSHClick ADVANCED > REMOTE MGMT > SSH to change your ZyXEL Device!s Secure Shell settings. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.Figure 168   ADVANCED > REMOTE MGMT > SSHThe following table describes the labels in this screen. Table 77   ADVANCED > REMOTE MGMT > SSHLABEL DESCRIPTIONServer Host Key Select the certificate whose corresponding private key is to be used to identify the ZyXEL Device for SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see Chapter 11 on page 195 for details).Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server Access Select the interface(s) through which a computer may access the ZyXEL Device using this service.Secure Client IP AddressA secure client is a "trusted# computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service.Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.
Chapter 15Remote ManagementNBG410W3G Series User s Guide27015.9  Secure Telnet Using SSH ExamplesThis section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyXEL Device. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user!s guide. 15.9.1  Example 1: Microsoft Windows This section describes how to access the ZyXEL Device using the Secure Shell Client program.1Launch the SSH client and specify the connection information (IP address, port number or device name) for the ZyXEL Device. 2Configure the SSH client to accept connection using SSH version 1. 3A window displays prompting you to store the host key in you computer. Click Yes to continue. Figure 169   SSH Example 1: Store Host KeyEnter the password to log in to the ZyXEL Device. The CLI main menu displays next. 15.9.2  Example 2: LinuxThis section describes how to access the ZyXEL Device using the OpenSSH client program that comes with most Linux distributions. 1Test whether the SSH service is available on the ZyXEL Device. Enter "telnet 192.168.1.1 22# at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyXEL Device (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the ZyXEL Device.  Figure 170   SSH Example 2: Test $ telnet 192.168.1.1 22Trying 192.168.1.1...Connected to 192.168.1.1.Escape character is '^]'.SSH-1.5-1.0.0
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 2712Enter "ssh  1 192.168.1.1#. This command forces your computer to connect to the ZyXEL Device using SSH version 1. If this is the first time you are connecting to the ZyXEL Device using SSH, a message displays prompting you to save the host information of the ZyXEL Device. Type "yes# and press [ENTER]. Then enter the password to log in to the ZyXEL Device. Figure 171   SSH Example 2: Log in3The CLI main menu displays next. 15.10  Secure FTP Using SSH ExampleThis section shows an example on file transfer using the OpenSSH client program. The configuration and connection steps are similar for other SSH client programs. Refer to your SSH client program user!s guide.1Enter "sftp  1 192.168.1.1#. This command forces your computer to connect to the ZyXEL Device for secure file transfer using SSH version 1. If this is the first time you are connecting to the ZyXEL Device using SSH, a message displays prompting you to save the host information of the ZyXEL Device. Type "yes# and press [ENTER].2Enter the password to login to the ZyXEL Device. 3Use the "put# command to upload a new firmware to the ZyXEL Device.  $ ssh  1 192.168.1.1The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.Administrator@192.168.1.1's password:
Chapter 15Remote ManagementNBG410W3G Series User s Guide272Figure 172   Secure FTP: Firmware Upload Example15.11  Telnet You can use Telnet to access the ZyXEL Device!s command line interface. Specify which interfaces allow Telnet access and from which IP address the access can come.15.12  Configuring TELNETClick ADVANCED > REMOTE MGMT > TELNET to open the following screen. Use this screen to specify which interfaces allow Telnet access and from which IP address the access can come.It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.Figure 173   ADVANCED > REMOTE MGMT > Telnet$ sftp -1 192.168.1.1Connecting to 192.168.1.1...The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.Administrator@192.168.1.1's password:sftp> put firmware.bin rasUploading firmware.bin to /rasRead from remote host 192.168.1.1: Connection reset by peerConnection closed$
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 273The following table describes the labels in this screen. 15.13  FTP   You can use FTP (File Transfer Protocol) to upload and download the ZyXEL Device!s firmware and configuration files, please see the User!s Guide chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.To change your ZyXEL Device!s FTP settings, click ADVANCED > REMOTE MGMT > FTP. The screen appears as shown. Use this screen to specify which interfaces allow FTP access and from which IP address the access can come. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.Figure 174   ADVANCED > REMOTE MGMT > FTPTable 78   ADVANCED > REMOTE MGMT > TelnetLABEL DESCRIPTIONServer Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server Access Select the interface(s) through which a computer may access the ZyXEL Device using this service.Secure Client IP AddressA secure client is a "trusted# computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service.Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh.
Chapter 15Remote ManagementNBG410W3G Series User s Guide274The following table describes the labels in this screen. 15.14  SNMP   Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyXEL Device supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyXEL Device through the network. The ZyXEL Device supports SNMP version one (SNMPv1). The next figure illustrates an SNMP management operation. SNMP is only available if TCP/IP is configured.Table 79   ADVANCED > REMOTE MGMT > FTPLABEL DESCRIPTIONServer Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server Access Select the interface(s) through which a computer may access the ZyXEL Device using this service.Secure Client IP AddressA secure client is a "trusted# computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service.Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.Apply Click Apply to save your customized settings. Reset Click Reset to begin configuring this screen afresh.
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 275Figure 175   SNMP Management ModelAn SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices. The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: Get - Allows the manager to retrieve an object variable from the agent.  GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.  Set - Allows the manager to set values for object variables within an agent.  Trap - Used by the agent to inform the manager of some events.15.14.1   Supported MIBsThe ZyXEL Device supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
Chapter 15Remote ManagementNBG410W3G Series User s Guide27615.14.2  SNMP Traps The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs:15.14.3  REMOTE MANAGEMENT: SNMP To change your ZyXEL Device!s SNMP settings, click ADVANCED > REMOTE MGMT > SNMP. The screen appears as shown.Figure 176   ADVANCED > REMOTE MGMT > SNMPTable 80   SNMP TrapsTRAP # TRAP NAME DESCRIPTION0coldStart (defined in RFC-1215)A trap is sent after booting (power on).1warmStart (defined in RFC-1215)A trap is sent after booting (software reboot).4authenticationFailure (defined in RFC-1215)A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password).6whyReboot (defined in ZYXEL-MIB)A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).6a For intentional reboot : A trap is sent with the message "System reboot by user!" if reboot is done intentionally, (for example, download new files, CI command "sys reboot", etc.).6b For fatal error :  A trap is sent with the message of the fatal code if the system reboots because of fatal errors.
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 277The following table describes the labels in this screen. 15.15  DNS  Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 6 on page 111 for more information.Click ADVANCED > REMOTE MGMT > DNS to change your ZyXEL Device!s DNS settings. Use this screen to set from which IP address the ZyXEL Device will accept DNS queries and on which interface it can send them your ZyXEL Device!s DNS settings.Figure 177   ADVANCED > REMOTE MGMT > DNSTable 81   ADVANCED > REMOTE MGMT > SNMPLABEL DESCRIPTIONSNMP ConfigurationGet Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.Set Community Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.TrapCommunity Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.Destination Type the IP address of the station to send your SNMP traps to.SNMPService Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Service Access Select the interface(s) through which a computer may access the ZyXEL Device using this service.Secure Client IP AddressA secure client is a "trusted# computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service.Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.Apply Click Apply to save your customized settings.Reset Click Reset to begin configuring this screen afresh.
Chapter 15Remote ManagementNBG410W3G Series User s Guide278The following table describes the labels in this screen. 15.16  Introducing Vantage CNM Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.If you allow your ZyXEL Device to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyXEL Device (using either the web configurator or commands) without notifying the Vantage CNM administrator.15.17  Configuring CNM Vantage CNM is disabled on the device by default. Click ADVANCED > REMOTE MGMT > CNM to configure your device!s Vantage CNM settings.Table 82   ADVANCED > REMOTE MGMT > DNSLABEL DESCRIPTIONServer Port The DNS service port number is 53 and cannot be changed here.Service Access Select the interface(s) through which a computer may send DNS queries to the ZyXEL Device.Secure Client IP AddressA secure client is a "trusted# computer that is allowed to send DNS queries to the ZyXEL Device.Select All to allow any computer to send DNS queries to the ZyXEL Device.Choose Selected to just allow the computer with the IP address that you specify to send DNS queries to the ZyXEL Device.Apply Click Apply to save your customized settings.Reset Click Reset to begin configuring this screen afresh.
 Chapter 15Remote ManagementNBG410W3G Series User s Guide 279Figure 178   ADVANCED > REMOTE MGMT > CNMThe following table describes the labels in this screen. Table 83   ADVANCED > REMOTE MGMT > CNMLABEL DESCRIPTIONRegistration InformationRegistration StatusThis read only field displays Not Registered when Enable is not selected.It displays Registering when the ZyXEL Device first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server. It will continue to display Registering until it successfully registers with the Vantage CNM server. It will not be able to register with the Vantage CNM server if:The Vantage CNM server is down. The Vantage CNM server IP address is incorrect. The Vantage CNM server is behind a NAT router or firewall that does not forward packets through to the Vantage CNM server. The encryption algorithms and/or encryption keys do not match between the ZyXEL Device and the Vantage CNM server. Last Registration TimeThis field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyXEL Device registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.RefreshClick Refresh to update the registration status and last registration time.Vantage CNM SetupEnableSelect this check box to allow Vantage CNM to manage your ZyXEL Device.Vantage CNM Server AddressIf the Vantage server is on the same subnet as the ZyXEL Device, enter the private or public IP address of the Vantage server.If the Vantage CNM server is on a different subnet to the ZyXEL Device, enter the public IP address of the Vantage server.If the Vantage CNM server is on a different subnet to the ZyXEL Device and is behind a NAT router, enter the WAN IP address of the NAT router here.
Chapter 15Remote ManagementNBG410W3G Series User s Guide28015.17.1  Additional Configuration for Vantage CNMIf you have NAT routers or firewalls between the ZyXEL Device and the Vantage CNM server, you must configure them to forward TCP ports 8080 (HTTP), 443 (HTTPS) and 20 and 21 (FTP). They must also forward UDP ports 1864 and 1865.Encryption AlgorithmThe Encryption Algorithm field is used to encrypt communications between the ZyXEL Device and the Vantage CNM server. Choose from None (no encryption), DES or 3DES. The Encryption Key field appears when you select DES or 3DES. The ZyXEL Device must use the same encryption algorithm as the Vantage CNM server. Encryption KeyType eight alphanumeric characters ("0" to "9", "a" to "z" or "A" to "Z") when you choose the DES encryption algorithm and 24 alphanumeric characters ("0" to "9", "a" to "z" or "A" to "Z") when you choose the 3DES encryption algorithm. The ZyXEL Device must use the same encryption key as the Vantage CNM server. Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.Table 83   ADVANCED > REMOTE MGMT > CNM (continued)LABEL DESCRIPTION
NBG410W3G Series User s Guide 281CHAPTER  16 UPnPThis chapter introduces the Universal Plug and Play feature.16.1  Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.16.1.1  How Do I Know If I'm Using UPnP?UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device. 16.1.2  NAT TraversalUPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following: Dynamic port mapping Learning public IP addresses Assigning lease times to mappingsWindows Messenger is an example of an application that supports NAT traversal and UPnP. See Chapter 12 on page 225 for further information about NAT. 16.1.3  Cautions with UPnPThe automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyXEL Device allows multicast messages on the LAN only.
Chapter 16UPnPNBG410W3G Series User s Guide282All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 16.1.4  UPnP and ZyXELZyXEL has achieved UPnP certification from the Universal Plug and Play Forum  UPnP& Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). See the following sections for examples of installing and using UPnP.16.2  Configuring UPnPClick ADVANCED > UPnP to display the UPnP screen. Figure 179   ADVANCED > UPnPThe following table describes the fields in this screen.  Table 84   ADVANCED > UPnPLABEL DESCRIPTIONUPnP SetupDevice Name This identifies the ZyXEL device in UPnP applications.Enable the Universal Plug and Play (UPnP) feature Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address (although you must still enter the password to access the web configurator).Allow users to make configuration changes through UPnPSelect this check box to allow UPnP-enabled applications to automatically configure the ZyXEL Device so that they can communicate through the ZyXEL Device, for example by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application. Allow UPnP to pass through FirewallSelect this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).
 Chapter 16UPnPNBG410W3G Series User s Guide 28316.3  Displaying UPnP Port Mapping   Click ADVANCED > UPnP > Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyXEL Device. Figure 180   ADVANCED > UPnP > PortsThe following table describes the labels in this screen.  Outgoing WAN InterfaceSelect through which WAN port you want to send out traffic from UPnP-enabled applications. If the WAN port you select loses its connection, the ZyXEL Device attempts to use the other WAN port. If the other WAN port also does not work, the ZyXEL Device drops outgoing packets from UPnP-enabled applications.Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.Table 84   ADVANCED > UPnPLABEL DESCRIPTIONTable 85   ADVANCED > UPnP > PortsLABEL DESCRIPTIONReserve UPnP NAT rules in flash after system bootupSelect this check box to have the ZyXEL Device retain UPnP created NAT rules even after restarting. If you use UPnP and you set a port on your computer to be fixed for a specific service (for example FTP for file transfers), this option allows the ZyXEL Device to keep a record when your computer uses UPnP to create a NAT forwarding rule for that service. WAN Interface in UseThis field displays through which WAN interface the ZyXEL Device is currently sending out traffic from UPnP-enabled applications. This field displays None when UPnP is disabled or neither of the WAN ports has a connection.The following read-only table displays information about the UPnP-created NAT mapping rule entries in the ZyXEL Device s NAT routing table.#This is the index number of the UPnP-created NAT mapping rule entry.Remote Host This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyXEL Device forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port. When this field displays an external IP address, the NAT rule has the ZyXEL Device forward inbound packets to the Internal Client from that IP address only.
Chapter 16UPnPNBG410W3G Series User s Guide28416.4  Installing UPnP in Windows ExampleThis section shows how to install UPnP in Windows Me and Windows XP.  External Port This field displays the port number that the ZyXEL Device "listens# on (on the WAN port) for connection requests destined for the NAT rule s Internal Port and Internal Client. The ZyXEL Device forwards incoming packets (from the WAN) with this port number to the Internal Client on the Internal Port (on the LAN). If the field displays "0#, the ZyXEL Device ignores the Internal Port value and forwards requests on all external port numbers (that are otherwise unmapped) to the Internal Client.Protocol This field displays the protocol of the NAT mapping rule (TCP or UDP). Internal Port This field displays the port number on the Internal Client to which the ZyXEL Device should forward incoming connection requests.Internal Client This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use a single port simultaneously if the internal client field is set to 255.255.255.255 for UDP mappings.Enabled This field displays whether or not this UPnP-created NAT mapping rule is turned on. The UPnP-enabled device that connected to the ZyXEL Device and configured the UPnP-created NAT mapping rule on the ZyXEL Device determines whether or not the rule is enabled.Description This field displays a text explanation of the NAT mapping rule. Lease Duration This field displays a dynamic port-mapping rule s time to live (in seconds). It displays "0# if the port mapping is static.Apply Click Apply to save your changes.Refresh Click Refresh update the screen s table.Table 85   ADVANCED > UPnP > Ports (continued)LABEL DESCRIPTION
 Chapter 16UPnPNBG410W3G Series User s Guide 28516.4.1  Installing UPnP in Windows MeFollow the steps below to install UPnP in Windows Me. 1Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. 3In the Communications window, select the Universal Plug and Play check box in the Components selection box. 4Click OK to go back to the Add/Remove Programs Properties window and click Next.  5Restart the computer when prompted.
Chapter 16UPnPNBG410W3G Series User s Guide28616.4.2  Installing UPnP in Windows XPFollow the steps below to install UPnP in Windows XP.16.5  Using UPnP in Windows XP ExampleThis section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device.Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device. 1Click Start, Settings and Control Panel. 2Double-click Network Connections.3In the Network Connections window, click Advanced in the main menu and select Optional Networking Components !. The Windows Optional Networking Components Wizard window displays. 4Select Networking Service in the Components selection box and click Details. 5In the Networking Services window, select the Universal Plug and Play check box. 6Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
 Chapter 16UPnPNBG410W3G Series User s Guide 28716.5.1  Auto-discover Your UPnP-enabled Network Device1Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.2Right-click the icon and select Properties. 3In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
Chapter 16UPnPNBG410W3G Series User s Guide288When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.16.5.2  Web Configurator Easy AccessWith UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.4Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.5Double-click the icon to display your current Internet connection status.
 Chapter 16UPnPNBG410W3G Series User s Guide 289Follow the steps below to access the web configurator.1Click Start and then Control Panel. 2Double-click Network Connections. 3Select My Network Places under Other Places. 4An icon with the description for each UPnP-enabled device displays under Local Network. 5Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
Chapter 16UPnPNBG410W3G Series User s Guide2906Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device. EXAMPLE
NBG410W3G Series User s Guide 291CHAPTER  17 Custom ApplicationThis chapter covers how to set the ZyXEL Device!s to monitor custom port numbers for specific applications. 17.1  Custom Application Use custom application to have the ZyXEL Device!s ALG feature monitor traffic on custom ports, in addition to the default ports. By default, these ZyXEL Device features monitor traffic for the following protocols on these port numbers. FTP: 21 SIP: 5060 H.323: 1720 SMTP: 25 POP3: 110 HTTP: 80Changes in the Custom APP screen do not apply to the firewall.17.2  Custom Application Configuration Click ADVANCED > Custom APP to open the Custom Application screen. This screen only specifies what port numbers the ZyXEL Device checks for specific protocol traffic. Use other screens to enable or disable the monitoring of the protocol traffic.
Chapter 17Custom ApplicationNBG410W3G Series User s Guide292Figure 181   ADVANCED > Custom APP The following table describes the labels in this screen.  Table 86   ADVANCED > Custom APPLABEL DESCRIPTIONApplication Select the application for which you want the ZyXEL Device to monitor specific ports. You can use the same application in more than one entry. To remove an entry, select Select a Type.Description Enter information about the reason for monitoring custom port numbers for this protocol. Start Port Enter the starting port for the range that the ZyXEL Device is to monitor for this application. If you are only entering a single port number, enter it here.End Port Enter the ending port for the range that the ZyXEL Device is to monitor for this application.Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.
NBG410W3G Series User s Guide 293CHAPTER  18 ALG ScreenThis chapter covers how to use the ZyXEL Device!s ALG feature to allow certain applications to pass through the ZyXEL Device.18.1  ALG Introduction An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. The ZyXEL Device can function as an ALG to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyXEL Device. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets! data payload. The ZyXEL Device examines and uses IP address and port number information embedded in the data stream. When a device behind the ZyXEL Device uses an application for which the ZyXEL Device has ALG service enabled, the ZyXEL Device translates the device!s private IP address inside the data stream to a public IP address. It also records session port numbers and dynamically creates implicit NAT port forwarding and firewall rules for the application!s traffic to come in from the WAN to the LAN. 18.1.1  ALG and NATThe ZyXEL Device dynamically creates an implicit NAT session for the application!s traffic from the WAN to the LAN.The ALG on the ZyXEL Device supports all NAT mapping types, including One to One, Many to One, Many to Many Overload and Many One to One.18.1.2  ALG and the FirewallThe ZyXEL Device uses the dynamic port that the session uses for data transfer in creating an implicit temporary firewall rule for the session!s traffic. The firewall rule only allows the session!s traffic to go through in the direction that the ZyXEL Device determines from its inspection of the data payload of the application!s packets. The firewall rule is automatically deleted after the application!s traffic has gone through.
Chapter 18ALG ScreenNBG410W3G Series User s Guide29418.1.3  ALG and Multiple WANWhen the ZyXEL Device has two WAN interfaces and uses the second highest priority WAN interfaces as a back up, traffic cannot pass through when the primary WAN connection fails. The ZyXEL Device does not automatically change the connection to the secondary WAN interfaces.If the primary WAN connection fails, the client needs to re-initialize the connection through the secondary WAN interfaces to have the connection go through the secondary WAN interfaces. 18.2  FTPFile Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. The FTP ALG allows TCP packets with a port 21 destination to pass through. If the FTP server is located on the LAN, you must also configure NAT port forwarding and firewall rules if you want to allow access to the server from the WAN.18.3  H.323H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. NetMeeting uses H.323. 18.4  RTPWhen you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.18.4.1  H.323 ALG Details The H.323 ALG supports peer-to-peer H.323 calls. The H.323 ALG handles H.323 calls that go through NAT or that the ZyXEL Device routes. You can also make other H.323 calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet. The H.323 ALG allows calls to go out through NAT. For example, you could make a call from a private IP address on the LAN to a peer device on the WAN.  You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN or DMZ. The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B.
 Chapter 18ALG ScreenNBG410W3G Series User s Guide 295Figure 182   H.323 ALG Example  With multiple WAN IP addresses on the ZyXEL Device, you can configure different firewall and port forwarding rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN or DMZ. For example, you configure firewall and port forwarding rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. Figure 183   H.323 with Multiple WAN IP Addresses  The H.323 ALG operates on TCP packets with a port 1720 destination. The ZyXEL Device allows H.323 audio connections. 18.5  SIPThe Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks.18.5.1  STUNSTUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the VoIP device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the VoIP device to find the public IP address that NAT assigned, so the VoIP device can embed it in the SIP data stream. See RFC 3489 for details on STUN. You do not need to use STUN for devices behind the ZyXEL Device if you enable the SIP ALG.AB1212AB
Chapter 18ALG ScreenNBG410W3G Series User s Guide29618.5.2  SIP ALG Details SIP clients can be connected to the LAN or DMZ. A SIP server must be on the WAN.  You can make and receive calls between the LAN and the WAN, between the DMZ and the WAN. You cannot make a call between the LAN and the LAN, between the LAN and the DMZ, between the DMZ and the DMZ, and so on. The SIP ALG allows UDP packets with a port 5060 destination to pass through. The ZyXEL Device allows SIP audio connections. The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server. Figure 184   SIP ALG Example 18.5.3  SIP Signaling Session TimeoutMost SIP clients have an "expire# mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyXEL Device. If the SIP client does not have this mechanism and makes no calls during the ZyXEL Device SIP timeout default (60 minutes), the ZyXEL Device SIP ALG drops any incoming calls after the timeout period. 18.5.4  SIP Audio Session TimeoutIf no voice packets go through the SIP ALG before the timeout period (default 5 minutes) expires, the SIP ALG does not drop the call but blocks all voice traffic and deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation.18.6  ALG Screen Click ADVANCED > ALG to open the ALG screen. Use the ALG screen to turn individual ALGs off or on and set the SIP timeout. A12B
 Chapter 18ALG ScreenNBG410W3G Series User s Guide 297Figure 185   ADVANCED > ALG The following table describes the labels in this screen.  Table 87   ADVANCED > ALGLABEL DESCRIPTIONEnable FTP ALGSelect this check box to allow FTP sessions to pass through the ZyXEL Device. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail. Enable H.323 ALGSelect this check box to allow H.323 sessions to pass through the ZyXEL Device. H.323 is a protocol used for audio communications over networks. Enable SIP ALGSelect this check box to allow SIP sessions to pass through the ZyXEL Device. SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals over Internet Protocol.SIP Timeout Most SIP clients have an "expire# mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyXEL Device. If the SIP client does not have this mechanism and makes no calls during the ZyXEL Device SIP timeout (default 60 minutes), the ZyXEL Device SIP ALG drops any incoming calls after the timeout period. Enter the SIP signaling session timeout value.Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.
Chapter 18ALG ScreenNBG410W3G Series User s Guide298
299PART VILogs and MaintenanceLogs Screens  (301)Maintenance  (325)
300
NBG410W3G Series User s Guide 301CHAPTER  19 Logs ScreensThis chapter contains information about configuring general log settings and viewing the ZyXEL Device!s logs. Refer to Section 19.5 on page 312 for example log message explanations.19.1  Configuring View Log The web configurator allows you to look at all of the ZyXEL Device!s logs in one location. Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 19.3 on page 304). Options include logs about system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, java and cookies), attacks (such as DoS) and IPSec.Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Figure 186   LOGS > View Log
Chapter 19Logs ScreensNBG410W3G Series User s Guide302The following table describes the labels in this screen. 19.2  Log Description ExampleThe following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to the Section 19.5 on page 312 for more log message descriptions and the appendix for details on using the command line interpreter to display logs.#  .time                 source                 destination            notes    message  5|06/08/2004 05:58:20 |172.21.4.187:137      |172.21.255.255:137    |ACCESS BLOCK    Firewall default policy: UDP (W to W/ZW)Table 88   LOGS > View LogLABEL DESCRIPTIONDisplay  The categories that you select in the Log Settings page (see Section 19.3 on page 304) display in the drop-down list box.Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page. #This field displays the log number.Time  This field displays the time the log was recorded. See Section 20.4 on page 327 to configure the ZyXEL Device s time and date.Message This field states the reason for the log.Source This field lists the source IP address and the port number of the incoming packet.Destination  This field lists the destination IP address and the port number of the incoming packet.Note This field displays additional information about the log entry. Email Log Now  Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the E-mail Log Settings fields in Log Settings, see Section 19.3 on page 304).Refresh Click Refresh to renew the log screen. Clear Log  Click Clear Log to delete all the logs. Table 89   Log Description ExampleLABEL DESCRIPTION#This is log number five.time The log was generated on June 8, 2004 at 5:58 and 20 seconds AM. source The log was generated due to a NetBIOS packet sent from IP address 172.21.4.187 port 137. destination The NetBIOS packet was sent to the 172.21.255.255 subnet port 137. This was a NetBIOS UDP broadcast packet meant to discover devices on the network.
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 30319.2.1  About the Certificate Not Trusted LogmyZyXEL.com and the update server use certificates signed by VeriSign to identify themselves. If the ZyXEL Device does not have a CA certificate signed by VeriSign as a trusted CA, the ZyXEL Device will not trust the certificate from myZyXEL.com and the update server. The ZyXEL Device will generate a log like "Due to error code(11), cert not trusted: SSL/TLS peer certif..." for every time it attempt to establish a (HTTPS) connection with myZyXEL.com and the update server. The V4.00 default configuration file includes a trusted CA certificate signed by VeriSign. If you upgraded to ZyNOS V4.00 firmware without uploading the V4.00 default configuration file, you can download a CA certificate signed by VeriSign from myZyXEL.com and import it into the ZyXEL Device as a trusted CA. This will stop the ZyXEL Device from generating this log every time it attempts to connect with myzyxel.com and the update server.Follow the steps below to download the certificate from myZyXEL.com.1Go to http://www.myZyXEL.com and log in with your account.2Click Download Center and then Certificate Download.Figure 187   myZyXEL.com: Download Center3Click the link in the Certificate Download screen.notes The ZyXEL Device blocked the packet.message The ZyXEL Device blocked the packet in accordance with the firewall s default policy of blocking sessions that are initiated from the WAN. "UDP# means that this was a User Datagram Protocol packet. "W to W/ZW# indicates that the packet was traveling from the WAN to the WAN or the ZyXEL Device. Table 89   Log Description ExampleLABEL DESCRIPTION
Chapter 19Logs ScreensNBG410W3G Series User s Guide304Figure 188   myZyXEL.com: Certificate Download19.3  Configuring Log Settings To change your ZyXEL Device!s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where the ZyXEL Device is to send logs; the schedule for when the ZyXEL Device is to send the logs and which logs and/or immediate alerts the ZyXEL Device is to send. An alert is a type of log that warrants more serious attention. They include system errors, attacks (access control) and attempted access to blocked web sites or web sites with restricted web features such as cookies, active X and so on. Some categories such as System Errors consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display in black.Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full (see Log Schedule). Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 305Figure 189   LOGS > Log Settings
Chapter 19Logs ScreensNBG410W3G Series User s Guide306The following table describes the labels in this screen.   Table 90   LOGS > Log SettingsLABEL DESCRIPTIONE-mail Log SettingsMail Server  Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail. Mail Subject Type a title that you want to be in the subject line of the log e-mail message that the ZyXEL Device sends. Mail Sender Enter the e-mail address that you want to be in the from/sender line of the log e-mail message that the ZyXEL Device sends. If you activate SMTP authentication, the e-mail address must be able to be authenticated by the mail server as well.   Send Log To  Logs are sent to the e-mail address specified in this field. If this field is left blank, logs will not be sent via e-mail. Send Alerts To  Alerts are sent to the e-mail address specified in this field. If this field is left blank, alerts will not be sent via e-mail. Log Schedule This drop-down menu is used to configure the frequency of log messages being sent as E-mail: DailyWeeklyHourlyWhen Log is FullNone. If you select Weekly or Daily, specify a time of day when the E-mail should be sent. If you select Weekly, then also specify which day of the week the E-mail should be sent. If you select When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent. Day for Sending Log Use the drop down list box to select which day of the week to send the logs. Time for Sending Log Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. SMTP Authentication SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail logs.User Name Enter the user name (up to 31 characters) (usually the user name of a mail account).Password Enter the password associated with the user name above.Syslog Logging Syslog allows you to send system logs to a server.Syslog logging sends a log to an external syslog server.Active Click Active to enable syslog logging.Syslog Server  Enter the server name or IP address of the syslog server that will log the selected categories of logs.Log Facility  Select a location from the drop down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details.Active Log and AlertLog Select the categories of logs that you want to record. Logs include alerts.
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 30719.4  Configuring Reports The Reports screen displays which computers on the LAN or DMZ send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often. The ZyXEL Device can record and display the following network usage details: Web sites visited the most often Number of times the most visited web sites were visited The most-used protocols or service ports The amount of traffic for the most used protocols or service ports The LAN or DMZ IP addresses to and/or from which the most traffic has been sent How much traffic has been sent to and from the LAN or DMZ IP addresses to and/or from which the most traffic has been sentThe web site hit count may not be 100% accurate because sometimes when an individual web page loads, it may contain references to other web sites that also get counted as hits.The ZyXEL Device records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyXEL Device may count these as hits, thus the web hit count is not (yet) 100% accurate.Click LOGS > Reports to display the following screen. Send Immediate Alert  Select the categories of alerts for which you want the ZyXEL Device to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.Log ConsolidationActive Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log.You can use the sys log consolidate msglist command to see what log messages will be consolidated.Log Consolidation PeriodSpecify the time interval during which the ZyXEL Device merges logs with identical messages into one log. Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.Table 90   LOGS > Log Settings (continued)LABEL DESCRIPTION
Chapter 19Logs ScreensNBG410W3G Series User s Guide308Figure 190   LOGS > Reports Enabling the ZyXEL Device s reporting function decreases the overall throughput by about 1 Mbps.The following table describes the labels in this screen. Table 91   LOGS > Reports LABEL DESCRIPTIONCollect StatisticsSelect the check box and click Apply to have the ZyXEL Device record report data.Send Raw Traffic Statistics to Syslog Server for Analysis Select the check box and click Apply to have the ZyXEL Device send unprocessed traffic statistics to a syslog server for analysis. You must have the syslog server already configured in the Log Settings screen.Apply Click Apply to save your changes to the ZyXEL Device.Reset Click Reset to begin configuring this screen afresh.Interface Select on which interface (LAN or DMZ) the logs will be collected. The logs on the DMZ or LAN IP alias 1 and 2 are also recorded.Report Type Use the drop-down list box to select the type of reports to display.Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited.Protocol/Port displays the protocols or service ports that have been used the most and the amount of traffic for the most used protocols or service ports.Host IP Address displays the LAN or DMZ IP addresses to and /or from which the most traffic has been sent and how much traffic has been sent to and from those IP addresses.Refresh Click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen. Flush Click Flush to discard the old report data and update the report display.
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 309All of the recorded reports data is erased when you turn off the ZyXEL Device.19.4.1  Viewing Web Site HitsIn the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyXEL Device record and display which web sites have been visited the most often and how many times they have been visited.Figure 191   LOGS > Reports: Web Site Hits ExampleThe following table describes the label in this screen.19.4.2  Viewing Host IP AddressIn the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyXEL Device record and display the LAN or DMZ IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.Table 92   LOGS > Reports: Web Site Hits ReportLABEL DESCRIPTIONWeb Site This column lists the domain names of the web sites visited most often from computers on the LAN or DMZ. The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first. The ZyXEL Device counts each page viewed in a web site as another hit on the web site.Hits This column lists how many times each web site has been visited. The count starts over at 0 if a web site passes the hit count limit (see Table 95 on page 312).
Chapter 19Logs ScreensNBG410W3G Series User s Guide310Computers take turns using dynamically assigned LAN or DMZ IP addresses. The ZyXEL Device continues recording the bytes sent to or from a LAN or DMZ IP address when it is assigned to a different computer. Figure 192   LOGS > Reports: Host IP Address ExampleThe following table describes the labels in this screen.  19.4.3  Viewing Protocol/PortIn the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyXEL Device record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.Table 93   LOGS > Reports: Host IP AddressLABEL DESCRIPTIONIP Address This column lists the LAN or DMZ IP addresses to and/or from which the most traffic has been sent. The LAN or DMZ IP addresses are listed in descending order with the LAN or DMZ IP address to and/or from which the most traffic was sent listed first.Direction This field displays Incoming to denote traffic that is coming in from the WAN to the LAN or DMZ. This field displays Outgoing to denote traffic that is going out from the LAN or DMZ to the WAN.Amount This column displays how much traffic has gone to and from the listed LAN or DMZ IP addresses. The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies with the amount of traffic sent to and from the LAN or DMZ IP address. The count starts over at 0 if the total traffic sent to and from a LAN or DMZ IP passes the bytes count limit (see Table 95 on page 312).
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 311Figure 193   LOGS > Reports: Protocol/Port ExampleThe following table describes the labels in this screen.  Table 94   LOGS > Reports: Protocol/ PortLABEL DESCRIPTIONProtocol/Port This column lists the protocols or service ports for which the most traffic has gone through the ZyXEL Device. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.Direction This field displays Incoming to denote traffic that is coming in from the WAN to the LAN or DMZ. This field displays Outgoing to denote traffic that is going out from the LAN or DMZ to the WAN.Amount This column lists how much traffic has been sent and/or received for each protocol or service port. The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies with the amount of traffic for the particular protocol or service port. The count starts over at 0 if a protocol or port passes the bytes count limit (see Table 95 on page 312).
Chapter 19Logs ScreensNBG410W3G Series User s Guide31219.4.4  System Reports SpecificationsThe following table lists detailed specifications on the reports feature.19.5  Log DescriptionsThis section provides descriptions of example log messages. Table 95   Report SpecificationsLABEL DESCRIPTIONNumber of web sites/protocols or ports/IP addresses listed:20Hit count limit: Up to 232 hits can be counted per web site. The count starts over at 0 if it passes four billion.Bytes count limit:Up to 264 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 264 bytes.Table 96   System Maintenance LogsLOG MESSAGE DESCRIPTIONTime calibration is successfulThe router has adjusted its time based on information from the time server.Time calibration failed The router failed to get information from the time server.WAN interface gets IP: %s A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.DHCP client IP expired A DHCP client's IP address has expired.DHCP server assigns %s The DHCP server assigned an IP address to a client.Successful WEB login Someone has logged on to the router's web configurator interface.WEB login failed Someone has failed to log on to the router's web configurator interface.Successful TELNET login Someone has logged on to the router via telnet.TELNET login failed Someone has failed to log on to the router via telnet.Successful FTP login Someone has logged on to the router via FTP.FTP login failed Someone has failed to log on to the router via FTP.NAT Session Table is Full! The maximum number of NAT session table entries has been exceeded and the table is full.Starting Connectivity MonitorStarting Connectivity Monitor.Time initialized by Daytime ServerThe router got the time and date from the Daytime server.Time initialized by Time serverThe router got the time and date from the time server.Time initialized by NTP serverThe router got the time and date from the NTP server.
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 313Connect to Daytime server failThe router was not able to connect to the Daytime server.Connect to Time server fail The router was not able to connect to the Time server.Connect to NTP server fail The router was not able to connect to the NTP server.Too large ICMP packet has been droppedThe router dropped an ICMP packet that was too large.Configuration Change: PC = 0x%x, Task ID = 0x%xThe router is saving configuration changes.Successful SSH login Someone has logged on to the router s SSH server.SSH login failed Someone has failed to log on to the router s SSH server.Successful HTTPS login Someone has logged on to the router's web configurator interface using HTTPS protocol.HTTPS login failed Someone has failed to log on to the router's web configurator interface using HTTPS protocol.DNS server %s was not responding to last 32 consecutive queries!The specified DNS server did not respond to the last 32 consecutive queries.DDNS update IP:%s (host %d) successfullyThe device updated the IP address of the specified DDNS host name.SMTP successfully The device sent an e-mail.Table 97   System Error LogsLOG MESSAGE DESCRIPTION%s exceeds the max. number of session per host!This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.setNetBIOSFilter: calloc errorThe router failed to allocate memory for the NetBIOS filter settings.readNetBIOSFilter: calloc errorThe router failed to allocate memory for the NetBIOS filter settings.WAN connection is down. A WAN connection is down. You cannot access the network through this interface.DHCP Server cannot assign the static IP %S (out of range).The LAN subnet, LAN alias 1, or LAN alias 2 was changed and the specified static DHCP IP addresses are no longer valid.The DHCP static IP %s is conflict.The static DHCP IP address conflicts with another host.SMTP fail (%s) The device failed to send an e-mail (error message included).SMTP authentication fail (%s)The device failed to authenticate with the SMTP server (error message included).Table 96   System Maintenance Logs (continued)LOG MESSAGE DESCRIPTION
Chapter 19Logs ScreensNBG410W3G Series User s Guide314  Table 98   Access Control LogsLOG MESSAGE DESCRIPTIONFirewall default policy: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy s setting.Firewall rule [NOT] match:[ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>, <rule:%d>Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule. Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]The firewall allowed a triangle route session to pass through.Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]The router blocked a packet that didn't have a corresponding NAT table entry.Router sent blocked web site message: TCPThe router sent a message to notify a user that the router blocked access to a web site that the user requested.Exceed maximum sessions per host (%d).The device blocked a session because the host's connections exceeded the maximum sessions per host.Firewall allowed a packet that matched a NAT session: [ TCP | UDP ]A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.Table 99   TCP Reset LogsLOG MESSAGE DESCRIPTIONUnder SYN flood attack, sent TCP RSTThe router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.) Exceed TCP MAX incomplete, sent TCP RSTThe router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.) Note: Refer to TCP Maximum Incomplete in the Firewall Attack Alerts screen. Peer TCP state out of order, sent TCP RSTThe router sent a TCP reset packet when a TCP connection state was out of order.Note: The firewall refers to RFC793 Figure 6 to check the TCP state.Firewall session time out, sent TCP RSTThe router sent a TCP reset packet when a dynamic firewall session timed out.The default timeout values are as follows:ICMP idle timeout: 3 minutesUDP idle timeout:  3 minutesTCP connection (three way handshaking) timeout: 270 secondsTCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header).TCP idle (established) timeout (s): 150 minutesTCP reset timeout: 10 seconds
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 315  For type and code details, see Table 110 on page 321.Exceed MAX incomplete, sent TCP RSTThe router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.)Note: When the number of incomplete connections (TCP + UDP) > "Maximum Incomplete High#, the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < "Maximum Incomplete Low#.Access block, sent TCP RSTThe router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: "sys firewall tcprst").Table 100   Packet Filter LogsLOG MESSAGE DESCRIPTION[ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set: %d, rule: %d)Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.Table 101   ICMP LogsLOG MESSAGE DESCRIPTIONFirewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>ICMP access matched the default policy and was blocked or forwarded according to the user's setting.Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>ICMP access matched (or didn t match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule. Triangle route packet forwarded: ICMPThe firewall allowed a triangle route session to pass through.Packet without a NAT table entry blocked: ICMPThe router blocked a packet that didn t have a corresponding NAT table entry.Unsupported/out-of-order ICMP: ICMPThe firewall does not support this kind of ICMP packets or the ICMP packets are out of order.Router reply ICMP packet: ICMP The router sent an ICMP reply packet to the sender.Table 102   Remote Management LogsLOG MESSAGE DESCRIPTIONRemote Management: FTP denied Attempted use of FTP service was blocked according to remote management settings.Remote Management: TELNET denied Attempted use of TELNET service was blocked according to remote management settings.Remote Management: HTTP or UPnP deniedAttempted use of HTTP or UPnP service was blocked according to remote management settings.Remote Management: WWW denied Attempted use of WWW service was blocked according to remote management settings.Table 99   TCP Reset Logs (continued)LOG MESSAGE DESCRIPTION
Chapter 19Logs ScreensNBG410W3G Series User s Guide316    Remote Management: HTTPS denied Attempted use of HTTPS service was blocked according to remote management settings.Remote Management: SSH denied Attempted use of SSH service was blocked according to remote management settings.Remote Management: ICMP Ping response deniedAttempted use of ICMP service was blocked according to remote management settings.Remote Management: SNMP denied Attempted use of SNMP service was blocked according to remote management settings.Remote Management: DNS denied Attempted use of DNS service was blocked according to remote management settings.Table 103   CDR LogsLOG MESSAGE DESCRIPTIONboard %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %sThe router received the setup requirements for a call. "call# is the reference (count) number of the call. "dev# is the device type (3 is for dial-up, 6 is for PPPoE, 10 is for PPTP). "channel" or "ch# is the call channel ID. For example, "board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0 "Means the router has dialed to the PPPoE server 3 times.board %d line %d channel %d, call %d, %s C02 OutCall Connected %d %sThe PPPoE, PPTP or dial-up call is connected.board %d line %d channel %d, call %d, %s C02 Call TerminatedThe PPPoE, PPTP or dial-up call was disconnected.Table 104   PPP LogsLOG MESSAGE DESCRIPTIONppp:LCP Starting The PPP connection s Link Control Protocol stage has started.ppp:LCP Opening The PPP connection s Link Control Protocol stage is opening.ppp:CHAP Opening The PPP connection s Challenge Handshake Authentication Protocol stage is opening.ppp:IPCP StartingThe PPP connection s Internet Protocol Control Protocol stage is starting.ppp:IPCP Opening The PPP connection s Internet Protocol Control Protocol stage is opening.ppp:LCP Closing The PPP connection s Link Control Protocol stage is closing.ppp:IPCP Closing The PPP connection s Internet Protocol Control Protocol stage is closing.Table 105   UPnP LogsLOG MESSAGE DESCRIPTIONUPnP pass through Firewall UPnP packets can pass through the firewall.Table 102   Remote Management LogsLOG MESSAGE DESCRIPTION
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 317For type and code details, see Table 110 on page 321.Table 106   Attack LogsLOG MESSAGE DESCRIPTIONattack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.attack ICMP (type:%d, code:%d)The firewall detected an ICMP attack. land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.land ICMP (type:%d, code:%d)The firewall detected an ICMP land attack. ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]The firewall detected an IP spoofing attack on the WAN port.ip spoofing - WAN ICMP (type:%d, code:%d)The firewall detected an ICMP IP spoofing attack on the WAN port. icmp echo : ICMP (type:%d, code:%d)The firewall detected an ICMP echo attack. syn flood TCP The firewall detected a TCP syn flood attack.ports scan TCP The firewall detected a TCP port scan attack.teardrop TCP The firewall detected a TCP teardrop attack.teardrop UDP The firewall detected an UDP teardrop attack.teardrop ICMP (type:%d, code:%d)The firewall detected an ICMP teardrop attack. illegal command TCP The firewall detected a TCP illegal command attack.NetBIOS TCP The firewall detected a TCP NetBIOS attack.ip spoofing - no routing entry [ TCP | UDP | IGMP | ESP | GRE | OSPF ]The firewall classified a packet with no source routing entry as an IP spoofing attack.ip spoofing - no routing entry ICMP (type:%d, code:%d)The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack.vulnerability ICMP (type:%d, code:%d)The firewall detected an ICMP vulnerability attack. traceroute ICMP (type:%d, code:%d)The firewall detected an ICMP traceroute attack. ports scan UDP The firewall detected a UDP port scan attack.Firewall sent TCP packet in response to DoS attack TCPThe firewall sent TCP packet in response to a DoS attackICMP Source Quench ICMP The firewall detected an ICMP Source Quench attack.ICMP Time Exceed ICMP The firewall detected an ICMP Time Exceed attack.ICMP Destination Unreachable ICMPThe firewall detected an ICMP Destination Unreachable attack.ping of death. ICMP The firewall detected an ICMP ping of death attack.smurf ICMP The firewall detected an ICMP smurf attack.
Chapter 19Logs ScreensNBG410W3G Series User s Guide318 IP address in FTP port command is different from the client IP address. It maybe a bounce attack.The IP address in an FTP port command is different from the client IP address. It may be a bounce attack.Fragment packet size is smaller than the MTU size of output interface.The fragment packet size is smaller than the MTU size of output interface.Table 107   3G LogsLOG MESSAGE DESCRIPTIONSIM/3G interface mismatch: %s.The ID number of the currently selected interface or SIM card is different from the previous one configured for budget control.Preconfigured SIM card/3G interface doesn"t match inserted card. Might need to reconfigure budget control settings.The 3G interface is different from the previous one configured for budget control. You may need to reconfigure budget control settings specific to the current user account.Budget counters are reset, budget control is resumed.The ZyXEL Device restarted budget calculation from 0 after resetting the existing statistics.Budget control is resumed.  The ZyXEL Device kept the existing budget control statistics and continue a counting.Budget control is disabled. Budget control is deactivated for the user account of the 3G interface on the ZyXEL Device.Skip 3G SIM authentication because 3G configuration is not set.The ZyXEL Device skipped SIM card authentication because the PIN code is not specified or SIM card authentication is disabled.3G SIM authentication failed because of no response from SIM card.SIM card authentication failed because the ZyXEL Device received a SIM busy message three times when querying for the card status.3G SIM card PIN code is incorrect.The specified PIN code does not match the 3G interface.SIM card not inserted or damaged.There is no SIM card inserted or the SIM card is damaged.3G connection has been dropped - %s.The 3G connection has been dropped due to the specific reason, such as idle timeout, manual disconnection, failure to get an IP address, switching to WAN 1, ping check failure, connection reset, and so on.Warning: (%IMSI% or %ESN%) Over time budget! (budget = %CONFIGURED_BUDGET% hours, used = %USED_VOLUME%(2 decimals) hours).This shows that the preconfigured time budget was exceeded. This also displays the ID number of the selected 3G interface or SIM card and the 3G connection s usage time in hours.Warning: (%IMSI% or %ESN%) Over %THRESHOLD%% of time budget (%REMAIN_BUDGET%(2 decimals) hours remain in %CONFIGURED_BUDGET% hours budget).This shows that the specified percentage of the time budget was exceeded. This also displays the ID number of the selected 3G interface or SIM card and the amount of time (in hours) the 3G connection can still be used.Table 106   Attack Logs (continued)LOG MESSAGE DESCRIPTION
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 319 Warning: (%ESN% or %IMSI%) Over data budget! (budget =%CONFIGURED_BUDGET%(2 decimals Mbytes, used = %USED_VOLUME%(2 decimals) Mbytes).This shows that the preconfigured data limit was exceeded. The ID number of the selected 3G interface or SIM card is displayed. The amount of data (in Mbytes) sent and/or received (depending on your configuration) through the 3G connection is also displayed.Warning: (%ESN% or %IMSI%) Over %THRESHOLD%% of data budget (%REMAIN_BUDGET%(2 decimals) Mbytes remain in %CONFIGURED_BUDGET% Mbytes budget).This shows that the specified percentage of data limit was exceeded. This also displays the ID number of the selected 3G interface or SIM card and how much data (in Mbytes) can still be transmitted through the 3G connection.Table 108   PKI LogsLOG MESSAGE DESCRIPTIONEnrollment successful The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.Enrollment failed The SCEP online certificate enrollment failed. The Destination field records the certification authority server s IP address and port.Failed to resolve <SCEP CA server url>The SCEP online certificate enrollment failed because the certification authority server s address cannot be resolved.Enrollment successful The CMP online certificate enrollment was successful. The Destination field records the certification authority server s IP address and port.Enrollment failed The CMP online certificate enrollment failed. The Destination field records the certification authority server s IP address and port.Failed to resolve <CMP CA server url>The CMP online certificate enrollment failed because the certification authority server s IP address cannot be resolved.Rcvd ca cert: <subject name>The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.Rcvd user cert: <subject name>The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.Rcvd CRL <size>: <issuer name>The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.Rcvd ARL <size>: <issuer name>The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field.Failed to decode the received ca certThe router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field.Failed to decode the received user certThe router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field.Failed to decode the received CRLThe router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field.Table 107   3G Logs (continued)LOG MESSAGE DESCRIPTION
Chapter 19Logs ScreensNBG410W3G Series User s Guide320 Failed to decode the received ARLThe router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field.Rcvd data <size> too large! Max size allowed: <max size>The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded.Cert trusted: <subject name>The router has verified the path of the certificate with the listed subject name.Due to <reason codes>, cert not trusted: <subject name>Due to the reasons listed, the certificate with the listed subject name has not passed the path verification. The recorded reason codes are only approximate reasons for not trusting the certificate. Please see Table 113 on page 320 for the corresponding descriptions of the codes.CODE DESCRIPTION1Algorithm mismatch between the certificate and the search constraints.2Key usage mismatch between the certificate and the search constraints.3Certificate was not valid in the time interval.4(Not used)5Certificate is not valid.6Certificate signature was not verified correctly.7Certificate was revoked by a CRL.8Certificate was not added to the cache.9Certificate decoding failed.10 Certificate was not found (anywhere).11 Certificate chain looped (did not find trusted root).12 Certificate contains critical extension that was not handled. 13 Certificate issuer was not valid (CA specific information missing).14 (Not used)15 CRL is too old.16 CRL is not valid.17 CRL signature was not verified correctly.18 CRL was not found (anywhere).19 CRL was not added to the cache.20 CRL decoding failed.21 CRL is not currently valid, but in the future.22 CRL contains duplicate serial numbers.23 Time interval is not continuous.24 Time information not available.25 Database method failed due to timeout.26 Database method failed.Table 108   PKI Logs (continued)LOG MESSAGE DESCRIPTION
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 321 27 Path was not verified.28 Maximum path length reached.Table 109   ACL Setting NotesPACKET DIRECTION DIRECTION DESCRIPTION(L to W)LAN to WANACL set for packets traveling from the LAN to the WAN.(W to L)WAN to LANACL set for packets traveling from the WAN to the LAN.(D to L)DMZ to LANACL set for packets traveling from the DMZ to the LAN.(D to W)DMZ to WANACL set for packets traveling from the DMZ to the WAN.(W to D)WAN to DMZACL set for packets traveling from the WAN to the DMZ.(L to D)LAN to DMZACL set for packets traveling from the LAN to the DMZ.(L to L/ZW)LAN to LAN/ZyXEL DeviceACL set for packets traveling from the LAN to the LAN or the ZyXEL Device.(W to W/ZW)WAN to WAN/ZyXEL DeviceACL set for packets traveling from the WAN to the WAN or the ZyXEL Device.(D to D/ZW)DMZ to DMZ/ZyXEL DeviceACL set for packets traveling from the DMZ to the DM or the ZyXEL Device.Table 110   ICMP NotesTYPE CODE DESCRIPTION0Echo Reply0Echo reply message3Destination Unreachable0Net unreachable1Host unreachable2Protocol unreachable3Port unreachable4A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)5Source route failed4Source Quench0A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.5Redirect0Redirect datagrams for the Network1Redirect datagrams for the Host2Redirect datagrams for the Type of Service and Network3Redirect datagrams for the Type of Service and Host8EchoCODE DESCRIPTION
Chapter 19Logs ScreensNBG410W3G Series User s Guide3220Echo message11 Time Exceeded0Time to live exceeded in transit1Fragment reassembly time exceeded12 Parameter Problem0Pointer indicates the error13 Timestamp0Timestamp request message14 Timestamp Reply0Timestamp reply message15 Information Request0Information request message16 Information Reply0Information reply messageTable 110   ICMP Notes (continued)TYPE CODE DESCRIPTION
 Chapter 19Logs ScreensNBG410W3G Series User s Guide 32319.6  Syslog LogsThere are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped the amount of traffic that was sent and received and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.  Table 111   Syslog LogsLOG MESSAGE DESCRIPTIONEvent Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"This message is sent by the system ("RAS" displays as the system name if you haven t configured one) when the router generates a syslog. The facility is defined in the web MAIN MENU > LOGS > Log Settings page. The severity is the log s syslog class. The definition of messages and notes are defined in the other log tables. The "devID# is the MAC address of the router s LAN port. The "cat# is the same as the category in the router s logs.Traffic Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal"This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DMZ", "LAN:DEV" for example).Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="<0|1>" ob_mac="<mac address>" msg="<msg>"  note="<note>" devID="<mac address>" cat="<category>"This message is sent by the device ("RAS" displays as the system name if you haven t configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU > LOGS > Log Settings page. The severity is the log s syslog class. The definition of messages and notes are defined in the other log tables. OB is the Out Break flag and the mac address of the Out Break PC.Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>"  ob="0|1" ob_mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="Anti Virus" encode="< uu | b64 >"This message is sent by the device ("RAS" displays as the system name if you haven t configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU > LOGS > Log Settings page. The severity is the log s syslog class. The "encode" message indicates the mail attachments encoding method. The definition of messages and notes are defined in the Anti-Virus log descriptions.
Chapter 19Logs ScreensNBG410W3G Series User s Guide324The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="<0|1>" ob_mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="IDP" class="<idp class>" sid="<idp sid> act="<idp action>" count="1"This message is sent by the device ("RAS" displays as the system name if you haven t configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU > LOGS > Log Settings page. The severity is the log s syslog class. The definition of messages and notes are defined in the IDP log descriptions.Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="<0|1>" ob_mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="Anti Spam" 1stReIP="<IP>"This message is sent by the device ("RAS" displays as the system name if you haven t configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU > LOGS > Log Settings page. The severity is the log s syslog class. 1stReIP is the IP address of the first mail relay server. The definition of messages and notes are defined in the Anti-Spam log descriptions.Table 112   RFC-2408 ISAKMP Payload TypesLOG DISPLAY PAYLOAD TYPESA Security AssociationPROP ProposalTRANS TransformKE Key ExchangeID IdentificationCER CertificateCER_REQ Certificate RequestHASH HashSIG SignatureNONCE NonceNOTFY NotificationDEL DeleteVID Vendor IDTable 111   Syslog Logs (continued)LOG MESSAGE DESCRIPTION
NBG410W3G Series User s Guide 325CHAPTER  20 MaintenanceThis chapter displays information on the maintenance screens.20.1  Maintenance OverviewThe maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyXEL Device. 20.2  General Setup and System NameGeneral Setup contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".  In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name. In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name. In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyXEL Device System Name.20.2.1  General Setup Click MAINTENANCE to open the General screen. Use this screen to configure administrative and system-related information.
Chapter 20MaintenanceNBG410W3G Series User s Guide326Figure 194   MAINTENANCE > General SetupThe following table describes the labels in this screen. 20.3  Configuring Password Click MAINTENANCE > Password to open the following screen. Use this screen to change the ZyXEL Device!s management password.Table 113   MAINTENANCE > General SetupLABEL DESCRIPTIONGeneral SetupSystem Name Choose a descriptive name for identification purposes. It is recommended you enter your computer s "Computer name# in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-# and underscores "_" are accepted.Domain Name The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name), the domain name can be assigned from the ZyXEL Device via DHCP.Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP assigned domain name.Administrator Inactivity TimerType how many minutes a management session (via the web configurator) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.
 Chapter 20MaintenanceNBG410W3G Series User s Guide 327Figure 195   MAINTENANCE > Password The following table describes the labels in this screen.   20.4  Time and Date The ZyXEL Device!s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyXEL Device.To change your ZyXEL Device!s time and date, click MAINTENANCE > Time and Date. The screen appears as shown. Use this screen to configure the ZyXEL Device!s time based on your local time zone. Table 114   MAINTENANCE > PasswordLABEL DESCRIPTIONOld Password Type the default password or the existing password you use to access the system in this field. If you forget the password, you may have to use the hardware RESET button. This restores the default password of 1234.New Password Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type.Retype to Confirm Type the new password again for confirmation.Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.
Chapter 20MaintenanceNBG410W3G Series User s Guide328Figure 196   MAINTENANCE > Time and DateThe following table describes the labels in this screen.  Table 115   MAINTENANCE > Time and DateLABEL DESCRIPTIONCurrent Time and DateCurrent Time  This field displays the ZyXEL Device s present time.Current Date  This field displays the ZyXEL Device s present date.Time and Date SetupManual Select this radio button to enter the time and date manually. If you configure a new time and date, Time Zone and Daylight Saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.New Time (hh:mm:ss)This field displays the last updated time from the time server or the last time configured manually.When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. New Date        (yyyy-mm-dd)This field displays the last updated date from the time server or the last date configured manually.When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.Get from Time ServerSelect this radio button to have the ZyXEL Device get the time and date from the time server you specified below.
 Chapter 20MaintenanceNBG410W3G Series User s Guide 329Time Protocol Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868).  Time Server AddressEnter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.Synchronize Now Click this button to have the ZyXEL Device get the time and date from a time server (see the Time Server Address field). This also saves your changes (including the time server address).Time Zone SetupTime Zone Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). Enable Daylight Saving Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.Select this option if you use Daylight Saving Time.Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples:Daylight Saving Time starts in most parts of the United States on the second Sunday of March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Second, Sunday, March and type 2 in the o'clock field.Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples:Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, November and type 2 in the o'clock field.Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Apply Click Apply to save your changes.Reset Click Reset to begin configuring this screen afresh.Table 115   MAINTENANCE > Time and Date (continued)LABEL DESCRIPTION
Chapter 20MaintenanceNBG410W3G Series User s Guide33020.5  Pre-defined NTP Time Server PoolsWhen you turn on the ZyXEL Device for the first time, the date and time start at 2000-01-01 00:00:00. The ZyXEL Device then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools. These are virtual clusters of time servers that use a round robin method to provide different NTP servers to clients.  The ZyXEL Device continues to use the NTP time server pools if you do not specify a time server or it cannot synchronize with the time server you specified. The ZyXEL Device can use the NTP time server pools regardless of the time protocol you select.When the ZyXEL Device uses the NTP time server pools, it randomly selects one pool and tries to synchronize with a server in it. If the synchronization fails, then the ZyXEL Device goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time server pools have been tried.20.5.1  Resetting the TimeThe ZyXEL Device resets the time in the following instances: When you click Synchronize Now. On saving your changes.  When the ZyXEL Device starts up. 24-hour intervals after starting.20.5.2  Time Server SynchronizationClick the Synchronize Now button to get the time and date from the predefined time server or the time server you specified in the Time Server Address field. When the System Time and Date Synchronization in Process screen appears, wait up to one minute.Figure 197   Synchronization in ProcessClick the Return button to go back to the Time and Date screen after the time and date is updated successfully.
 Chapter 20MaintenanceNBG410W3G Series User s Guide 331Figure 198   Synchronization is SuccessfulIf the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.Figure 199   Synchronization Fail20.6  F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "NBG410W3G.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. Click MAINTENANCE > F/W UPLOAD. Follow the instructions in this screen to upload firmware to your ZyXEL Device. Only upload firmware for your specific model!
Chapter 20MaintenanceNBG410W3G Series User s Guide332Figure 200   MAINTENANCE > Firmware UploadThe following table describes the labels in this screen.Do not turn off the ZyXEL Device while firmware upload is in progress!After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyXEL Device again. Figure 201   Firmware Upload In ProcessThe ZyXEL Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.Table 116   MAINTENANCE > Firmware UploadLABEL DESCRIPTIONFile Path  Type in the location of the file you want to upload in this field or click Browse ... to find it.Browse...  Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload  Click Upload to begin the upload process. This process may take up to two minutes.
 Chapter 20MaintenanceNBG410W3G Series User s Guide 333Figure 202   Network Temporarily DisconnectedAfter two minutes, log in again and check your new firmware version in the HOME screen.If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.Figure 203   Firmware Upload Error20.7  Backup and Restore  Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
Chapter 20MaintenanceNBG410W3G Series User s Guide334Figure 204   MAINTENANCE > Backup and Restore20.7.1  Backup Configuration Backup configuration allows you to back up (save) the ZyXEL Device!s current configuration to a file on your computer. Once your ZyXEL Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the ZyXEL Device!s current configuration to your computer.20.7.2  Restore Configuration Load a configuration file from your computer to your ZyXEL Device.Do not turn off the ZyXEL Device while configuration file upload is in progress.Table 117   Restore ConfigurationLABEL DESCRIPTIONFile Path  Type in the location of the file you want to upload in this field or click Browse ... to find it.Browse...  Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them. Upload  Click Upload to begin the upload process.
 Chapter 20MaintenanceNBG410W3G Series User s Guide 335After you see a "restore configuration successful# screen, you must then wait one minute before logging into the ZyXEL Device again. Figure 205   Configuration Upload SuccessfulThe ZyXEL Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.Figure 206   Network Temporarily DisconnectedIf you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer!s IP address.If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. Figure 207   Configuration Upload Error20.7.3  Back to Factory Defaults Click the Reset button to clear all user-entered configuration information and return the ZyXEL Device to its factory defaults as shown on the screen. The following warning screen appears.
Chapter 20MaintenanceNBG410W3G Series User s Guide336Figure 208   Reset Warning MessageYou can also press the hardware RESET button to reset the factory defaults of your ZyXEL Device. Refer to Section 2.3 on page 45 for more information on the RESET button.20.8  Restart Screen System restart allows you to reboot the ZyXEL Device without turning the power off. Click MAINTENANCE > Restart. Click Restart to have the ZyXEL Device reboot. Restart is different to reset; (see Section 20.7.3 on page 335) reset returns the device to its default configuration.Figure 209   MAINTENANCE > Restart
337PART VIITroubleshooting and SpecificationsTroubleshooting  (339)Product Specifications  (345)
338
NBG410W3G Series User s Guide 339CHAPTER  21 TroubleshootingThis chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.  Power, Hardware Connections, and LEDs ZyXEL Device Access and Login Internet Access 3G Connection21.1  Power, Hardware Connections, and LEDsThe ZyXEL Device does not turn on. None of the LEDs turn on.1Make sure the ZyXEL Device is turned on. 2Make sure you are using the power adaptor or cord included with the ZyXEL Device.3Make sure the power adaptor is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure the power source is turned on.4Turn the ZyXEL Device off and on or disconnect and re-connect the power adaptor to the ZyXEL Device. 5If the problem continues, contact the vendor.One of the LEDs does not behave as expected.1Make sure you understand the normal behavior of the LED. See Section 1.5.1 on page 39.2Check the hardware connections. See the Quick Start Guide. 3Inspect your cables for damage. Contact the vendor to replace any damaged cables.4Turn the ZyXEL Device off and on or disconnect and re-connect the power adaptor to the ZyXEL Device. 5If the problem continues, contact the vendor.
Chapter 21TroubleshootingNBG410W3G Series User s Guide34021.2  ZyXEL Device Access and LoginI forgot the LAN IP address for the ZyXEL Device.1The default LAN IP address is 192.168.1.1.2Use the console port to log in to the ZyXEL Device. 3If you changed the IP address and have forgotten it, you might get the IP address of the ZyXEL Device by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the ZyXEL Device (it depends on the network), so enter this IP address in your Internet browser. 4If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 45.I forgot the password.1The default password is 1234.2If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 45.I cannot see or access the Login screen in the web configurator.1Make sure you are using the correct IP address. The default LAN IP address is 192.168.1.1. Use the ZyXEL Device!s LAN IP address when configuring from the LAN. Use the ZyXEL Device!s WAN IP address when configuring from the WAN. If you changed the LAN IP address (Section 5.7 on page 104), use the new IP address. If you changed the LAN IP address and have forgotten it, see the troubleshooting suggestions for I forgot the LAN IP address for the ZyXEL Device.2Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5.1 on page 39. 3Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled. See Appendix A on page 353.4Make sure your computer's Ethernet adapter is installed and functioning properly.5Make sure your computer is in the same subnet as the ZyXEL Device. (If you know that there are routers between your computer and the ZyXEL Device, skip this step.)
 Chapter 21TroubleshootingNBG410W3G Series User s Guide 341 If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Appendix B on page 361. Your ZyXEL Device is a DHCP server by default.  6Reset the device to its factory defaults, and try to access the ZyXEL Device with the default IP address. See Section 2.3 on page 45. 7If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.Advanced Suggestions Try to access the ZyXEL Device using another service, such as Telnet. If you can access the ZyXEL Device, check the remote management settings, and firewall rules to find out why the ZyXEL Device does not respond to HTTP.  If your computer is connected to the WAN port or is connected wirelessly, use a computer that is connected to a LAN port. You may also need to clear your Internet browser!s cache.In Internet Explorer, click Tools and then Internet Options to open the Internet Options screen. In the General tab, click Delete Files. In the pop-up window, select the Delete all offline content check box and click OK. Click OK in the Internet Options screen to close it. If you disconnect your computer from one device and connect it to another device that has the same IP address, your computer!s ARP (Address Resolution Protocol) table may contain an entry that maps the management IP address to the previous device!s MAC address). In Windows, use arp -d at the command prompt to delete all entries in your computer!s ARP table.I can see the Login screen, but I cannot log in to the ZyXEL Device.1Make sure you have entered the password correctly. The default password is 1234. These fields are case-sensitive, so make sure [Caps Lock] is not on. 2You cannot log in to the web configurator while someone is using Telnet, or the console port to access the ZyXEL Device. Log out of the ZyXEL Device in the other session, or ask the person who is logged in to log out.3Turn the ZyXEL Device off and on or disconnect and re-connect the power adaptor or cord to the ZyXEL Device. 4If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 45.I cannot Telnet to the ZyXEL Device.See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.
Chapter 21TroubleshootingNBG410W3G Series User s Guide342I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.21.3  Internet AccessI cannot get a WAN IP address from the ISP.1The ISP provides the WAN IP address after authenticating you. Authentication may be through the user name and password, the MAC address or the host name.The username and password apply to PPPoE and PPPoA encapsulation only. Make sure that you have entered the correct Service Type, User Name and Password (be sure to use the correct casing). Refer to the WAN setup chapter (web configurator).2Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. 3If the problem continues, contact your ISP.I cannot access the Internet.1Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5.1 on page 39.2Make sure you entered your ISP account information correctly in the wizard, or WAN screen. These fields are case-sensitive, so make sure [Caps Lock] is not on. 3If you are trying to access the Internet wirelessly, make sure the wireless settings in the wireless client are the same as the settings in the AP. 4Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. 5If the problem continues, contact your ISP. I cannot access the Internet anymore. I had access to the Internet (with the ZyXEL Device), but my Internet connection is not available anymore.
 Chapter 21TroubleshootingNBG410W3G Series User s Guide 3431Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5.1 on page 39. 2If you use PPPoA or PPPoE encapsulation, check the idle time-out setting. Refer to the Chapter 6 on page 111. 3Reboot the ZyXEL Device. 4If the problem continues, contact your ISP. The Internet connection is slow or intermittent.1There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.5.1 on page 39. If the ZyXEL Device is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications. 2Check the signal strength. If the signal strength is low, try moving the ZyXEL Device closer to the AP if possible, and look around to see if there are any devices that might be interfering with the wireless network (for example, microwaves, other wireless networks, and so on).3Reboot the ZyXEL Device. 4If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.21.4  3G ConnectionThe 3G OPERATION LED is off. Check the 3G SIM card is correctly inserted. See the Quick Start Guide for instructions. Check your 3G settings are correctly configured in the 3G screen, including your PIN, user name and password (if required) and telephone number (required). Use the information provided by your 3G ISP for your 3G user account.  If you have used a different 3G SIM card with this device previously, the 3G card may have stored the settings for your previous SIM card. Ensure you have entered the correct settings for your current SIM card and click Apply.  Check that you have selected the correct 3G interface in the 3G (WAN2) screen. Check the HOME screen. An error message displays in the HOME screen if you have entered the incorrect PIN in the 3G (WAN2) screen. Check your 3G connection status in the HOME screen. If WAN2 has no IP address, click Dial to request your 3G ISP for an IP address. Check your 3G account status with your 3G service provider.
Chapter 21TroubleshootingNBG410W3G Series User s Guide344The 3G SIGNAL STRENGTH LED shows the 3G signal is weak or not available. Check that your 3G service provider has coverage in your area.  Check that in the 3G (WAN2) screen you have selected the correct 3G service for your area. In some areas certain kinds of 3G may not be available. Move the ZyXEL Device away from any structures such as large buildings or tunnels that may be blocking the 3G signal.  Move the ZyXEL Device away from devices that cause radio signal interference, such as microwave ovens and high voltage power lines. Check that the ZyXEL Device!s antenna is fully extended and is pointing upwards. The 3G OPERATION LED is on but my 3G connection is slow or non-existent. Check that WAN2 has an IP address in the HOME page. Click Dial (several times if necessary) to obtain a WAN2 IP address.  Try moving to an area with better reception. If the signal quality is poor, the 3G modem will time out before obtaining an IP address.  Check that you have enabled NAT in the 3G (WAN2) screen. Actual download speeds usually differ from maximum advertised speeds. Typical data rates are as follows. If your average download speeds are much lower then the typical data rates given below, check the 3G SIGNAL STRENGTH LED.  If the 3G SIGNAL STRENGTH LED shows a weak signal, follows\ the suggestions given in The 3G SIGNAL STRENGTH LED shows the 3G signal is weak or not available. If it shows a strong signal, contact your 3G service provider for more help.Table 118   Typical 3G transmission speedsPACKET DATA SERVICE THEORETICAL MAXIMUM DATA RATE TYPICAL DATA RATEEDGEUpload236 kbps100~130 kbpsDownload236 kbps100~130 kbpsUMTSUpload384 kbps100~300 kbpsDownload384 kbps100~300 kbpsHSDPAUpload384 kbps100~300 kbpsDownload3.6 MbpsUp to 2 Mbps
NBG410W3G Series User s Guide 345CHAPTER  22 Product SpecificationsThis chapter gives details about your ZyXEL Device!s hardware and firmware features.22.1  General ZyXEL Device SpecificationsThe following tables summarize the ZyXEL Device!s hardware and firmware features.Table 119   Hardware SpecificationsDimensions 190 (W) x 150 (D) x 33 (H) mm Weight 380 gPower Specification 12V DC 1.5 AEthernet InterfaceLAN/DMZ Four LAN/DMZ auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports.WAN One auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-45 Ethernet port.Reset Button Restores factory default settings.Internal 3G module  SierraWireless MC8775 (NBG410W3G only)USB slot The USB port is reserved for future usage. It cannot transmit signals simultaneously with the internal 3G module.SIM Card Slot  For installing a 3G SIM card (NBG410W3G only).AntennaNBG410W3G:One internal 3.6 dBi antenna One external 850/900/1800/1900/2100 MHz 3G antennaNBG412W3G:One external 3.6 dBi antenna  Distance between the centers of the holes (for wall mounting) on the device s back.165.75 mmScrew size for wall-mountingM 4*10 Tap Screw, see Figure 210 on page 348.Operation Environment  Temperature: 0º C ~ 40º CHumidity: 20% ~ 95% (non-condensing)Storage Environment  Temperature: -30º ~ 60º CHumidity: 20% ~ 95% RH (non-condensing)Certifications EMC: FCC Part 15 Class B, CE-EMC Class B, C-Tick Class BSafety: CSA International, (UL60950-1, CSA60950-1, EN60950-1, IEC60950-1)
Chapter 22Product SpecificationsNBG410W3G Series User s Guide346Table 120   Firmware Specifications FEATURE DESCRIPTIONDefault IP Address 192.168.1.1Default Subnet Mask 255.255.255.0 (24 bits)Default Password 1234Default DHCP Pool 192.168.1.33 to 192.168.1.160 Device ManagementUse the web configurator to easily configure the rich range of features on the ZyXEL Device.3G (2.5G) FunctionalitySupports UMTS, HSDPA, UMTS, EDGE 3G and GPRS 2.5G standards.Wi-Fi FunctionalityAllows the IEEE 802.11b and/or IEEE 802.11g wireless clients to connect to the ZyXEL Device wirelessly. Enable wireless security (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network. Firmware UpgradeDownload new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyXEL Device.Note: Only upload firmware for your specific model!Configuration Backup & RestorationMake a copy of the ZyXEL Device s configuration. You can put it back on the ZyXEL Device later if you decide to revert back to an earlier configuration.Network Address Translation (NAT)Each computer on your network must have its own unique IP address. Use NAT to convert your public IP address(es) to multiple private IP addresses for the computers on your network.Port ForwardingIf you have a server (mail or web server for example) on your network, you can use this feature to let people access it from the Internet.DHCP (Dynamic Host Configuration Protocol)Use this feature to have the ZyXEL Device assign IP addresses, an IP default gateway and DNS servers to computers on your network.Dynamic DNS SupportWith Dynamic DNS (Domain Name System) support, you can use a fixed URL, www.zyxel.com for example, with a dynamic IP address. You must register for this service with a Dynamic DNS service provider.IP MulticastIP multicast is used to send traffic to a specific group of computers. The ZyXEL Device supports versions 1 and 2 of IGMP (Internet Group Management Protocol) used to join multicast groups (see RFC 2236).IP AliasIP alias allows you to subdivide a physical network into logical networks over the same Ethernet interface with the ZyXEL Device itself as the gateway for each subnet.Time and DateGet the current time and date from an external server when you turn on your ZyXEL Device. You can also set the time manually. These dates and times are then used in logs.Logging and TracingUse packet tracing and logs for troubleshooting. You can send logs from the ZyXEL Device to an external syslog server.PPPoEPPPoE mimics a dial-up Internet access connection.PPTP EncapsulationPoint-to-Point Tunneling Protocol (PPTP) enables secure transfer of data through a Virtual Private Network (VPN). The ZyXEL Device supports one PPTP connection at a time.Universal Plug and Play (UPnP)A UPnP-enabled device can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.
 Chapter 22Product SpecificationsNBG410W3G Series User s Guide 347 22.2  Wall-mounting InstructionsComplete the following steps to hang your ZyXEL Device on a wall.See Table 119 on page 345 for the size of screws to use and how far apart to place them.1Select a position free of obstructions on a sturdy wall. 2Drill two holes for the screws. RoadRunner SupportThe ZyXEL Device supports Time Warner s RoadRunner Service in addition to standard cable modem services.FirewallYou can configure firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files for example.Remote ManagementThis allows you to decide whether a service (HTTP or FTP traffic for example) from a computer on a network (LAN or WAN for example) can access the ZyXEL Device.Table 121   Feature Specifications FEATURE SPECIFICATIONLocal User Database Entries32Static DHCP Table Entries32Static Routes30Concurrent Sessions (NAT sessions)3,000 Address Mapping Rules10Port Forwarding Rules20DNS Address Record Entries30DNS Name Server Record Entries16Firewall Throughput (with NAT) 12 MbpsOutput Power (Maximum)IEEE 802.11b: 16 dBm at 11 Mbps CCK, QPSK, BPSKIEEE 802.11g: 13 dBm at 54 Mbps OFDMTable 120   Firmware Specifications FEATURE DESCRIPTION
Chapter 22Product SpecificationsNBG410W3G Series User s Guide348Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws.3Do not insert the screws all the way into the wall. Leave a small gap of about 0.5 cm between the heads of the screws and the wall. 4Make sure the screws are snugly fastened to the wall. They need to hold the weight of the ZyXEL Device with the connection cables. 5Align the holes on the back of the ZyXEL Device with the screws on the wall. Hang the ZyXEL Device on the screws.Figure 210   Wall-mounting ExampleThe following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm). Figure 211   Masonry Plug and M4 Tap Screw
 Chapter 22Product SpecificationsNBG410W3G Series User s Guide 34922.3  Power Adaptor Specifications     NORTH AMERICAN PLUG STANDARDSAC POWER ADAPTOR MODELPSA18R-120P (ZA)-RINPUT POWER100-240VAC, 50/60HZ, 0.5AOUTPUT POWER12VDC, 1.5A POWER CONSUMPTION18 W MAX. SAFETY STANDARDSUL, CUL (UL 60950-1 FIRST EDITIONCSA C22.2 NO. 60950-1-03 1ST.)EUROPEAN PLUG STANDARDSAC POWER ADAPTOR MODELPSA18R-120P (ZE)-RINPUT POWER100-240VAC, 50/60HZ, 0.5AOUTPUT POWER12VDC, 1.5A POWER CONSUMPTION18 W MAX. SAFETY STANDARDSTUV, CE (EN 60950-1)UNITED KINGDOM PLUG STANDARDSAC POWER ADAPTOR MODELPSA18R-120P (ZK)-RINPUT POWER100-240VAC, 50/60HZ, 0.5AOUTPUT POWER12VDC, 1.5A POWER CONSUMPTION18 W MAX. SAFETY STANDARDSTUV (BS EN 60950-1)
Chapter 22Product SpecificationsNBG410W3G Series User s Guide350
351PART VIIIAppendices and IndexThe appendices provide general information. Some details may not apply to your ZyXEL Device.Pop-up Windows, JavaScripts and Java Permissions  (353)Setting up Your Computer!s IP Address  (361)IP Addresses and Subnetting  (377)Common Services  (385)Wireless LANs  (389)Importing Certificates  (403)Legal Information  (415)Customer Support  (419)Index  (425)
352
NBG410W3G Series User s Guide 353APPENDIX  A Pop-up Windows, JavaScriptsand Java PermissionsIn order to use the web configurator you need to allow: Web browser pop-up windows from your device. JavaScripts (enabled by default). Java permissions (enabled by default).Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.Internet Explorer Pop-up BlockersYou may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device!s IP address.Disable Pop-up Blockers1In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 212   Pop-up BlockerYou can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1In Internet Explorer, select Tools, Internet Options, Privacy.
Appendix APop-up Windows, JavaScripts and Java PermissionsNBG410W3G Series User s Guide3542Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 213   Internet Options: Privacy3Click Apply to save this setting.Enable Pop-up Blockers with ExceptionsAlternatively, if you only want to allow pop-up windows from your device, see the following steps.1In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2Select Settings!to open the Pop-up Blocker Settings screen.
 Appendix APop-up Windows, JavaScripts and Java PermissionsNBG410W3G Series User s Guide 355Figure 214   Internet Options: Privacy3Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://#. For example, http://192.168.167.1. 4Click Add to move the IP address to the list of Allowed sites.Figure 215   Pop-up Blocker Settings
Appendix APop-up Windows, JavaScripts and Java PermissionsNBG410W3G Series User s Guide3565Click Close to return to the Privacy screen. 6Click Apply to save this setting. JavaScriptsIf pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. 1In Internet Explorer, click Tools, Internet Options and then the Security tab. Figure 216   Internet Options: Security 2Click the Custom Level... button. 3Scroll down to Scripting. 4Under Active scripting make sure that Enable is selected (the default).5Under Scripting of Java applets make sure that Enable is selected (the default). 6Click OK to close the window.
 Appendix APop-up Windows, JavaScripts and Java PermissionsNBG410W3G Series User s Guide 357Figure 217   Security Settings - Java ScriptingJava Permissions1From Internet Explorer, click Tools, Internet Options and then the Security tab. 2Click the Custom Level... button. 3Scroll down to Microsoft VM. 4Under Java permissions make sure that a safety level is selected.5Click OK to close the window.Figure 218   Security Settings - Java
Appendix APop-up Windows, JavaScripts and Java PermissionsNBG410W3G Series User s Guide358JAVA (Sun)1From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2Make sure that Use Java 2 for <applet> under Java (Sun) is selected.3Click OK to close the window.Figure 219   Java (Sun)Mozilla FirefoxMozilla Firefox 2.0 screens are used here. Screens for other versions may vary. You can enable Java, Javascripts and pop-ups in one screen. Click Tools, then click Options in the screen that appears.
 Appendix APop-up Windows, JavaScripts and Java PermissionsNBG410W3G Series User s Guide 359Figure 220   Mozilla Firefox: Tools > OptionsClick Content.to show the screen below. Select the check boxes as shown in the following screen.Figure 221   Mozilla Firefox Content Security
Appendix APop-up Windows, JavaScripts and Java PermissionsNBG410W3G Series User s Guide360
NBG410W3G Series User s Guide 361APPENDIX  B Setting up Your Computer s IPAddressAll computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems.After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device!s LAN port.Windows 95/98/MeClick Start, Settings, Control Panel and double-click the Network icon to open the Network window.
Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide362Figure 222   WIndows 95/98/Me: Network: ConfigurationInstalling ComponentsThe Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.If you need the adapter:1In the Network window, click Add.2Select Adapter and then click Add.3Select the manufacturer and model of your network adapter and then click OK.If you need TCP/IP:1In the Network window, click Add.2Select Protocol and then click Add.3Select Microsoft from the list of manufacturers.4Select TCP/IP from the list of network protocols and then click OK.If you need Client for Microsoft Networks:1Click Add.2Select Client and then click Add.3Select Microsoft from the list of manufacturers.4Select Client for Microsoft Networks from the list of network clients and then click OK.5Restart your computer so the changes you made take effect.
 Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide 363Configuring 1In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties2Click the IP Address tab. If your IP address is dynamic, select Obtain an IP address automatically.  If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.Figure 223   Windows 95/98/Me: TCP/IP Properties: IP Address3Click the DNS Configuration tab. If you do not know your DNS information, select Disable DNS. If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide364Figure 224   Windows 95/98/Me: TCP/IP Properties: DNS Configuration4Click the Gateway tab. If you do not know your gateway!s IP address, remove previously installed gateways. If you have a gateway IP address, type it in the New gateway field and click Add.5Click OK to save and close the TCP/IP Properties window.6Click OK to close the Network window. Insert the Windows CD if prompted.7Turn on your ZyXEL Device and restart your computer when prompted.Verifying Settings1Click Start and then Run.2In the Run window, type "winipcfg" and then click OK to open the IP Configuration window.3Select your network adapter. You should see your computer's IP address, subnet mask and default gateway.Windows 2000/NT/XPThe following example figures use the default Windows XP GUI theme.1Click start (Start in Windows 2000/NT), Settings, Control Panel.
 Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide 365Figure 225   Windows XP: Start Menu2In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).Figure 226   Windows XP: Control Panel3Right-click Local Area Connection and then click Properties.
Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide366Figure 227   Windows XP: Control Panel: Network Connections: Properties4Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.Figure 228   Windows XP: Local Area Connection Properties5The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). If you have a dynamic IP address click Obtain an IP address automatically. If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.  Click Advanced.
 Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide 367Figure 229   Windows XP: Internet Protocol (TCP/IP) Properties6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.Do one or more of the following if you want to configure additional IP addresses: In the IP Settings tab, in IP addresses, click Add. In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add. Repeat the above two steps for each IP address you want to add. Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways. In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. Click Add.  Repeat the previous three steps for each default gateway you want to add. Click OK when finished.
Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide368Figure 230   Windows XP: Advanced TCP/IP Properties7In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
 Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide 369Figure 231   Windows XP: Internet Protocol (TCP/IP) Properties8Click OK to close the Internet Protocol (TCP/IP) Properties window.9Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.10  Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).11 Turn on your ZyXEL Device and restart your computer (if prompted).Verifying Settings1Click Start, All Programs, Accessories and then Command Prompt.2In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.Macintosh OS 8/9 1Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.
Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide370Figure 232   Macintosh OS 8/9: Apple Menu2Select Ethernet built-in from the Connect via list.Figure 233   Macintosh OS 8/9: TCP/IP3For dynamically assigned settings, select Using DHCP Server from the Configure: list.4For statically assigned settings, do the following: From the Configure box, select Manually.
 Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide 371 Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your ZyXEL Device in the Router address box.5Close the TCP/IP Control Panel.6Click Save if prompted, to save changes to your configuration.7Turn on your ZyXEL Device and restart your computer (if prompted).Verifying SettingsCheck your TCP/IP properties in the TCP/IP Control Panel window.Macintosh OS X1Click the Apple menu, and click System Preferences to open the System Preferences window.Figure 234   Macintosh OS X: Apple Menu2Click Network in the icon bar.    Select Automatic from the Location list. Select Built-in Ethernet from the Show list.  Click the TCP/IP tab.3For dynamically assigned settings, select Using DHCP from the Configure list.
Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide372Figure 235   Macintosh OS X: Network4For statically assigned settings, do the following: From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your ZyXEL Device in the Router address box.5Click Apply Now and close the window.6Turn on your ZyXEL Device and restart your computer (if prompted).Verifying SettingsCheck your TCP/IP properties in the Network window.Linux This section shows you how to configure your computer!s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.
 Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide 373Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE)Follow the steps below to configure your computer IP address using the KDE. 1Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.Figure 236   Red Hat 9.0: KDE: Network Configuration: Devices 2Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown. Figure 237   Red Hat 9.0: KDE: Ethernet Device: General
Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide374 If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.  If you have a static IP address, click Statically set IP Addresses and fill in the  Address, Subnet mask, and Default Gateway Address fields. 3Click OK to save the changes and close the Ethernet Device General screen. 4If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided. Figure 238   Red Hat 9.0: KDE: Network Configuration: DNS 5Click the Devices tab. 6Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens.Figure 239   Red Hat 9.0: KDE: Network Configuration: Activate  7After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen.Using Configuration FilesFollow the steps below to edit the network configuration files and set your computer IP address. 1Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor. If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field.  The following figure shows an example.
 Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide 375Figure 240   Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0  If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following example shows an example where the static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0. Figure 241   Red Hat 9.0: Static IP Address Setting in ifconfig-eth0   2If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.Figure 242   Red Hat 9.0: DNS Settings in resolv.conf   3After you edit and save the configuration files, you must restart the network card. Enter ./network restart in the /etc/rc.d/init.d directory. The following figure shows an example.Figure 243   Red Hat 9.0: Restart Ethernet Card DEVICE=eth0ONBOOT=yesBOOTPROTO=dhcpUSERCTL=noPEERDNS=yesTYPE=EthernetDEVICE=eth0ONBOOT=yesBOOTPROTO=staticIPADDR=192.168.1.10NETMASK=255.255.255.0USERCTL=noPEERDNS=yesTYPE=Ethernetnameserver 172.23.5.1nameserver 172.23.5.2[root@localhost init.d]# network restartShutting down interface eth0:                 [OK]Shutting down loopback interface:             [OK]Setting network parameters:                   [OK]Bringing up loopback interface:               [OK]Bringing up interface eth0:                   [OK]
Appendix BSetting up Your Computer s IP AddressNBG410W3G Series User s Guide376Verifying SettingsEnter ifconfig in a terminal screen to check your TCP/IP properties.  Figure 244   Red Hat 9.0: Checking TCP/IP Properties  [root@localhost]# ifconfig eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44            inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1          RX packets:717 errors:0 dropped:0 overruns:0 frame:0          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0          collisions:0 txqueuelen:100           RX bytes:730412 (713.2 Kb)  TX bytes:1570 (1.5 Kb)          Interrupt:10 Base address:0x1000 [root@localhost]#
NBG410W3G Series User s Guide 377APPENDIX  C IP Addresses and SubnettingThis appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.Introduction to IP AddressesOne part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.StructureAn IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.
Appendix CIP Addresses and SubnettingNBG410W3G Series User s Guide378Figure 245   Network Number and Host IDHow much of the IP address is the network number and how much is the host ID varies according to the subnet mask.  Subnet MasksA subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term "subnet# is short for "sub-network#.A subnet mask has 32 bits. If a bit in the subnet mask is a "1# then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is "0# then the corresponding bit in the IP address is part of the host ID. The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.Subnet masks can be referred to by the size of the network number part (the bits with a "1# value). For example, an "8-bit mask# means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.Table 122   IP Address Network Number and Host ID Example1ST OCTET:(192)2ND OCTET:(168)3RD OCTET:(1)4TH OCTET(2)IP Address (Binary)11000000101010000000000100000010Subnet Mask (Binary) 111111111111111111111111 00000000Network Number 110000001010100000000001Host ID00000010
 Appendix CIP Addresses and SubnettingNBG410W3G Series User s Guide 379Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Network SizeThe size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits. An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network  (192.168.1.255 with a 24-bit subnet mask, for example).As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:NotationSince the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/# followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet masks using both notations. Table 123   Subnet MasksBINARYDECIMAL1ST OCTET2ND OCTET3RD OCTET 4TH OCTET8-bit mask 11111111 00000000 00000000 00000000 255.0.0.016-bit mask 11111111 11111111 00000000 00000000 255.255.0.024-bit mask 11111111 11111111 11111111 00000000 255.255.255.029-bit mask 11111111 11111111 11111111 11111000 255.255.255.248Table 124   Maximum Host NumbersSUBNET MASK HOST ID SIZE MAXIMUM NUMBER OF HOSTS8 bits255.0.0.024 bits224 $ 21677721416 bits255.255.0.016 bits216 $ 26553424 bits255.255.255.08 bits28 $ 225429 bits255.255.255.2483 bits23 $ 26Table 125   Alternative Subnet Mask NotationSUBNET MASK ALTERNATIVE NOTATIONLAST OCTET (BINARY)LAST OCTET (DECIMAL)255.255.255.0 /24 0000 0000 0255.255.255.128 /25 1000 0000 128
Appendix CIP Addresses and SubnettingNBG410W3G Series User s Guide380SubnettingYou can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 28 % 2 or 254 possible hosts.The following figure shows the company network before subnetting.  Figure 246   Subnetting Example: Before SubnettingYou can "borrow# one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25).The "borrowed# host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two sub-networks, A and B. 255.255.255.192 /26 1100 0000 192255.255.255.224 /27 1110 0000 224255.255.255.240 /28 1111 0000 240255.255.255.248 /29 1111 1000 248255.255.255.252 /30 1111 1100 252Table 125   Alternative Subnet Mask Notation (continued)SUBNET MASK ALTERNATIVE NOTATIONLAST OCTET (BINARY)LAST OCTET (DECIMAL)
 Appendix CIP Addresses and SubnettingNBG410W3G Series User s Guide 381Figure 247   Subnetting Example: After SubnettingIn a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 27 % 2 or 126 possible hosts (a host ID of all zeroes is the subnet!s address itself, all ones is the subnet!s broadcast address).192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.Example: Four Subnets The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to "borrow# two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 26 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet!s broadcast address). Table 126   Subnet 1IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUEIP Address (Decimal) 192.168.1. 0IP Address (Binary) 11000000.10101000.00000001.  00000000Subnet Mask (Binary) 11111111.11111111.11111111. 11000000Subnet Address: 192.168.1.0Lowest Host ID: 192.168.1.1Broadcast Address: 192.168.1.63Highest Host ID: 192.168.1.62
Appendix CIP Addresses and SubnettingNBG410W3G Series User s Guide382Example: Eight SubnetsSimilarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet.Table 127   Subnet 2IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUEIP Address 192.168.1. 64IP Address (Binary) 11000000.10101000.00000001.  01000000Subnet Mask (Binary) 11111111.11111111.11111111. 11000000Subnet Address: 192.168.1.64Lowest Host ID: 192.168.1.65Broadcast Address: 192.168.1.127Highest Host ID: 192.168.1.126Table 128   Subnet 3IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUEIP Address 192.168.1. 128IP Address (Binary) 11000000.10101000.00000001.  10000000Subnet Mask (Binary) 11111111.11111111.11111111. 11000000Subnet Address: 192.168.1.128Lowest Host ID: 192.168.1.129Broadcast Address: 192.168.1.191Highest Host ID: 192.168.1.190Table 129   Subnet 4IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUEIP Address 192.168.1. 192IP Address (Binary) 11000000.10101000.00000001. 11000000Subnet Mask (Binary) 11111111.11111111.11111111. 11000000Subnet Address: 192.168.1.192Lowest Host ID: 192.168.1.193Broadcast Address: 192.168.1.255Highest Host ID: 192.168.1.254Table 130   Eight SubnetsSUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESSBROADCAST ADDRESS10130 312 32 33 62 633 64 65 94 954 96 97 126 127
 Appendix CIP Addresses and SubnettingNBG410W3G Series User s Guide 383Subnet PlanningThe following table is a summary for subnet planning on a network with a 24-bit network number.The following table is a summary for subnet planning on a network with a 16-bit network number. 5128 129 158 1596 160 161 190 1917 192 193 222 2238 224 225 254 255Table 130   Eight Subnets (continued)SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESSBROADCAST ADDRESSTable 131   24-bit Network Number Subnet PlanningNO. "BORROWED# HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET1255.255.255.128 (/25) 2 1262 255.255.255.192 (/26) 4 623 255.255.255.224 (/27) 8 304 255.255.255.240 (/28) 16 145 255.255.255.248 (/29) 32 66 255.255.255.252 (/30) 64 27 255.255.255.254 (/31) 128 1Table 132   16-bit Network Number Subnet PlanningNO. "BORROWED# HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET1255.255.128.0 (/17) 2 327662 255.255.192.0 (/18) 4 163823 255.255.224.0 (/19) 8 81904 255.255.240.0 (/20) 16 40945 255.255.248.0 (/21) 32 20466 255.255.252.0 (/22) 64 10227 255.255.254.0 (/23) 128 5108 255.255.255.0 (/24) 256 2549 255.255.255.128 (/25) 512 12610 255.255.255.192 (/26) 1024 6211 255.255.255.224 (/27) 2048 3012 255.255.255.240 (/28) 4096 1413 255.255.255.248 (/29) 8192 6
Appendix CIP Addresses and SubnettingNBG410W3G Series User s Guide384Configuring IP AddressesWhere you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the ZyXEL Device.  Once you have decided on the network number, pick an IP address for your ZyXEL Device that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise.Private IP AddressesEvery machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks: 10.0.0.0     $ 10.255.255.255 172.16.0.0   $ 172.31.255.255 192.168.0.0 $ 192.168.255.255You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.14 255.255.255.252 (/30) 16384 215 255.255.255.254 (/31) 32768 1Table 132   16-bit Network Number Subnet Planning (continued)NO. "BORROWED# HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET
NBG410W3G Series User s Guide 385APPENDIX  D Common ServicesThe following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site.  Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like. Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number. Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers. If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number. If the Protocol is USER, this is the IP protocol number. Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.Table 133   Commonly Used ServicesNAME PROTOCOL PORT(S) DESCRIPTIONAH (IPSEC_TUNNEL)User-Defined 51 The IPSEC AH (Authentication Header) tunneling protocol uses this service.AIM/New-ICQ TCP 5190 AOL s Internet Messenger service. It is also used as a listening port by ICQ.AUTH TCP 113 Authentication protocol used by some servers.BGP TCP 179 Border Gateway Protocol.BOOTP_CLIENT UDP 68 DHCP Client.BOOTP_SERVER UDP 67 DHCP Server.CU-SEEME TCPUDP764824032A popular videoconferencing solution from White Pines Software.DNS TCP/UDP 53 Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.ESP (IPSEC_TUNNEL)User-Defined 50 The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
Appendix DCommon ServicesNBG410W3G Series User s Guide386FTP TCPTCP2021File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.H.323 TCP 1720 NetMeeting uses this protocol.HTTP TCP 80 Hyper Text Transfer Protocol - a client/server protocol for the world wide web.HTTPS TCP 443 HTTPS is a secured http session often used in e-commerce.ICMP User-Defined 1 Internet Control Message Protocol is often used for diagnostic or routing purposes.ICQ UDP 4000 This is a popular Internet chat program.IGMP (MULTICAST) User-Defined 2 Internet Group Management Protocol is used when sending packets to a specific group of hosts.IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management.IRC TCP/UDP 6667 This is another popular Internet chat program.MSN Messenger TCP 1863 Microsoft Networks  messenger service uses this protocol. NEW-ICQ TCP 5190 An Internet chat program.NEWS  TCP 144 A protocol for news groups.NFS UDP 2049 Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.NNTP TCP 119 Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.PING User-Defined 1 Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).PPTP TCP 1723 Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.PPTP_TUNNEL (GRE)User-Defined 47 PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel.RCMD TCP 512 Remote Command Service.REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web.REXEC TCP 514 Remote Execution Daemon.RLOGIN TCP 513 Remote Login.Table 133   Commonly Used Services (continued)NAME PROTOCOL PORT(S) DESCRIPTION
 Appendix DCommon ServicesNBG410W3G Series User s Guide 387RTELNET TCP 107 Remote Telnet.RTSP TCP/UDP 554 The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP TCP 115 Simple File Transfer Protocol.SMTP TCP 25 Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.SNMP TCP/UDP 161 Simple Network Management Program.SNMP-TRAPS TCP/UDP 162 Traps for use with the SNMP (RFC:1215).SQL-NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.SSH TCP/UDP 22 Secure Shell Remote Login Program.STRM WORKS UDP 1558 Stream Works Protocol.SYSLOG UDP 514 Syslog allows you to send system logs to a UNIX server.TACACS UDP 49 Login Host Protocol used for (Terminal Access Controller Access Control System).TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).VDOLIVE TCP 7000 Another videoconferencing solution.Table 133   Commonly Used Services (continued)NAME PROTOCOL PORT(S) DESCRIPTION
Appendix DCommon ServicesNBG410W3G Series User s Guide388
NBG410W3G Series User s Guide 389APPENDIX  E Wireless LANsWireless LAN TopologiesThis section discusses ad-hoc and infrastructure wireless LAN topologies.Ad-hoc Wireless LAN ConfigurationThe simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN. Figure 248   Peer-to-Peer Communication in an Ad-hoc NetworkBSSA Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.
Appendix EWireless LANsNBG410W3G Series User s Guide390Figure 249   Basic Service SetESSAn Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
 Appendix EWireless LANsNBG410W3G Series User s Guide 391Figure 250   Infrastructure WLANChannelA channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance.Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11.RTS/CTSA hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
Appendix EWireless LANsNBG410W3G Series User s Guide392Figure 251    RTS/CTSWhen station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake. If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.Fragmentation ThresholdA Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.
 Appendix EWireless LANsNBG410W3G Series User s Guide 393If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.Preamble TypePreamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet.Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble. Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks. Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications.Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the ZyXEL Device uses long preamble.The wireless devices MUST use the same preamble mode in order to communicate.IEEE 802.11g Wireless LANIEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:Wireless Security OverviewWireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.Table 134   IEEE 802.11gDATA RATE (MBPS) MODULATION1DBPSK (Differential Binary Phase Shift Keyed)2DQPSK (Differential Quadrature Phase Shift Keying)5.5 / 11CCK (Complementary Code Keying) 6/9/12/18/24/36/48/54OFDM (Orthogonal Frequency Division Multiplexing)
Appendix EWireless LANsNBG410W3G Series User s Guide394Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity.The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want to associate with it. IEEE 802.1xIn June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are: User based identification that allows for roaming. Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.  Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients. RADIUSRADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks: Authentication Determines the identity of the users. AuthorizationTable 135   Wireless Security LevelsSECURITY LEVEL SECURITY TYPELeast       Secure                                                                                  Most SecureUnique SSID (Default)Unique SSID with Hide SSID EnabledMAC Address FilteringWEP EncryptionIEEE802.1x EAP with RADIUS Server AuthenticationWi-Fi Protected Access (WPA)WPA2
 Appendix EWireless LANsNBG410W3G Series User s Guide 395Determines the network services available to authenticated users once they are connected to the network. AccountingKeeps track of the client!s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. Types of RADIUS MessagesThe following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication: Access-RequestSent by an access point requesting authentication. Access-RejectSent by a RADIUS server rejecting access. Access-AcceptSent by a RADIUS server allowing access.  Access-ChallengeSent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: Accounting-RequestSent by the access point requesting accounting. Accounting-ResponseSent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access. Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. .
Appendix EWireless LANsNBG410W3G Series User s Guide396For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.EAP-MD5 (Message-Digest Algorithm 5)MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client 'proves! that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security)With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender!s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP)   Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.LEAPLEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
 Appendix EWireless LANsNBG410W3G Series User s Guide 397Dynamic WEP Key ExchangeThe AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled.EAP-MD5 cannot be used with Dynamic WEP Key ExchangeFor added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.WPA and WPA2Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.Table 136   Comparison of EAP Authentication TypesEAP-MD5 EAP-TLS EAP-TTLS PEAP LEAPMutual Authentication No Yes Yes Yes YesCertificate $ Client No Yes Optional Optional NoCertificate $ Server No Yes Yes Yes NoDynamic Key Exchange No Yes Yes Yes YesCredential Integrity None Strong Strong Strong ModerateDeployment Difficulty Easy Hard Moderate Moderate ModerateClient Identity Protection No No Yes Yes No
Appendix EWireless LANsNBG410W3G Series User s Guide398Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it!s still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of WEP)User Authentication WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again.Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.
 Appendix EWireless LANsNBG410W3G Series User s Guide 399Wireless Client WPA SupplicantsA wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it. WPA(2) with RADIUS Application ExampleTo set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.1The AP passes the wireless client's authentication request to the RADIUS server.2The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.3A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.4The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.Figure 252   WPA(2) with RADIUS Application ExampleWPA(2)-PSK Application ExampleA WPA(2)-PSK application looks as follows.1First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).2The AP checks each wireless client's password and allows it to join the network only if the password matches.
Appendix EWireless LANsNBG410W3G Series User s Guide4003The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them.Figure 253   WPA(2)-PSK AuthenticationSecurity Parameters SummaryRefer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features.Table 137   Wireless Security Relational MatrixAUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOLENCRYPTION METHODENTER MANUAL KEY IEEE 802.1XOpenNoneNoDisableEnable without Dynamic WEP KeyOpen WEP No           Enable with Dynamic WEP KeyYes Enable without Dynamic WEP KeyYes DisableShared WEP  No           Enable with Dynamic WEP KeyYes Enable without Dynamic WEP KeyYes DisableWPA  TKIP/AES No EnableWPA-PSK  TKIP/AES Yes DisableWPA2 TKIP/AES No EnableWPA2-PSK  TKIP/AES Yes Disable
 Appendix EWireless LANsNBG410W3G Series User s Guide 401Antenna OverviewAn antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN. Antenna CharacteristicsFrequencyAn antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LANRadiation PatternA radiation pattern is a diagram that allows you to visualize the shape of the antenna!s coverage area. Antenna GainAntenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides.   Types of Antennas for WLANThere are two types of antennas used for wireless LAN applications. Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.  Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.
Appendix EWireless LANsNBG410W3G Series User s Guide402Positioning AntennasIn general, antennas should be mounted as high as practically possible and free of obstructions. In point-to%point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area.
NBG410W3G Series User s Guide 403APPENDIX  F Importing CertificatesThis appendix shows importing certificates examples using Internet Explorer 5.Import ZyXEL Device Certificates into Netscape NavigatorIn Netscape Navigator, you can permanently trust the ZyXEL Device!s server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this. Figure 254   Security CertificateImporting the ZyXEL Device s Certificate into Internet ExplorerFor Internet Explorer to trust a self-signed certificate from the ZyXEL Device, simply import the self-signed certificate into your operating system as a trusted certification authority. To have Internet Explorer trust a ZyXEL Device certificate issued by a certificate authority, import the certificate authority!s certificate into your operating system as a trusted certification authority.The following example procedure shows how to import the ZyXEL Device!s (self-signed) server certificate into your operating system as a trusted certification authority.
Appendix FImporting CertificatesNBG410W3G Series User s Guide4041In Internet Explorer, double click the lock shown in the following screen.Figure 255   Login Screen2Click Install Certificate to open the Install Certificate wizard.Figure 256   Certificate General Information before Import3Click Next to begin the Install Certificate wizard.
 Appendix FImporting CertificatesNBG410W3G Series User s Guide 405Figure 257   Certificate Import Wizard 14Select where you would like to store the certificate and then click Next.Figure 258   Certificate Import Wizard 25Click Finish to complete the Import Certificate wizard.
Appendix FImporting CertificatesNBG410W3G Series User s Guide406Figure 259   Certificate Import Wizard 36Click Yes to add the ZyXEL Device certificate to the root store.Figure 260   Root Certificate Store
 Appendix FImporting CertificatesNBG410W3G Series User s Guide 407Figure 261   Certificate General Information after ImportEnrolling and Importing SSL Client CertificatesThe SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyXEL Device.You must have imported at least one trusted CA to the ZyXEL Device in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyXEL Device (see the ZyXEL Device!s Trusted CA web configurator screen).
Appendix FImporting CertificatesNBG410W3G Series User s Guide408Figure 262   ZyXEL Device Trusted CA ScreenThe CA sends you a package containing the CA!s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).Installing the CA s Certificate1Double click the CA!s trusted certificate to produce a screen similar to the one shown next.
 Appendix FImporting CertificatesNBG410W3G Series User s Guide 409Figure 263   CA Certificate Example2Click Install Certificate and follow the wizard as shown earlier in this appendix.Installing Your Personal Certificate(s)You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next1Click Next to begin the wizard.Figure 264   Personal Certificate Import Wizard 1
Appendix FImporting CertificatesNBG410W3G Series User s Guide4102The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.Figure 265   Personal Certificate Import Wizard 23Enter the password given to you by the CA.Figure 266   Personal Certificate Import Wizard 34Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
 Appendix FImporting CertificatesNBG410W3G Series User s Guide 411Figure 267   Personal Certificate Import Wizard 45Click Finish to complete the wizard and begin the import process.Figure 268   Personal Certificate Import Wizard 56You should see the following screen when the certificate is correctly installed on your computer. Figure 269   Personal Certificate Import Wizard 6
Appendix FImporting CertificatesNBG410W3G Series User s Guide412Using a Certificate When Accessing the ZyXEL Device ExampleUse the following procedure to access the ZyXEL Device via HTTPS.1Enter 'https://ZyXEL Device IP Address/ in your browser!s web address field.Figure 270   Access the ZyXEL Device Via HTTPS2When Authenticate Client Certificates is selected on the ZyXEL Device, the following screen asks you to select a personal certificate to send to the ZyXEL Device. This screen displays even if you only have a single certificate as in the example.Figure 271   SSL Client Authentication3You next see the ZyXEL Device login screen.Figure 272   ZyXEL Device Secure Login Screen
 Appendix FImporting CertificatesNBG410W3G Series User s Guide 413
Appendix FImporting CertificatesNBG410W3G Series User s Guide414
NBG410W3G Series User s Guide 415APPENDIX  G Legal InformationCopyrightCopyright © 2008 by ZyXEL Communications Corporation.The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.Published by ZyXEL Communications Corporation. All rights reserved.DisclaimerZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.Your use of the ZyXEL Device is subject to the terms and conditions of any related service providers. TrademarksZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.Certifications Federal Communications Commission (FCC) Interference StatementThe device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
Appendix GLegal InformationNBG410W3G Series User s Guide416This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:1Reorient or relocate the receiving antenna.2Increase the separation between the equipment and the receiver.3Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.4Consult the dealer or an experienced radio/TV technician for help.FCC Radiation Exposure Statement This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.   IEEE 802.11b or 802.11g operation of this product in the U.S.A. is firmware-limited to channels 1 through 11.  To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons. Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.This device has been designed for the WLAN 2.4 GHz network throughout the EC region and Switzerland, with restrictions in France.
 Appendix GLegal InformationNBG410W3G Series User s Guide 417This Class B digital apparatus complies with Canadian ICES-003.Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.Viewing Certifications1Go to http://www.zyxel.com.2Select your product on the ZyXEL home page to go to that product's page.3Select the certification you wish to view from this page.ZyXEL Limited WarrantyZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.NoteRepair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.RegistrationRegister your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
Appendix GLegal InformationNBG410W3G Series User s Guide418
NBG410W3G Series User s Guide 419APPENDIX  H Customer SupportIn the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional offices are listed below (see also http://www.zyxel.com/web/contact_us.php). Please have the following information ready when you contact an office.Required Information Product model and serial number. Warranty Information. Date that you received your device. Brief description of the problem and the steps you took to solve it."+# is the (prefix) number you dial to make an international telephone call.Corporate Headquarters (Worldwide) Support E-mail: support@zyxel.com.tw Sales E-mail: sales@zyxel.com.tw Telephone: +886-3-578-3942 Fax: +886-3-578-2439 Web: www.zyxel.com Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, TaiwanChina - ZyXEL Communications (Beijing) Corp. Support E-mail: cso.zycn@zyxel.cn Sales E-mail: sales@zyxel.cn Telephone: +86-010-82800646 Fax: +86-010-82800587 Address: 902, Unit B, Horizon Building, No.6, Zhichun Str, Haidian District, Beijing Web: http://www.zyxel.cnChina - ZyXEL Communications (Shanghai) Corp. Support E-mail: cso.zycn@zyxel.cn Sales E-mail: sales@zyxel.cn Telephone: +86-021-61199055 Fax: +86-021-52069033
Appendix HCustomer SupportNBG410W3G Series User s Guide420 Address: 1005F, ShengGao International Tower, No.137 XianXia Rd., Shanghai Web: http://www.zyxel.cnCosta Rica Support E-mail: soporte@zyxel.co.cr Sales E-mail: sales@zyxel.co.cr Telephone: +506-2017878 Fax: +506-2015098 Web: www.zyxel.co.cr Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa RicaCzech Republic E-mail: info@cz.zyxel.com Telephone: +420-241-091-350 Fax: +420-241-091-359 Web: www.zyxel.cz Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská RepublikaDenmark Support E-mail: support@zyxel.dk Sales E-mail: sales@zyxel.dk Telephone: +45-39-55-07-00 Fax: +45-39-55-07-07 Web: www.zyxel.dk  Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, DenmarkFinland Support E-mail: support@zyxel.fi Sales E-mail: sales@zyxel.fi Telephone: +358-9-4780-8411 Fax: +358-9-4780-8448 Web: www.zyxel.fi Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, FinlandFrance E-mail: info@zyxel.fr  Telephone: +33-4-72-52-97-97 Fax: +33-4-72-52-19-20 Web: www.zyxel.fr Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France
 Appendix HCustomer SupportNBG410W3G Series User s Guide 421Germany Support E-mail: support@zyxel.de Sales E-mail: sales@zyxel.de Telephone: +49-2405-6909-69 Fax: +49-2405-6909-99 Web: www.zyxel.de Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, GermanyHungary Support E-mail: support@zyxel.hu Sales E-mail: info@zyxel.hu Telephone: +36-1-3361649 Fax: +36-1-3259100 Web: www.zyxel.hu Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, HungaryIndia Support E-mail: support@zyxel.in Sales E-mail: sales@zyxel.in Telephone: +91-11-30888144 to +91-11-30888153 Fax: +91-11-30888149, +91-11-26810715 Web: http://www.zyxel.in Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1, New Delhi 110020, IndiaJapan Support E-mail: support@zyxel.co.jp Sales E-mail: zyp@zyxel.co.jp Telephone: +81-3-6847-3700 Fax: +81-3-6847-3705 Web: www.zyxel.co.jp Regular Mail: ZyXEL Japan, 3F, Office T&U, 1-10-10 Higashi-Gotanda, Shinagawa-ku, Tokyo 141-0022, JapanKazakhstan Support: http://zyxel.kz/support Sales E-mail: sales@zyxel.kz Telephone: +7-3272-590-698 Fax: +7-3272-590-689 Web: www.zyxel.kz Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan
Appendix HCustomer SupportNBG410W3G Series User s Guide422Malaysia Support E-mail: support@zyxel.com.my Sales E-mail: sales@zyxel.com.my Telephone: +603-8076-9933 Fax: +603-8076-9833 Web: http://www.zyxel.com.my Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, MalaysiaNorth America Support E-mail: support@zyxel.com Support Telephone: +1-800-978-7222 Sales E-mail: sales@zyxel.com Sales Telephone: +1-714-632-0882 Fax: +1-714-632-0858 Web: www.zyxel.com Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.Norway Support E-mail: support@zyxel.no  Sales E-mail: sales@zyxel.no Telephone: +47-22-80-61-80 Fax: +47-22-80-61-81 Web: www.zyxel.no Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, NorwayPoland E-mail: info@pl.zyxel.com Telephone: +48-22-333 8250 Fax: +48-22-333 8251 Web: www.pl.zyxel.com Regular Mail: ZyXEL Communications, ul. Okrzei 1A, 03-715 Warszawa, PolandRussia Support: http://zyxel.ru/support Sales E-mail: sales@zyxel.ru Telephone: +7-095-542-89-29 Fax: +7-095-542-89-25 Web: www.zyxel.ru Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia
 Appendix HCustomer SupportNBG410W3G Series User s Guide 423Singapore Support E-mail: support@zyxel.com.sg Sales E-mail: sales@zyxel.com.sg Telephone: +65-6899-6678 Fax: +65-6899-8887 Web: http://www.zyxel.com.sg Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Singapore 609930Spain Support E-mail: support@zyxel.es Sales E-mail: sales@zyxel.es Telephone: +34-902-195-420 Fax: +34-913-005-345 Web: www.zyxel.es  Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, SpainSweden Support E-mail: support@zyxel.se Sales E-mail: sales@zyxel.se Telephone: +46-31-744-7700 Fax: +46-31-744-7701 Web: www.zyxel.se Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, SwedenTaiwan Support E-mail: support@zyxel.com.tw Sales E-mail: sales@zyxel.com.tw Telephone: +886-2-27399889 Fax: +886-2-27353220 Web: http://www.zyxel.com.tw Address: Room B, 21F., No.333, Sec. 2, Dunhua S. Rd., Da-an District, TaipeiThailand Support E-mail: support@zyxel.co.th Sales E-mail: sales@zyxel.co.th Telephone: +662-831-5315 Fax: +662-831-5395 Web: http://www.zyxel.co.th Regular Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak-Noi, Muang, Nonthaburi 11000, Thailand.
Appendix HCustomer SupportNBG410W3G Series User s Guide424Turkey Support E-mail: cso@zyxel.com.tr Telephone: +90 212 222 55 22 Fax: +90-212-220-2526 Web: http:www.zyxel.com.tr Address: Kaptanpasa Mahallesi Piyalepasa Bulvari Ortadogu Plaza N:14/13 K:6 Okmeydani/Sisli Istanbul/TurkeyUkraine Support E-mail: support@ua.zyxel.com Sales E-mail: sales@ua.zyxel.com Telephone: +380-44-247-69-78 Fax: +380-44-494-49-32 Web: www.ua.zyxel.com Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev 04050, UkraineUnited Kingdom Support E-mail: support@zyxel.co.uk Sales E-mail: sales@zyxel.co.uk Telephone: +44-1344-303044, 0845 122 0301 (UK only) Fax: +44-1344-303034 Web: www.zyxel.co.uk Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)
IndexNBG410W3G Series User s Guide 425IndexNumerics3Gintroduction 1263G. See third generation 126Aaccess point 147See also AP.address assignment 115, 247Advanced Encryption StandardSee AES.AES 398ALG 293RTP 294SIP 295STUN 295alternative subnet mask notation 379antennadirectional 401gain 401omni-directional 401anti-probing 180AP 147See also access point.AP (access point) 391APN (Access Point Name) 129Application Layer Gateway. See ALG.applications 35, 36broadband connection 36asymmetrical routes 173vs virtual interfaces 173authentication type 130CHAP 130PAP 130Bbackup configuration 334Basic Service Set, See BSS 389broadcast 103BSS 389CCA 195, 396Certificate AuthoritySee CA.certificates 195CA 195thumbprint algorithms 196thumbprints 196verifying fingerprints 196Certification Authority. See CA.certifications 415notices 416viewing 417channel 148, 391ID 152interference 391CNM 278command line interface 36computer names 104, 106configuration backup 334configuration restore 334contact information 419copyright 415cost of transmission 112CTS (Clear to Send) 392custom ports 185customer support 419Ddate setting 327daylight saving 329daytime time protocol 329default configuration 45default server IP address 235default settings 335Denial of Service. See DoS.device introduction 35DHCP 56, 102, 104, 255
IndexNBG410W3G Series User s Guide426DHCP clients 326DHCP table 56disclaimer 415DNS 277DNS serverprivate LAN 248DNS server address assignment 116DNS service 236domain name 325Domain Name System. See DNS.DoS 167, 183Dynamic DNS 255, 256Dynamic Host Configuration Protocol. See DHCP.dynamic WEP key exchange 397DYNDNS wildcard 248, 255EEAP authentication 395ECHO service 236encryption 149, 398and local (user) database 150key 150WEP 157ESS 390ethernetencapsulation 60Extended Service Set, See ESS 390Ffactory defaults 335factory-default configuration file 45FCC interference statement 415feature specifications 347finger service 236firewallaction for matched packets 180address type 179anti-probing 180creating/editing rules 177custom ports 185DoS 183DoS threshold 183maximum incomplete high 183maximum incomplete low 183one minute high 183one minute low 183rules 167service type 185stateful inspection 167TCP maximum incomplete 183three-way handshake 181threshold 182firmwareupload 331fragmentation threshold 392FTP 255, 273service 236Ggeneral setup 325GMT 329Greenwich Mean Time. See GMT.group key update timer 162HH.323 294RTP 294hidden node 391hide SSID 148HTTP service 236HTTPS 260example 263IIANA 102, 384IBSS 389IEEE 802.11g 393IEEE 802.1xinstallation requirements 151IGMP 103, 104version 103Independent Basic Service SetSee IBSS 389Initialization Vector (IV) 398Internet access setup 59Internet Assigned Number Authority. See IANA.Internet Assigned Numbers AuthoritySee IANA 384IP addresspool 103, 105, 137private 102
IndexNBG410W3G Series User s Guide 427IP protocol type 179ISP parameters 59LLAN 104load balancing 111load sharing 111loading a configuration file 334local (user) database 149and encryption 150MMAC address 116, 148filter 162MAC address filter 148maintenance 325Management Information Base. See MIB.managing the devicegood habits 38using FTP. See FTP.using telnet. See command line interface.using the command line interface. See command line interface.maximum incomplete high 183maximum incomplete low 183Media Access Control. See MAC address.Message Integrity Check (MIC) 398metric 112, 246MIB 275multicast 103multiple WAN 111NNAT 101, 225, 235, 237, 384application 227default server IP address 235definitions 225how NAT works 226inside global address 225inside local address 225many to many no overload 229many to many overload 229many to one 229mapping types 229one to one 229port forwarding 235port restricted cone 228server 229single user account 230what NAT does 226, 232NAT traversal 281navigation panel 52NBNS 104, 106NetBIOS 106NetBIOS Name Server. See NBNS.Network Address Translation. See NAT.Network Basic Input/Output System. See NetBIOS.NNTP service 236NTP time protocol 329Oone minute high 183one minute low 183operating temperature 345PPairwise Master Key (PMK) 398, 400password 43, 326PIN code 130PIN. See Personal Identification Number 130point-to-point protocol over ethernet 120Point-to-Point Protocol over Ethernet. See PPPoEPoint-to-Point Tunneling Protocol. See PPTP.pool of IP addresses 103, 105POP3 service 236port forwarding 235port restricted cone NAT 228port statistics 54PPPoEencapsulation 61, 120PPTP 62, 123encapsulation 62, 123service 236preamble mode 393pre-shared key 161private 246private IP address 102, 115product overview 35product registration 417
IndexNBG410W3G Series User s Guide428PSK 398RRADIUS 394message types 395messages 395shared secret key 395RADIUS server 149Real Time Transport Protocol. See RTP.registrationproduct 417related documentation 3reload factory-default configuration file 45remote management 260CNM 278DNS 277FTP 273how SSH works 267HTTPS 260HTTPS example 263limitations 260secure FTP using SSH 271secure telnet using SSH 270SNMP 274SSH 267SSH implementation 268system timeout 260telnet 272WWW 261reports 307host IP address 308, 309protocol/port 308, 310web site hits 308, 309reset button 45resetting the device 45resetting the time 330restore configuration 334restoring factory defaults 335RFC 1058. See RIP.RFC 1305. See NTP time protocol.RFC 1389. See RIP.RFC 1466. See IP address.RFC 1597. See private IP address.RFC 1631. See NAT.RFC 1889. See RTP.RFC 2131. See DHCP.RFC 2132. See DHCPRFC 3489. See STUN.RFC 867. See daytime time protocol.RFC 868. See time protocol.RIP 103direction 103version 103route priority 112Routing Information Protocol. See RIP.RTC 327RTP 294RTS (Request To Send) 392threshold 391, 392Ssafety warnings 6screws 347secure FTP using SSH 271secure telnet using SSH 270service set 153Service Set IDentification. See SSID 153Service Set IDentity. See SSID.service type 185services 236Session Initiation Protocol. See SIP.Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators. See STUN.Single User Account. See SUA.SIP 295RTP 294SIP ALG 293SMTP service 236SNMP 274get 275getnext 275manager 275MIB 275set 275trap 275SNMP service 236source address 179SSH 267how SSH works 267implementation 268SSID 148hide 148SSID profile 153stateful inspection firewall 167static WEP key 156storage temperature 345STUN 295subnet 377subnet mask 101, 378
IndexNBG410W3G Series User s Guide 429subnetting 380syntax conventions 4systemname 325timeout 260Ttarget market 35TCP maximum incomplete 183TCP/IP priority 112Telnet 272telnet 272temperature (operation) 345temperature (storage) 345Temporal Key Integrity Protocol (TKIP) 398threshold 182time 327daylight saving time 329resetting 330synchronization with server 330zone 329time protocol 329daytime 329NTP 329time 329timeoutsystem 260trademarks 415trafficredirect 132triangle routes 173vs virtual interfaces 173Uunicast 103Universal Plug and Play. See UPnP.UPnP 281, 282examples 284forum 282NAT traversal 281port mapping 283UPnP Implementers Corp. (UIC) 282user authentication 149local (user) database 149RADIUS server 149weaknesses 149Vvantage CNM 278virtual interfacesvs asymmetrical routes 173vs triangle routes 173WWAN IP address 115warranty 417note 417web configurator 43web site hits 308, 309WEP key 156Wi-Fi Protected Access (WPA) 397Windows Internet Naming Service. See WINS.WINS 104, 106WINS server 106wireless client 147wireless client WPA supplicants 399wireless LANintroduction 147wireless networkbasic guidelines 148channel 148encryption 149example 147MAC address filter 148overview 147security 148SSID 148wireless security 148, 393IEEE 802.1x 157none 156overview 148static WEP 156type 148WPA/WPA2 160WPA-PSK/WPA2-PSK 161wireless technologies comparison 127wizard setup 59WLANinterference 391security parameters 400WPA 397group key update timer 162key caching 398pre-authentication 398user authentication 398vs WPA-PSK 398wireless client supplicant 399
IndexNBG410W3G Series User s Guide430with RADIUS application example 399WPA2 397user authentication 398vs WPA2-PSK 398wireless client supplicant 399with RADIUS application example 399WPA2-Pre-Shared Key 397WPA2-PSK 397, 398application example 399WPA-PSK 397, 398application example 399WWW 261

Navigation menu