ZyXEL Communications Corporation OX253P WiMAX MIMO 2.5GHz Outdoor Simple CPE User's Manual

OX253P
WiMAX MIMO Outdoor Simple CPE
Firmware Version 3.70
Edition 1, 11/2010

Default Login Details
IP Address: http://192.168.1.1
Administrator's User Name and Password: admin/admin
General User's User Name and Password: user/user

About This User's Guide

Intended Audience
This manual is intended for people who want to configure the OX253P using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Related Documentation
• Quick Start Guide
  The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
• Web Configurator Online Help
  Embedded web help for descriptions of individual screens and supplementary information.
• Command Reference Guide
  The Command Reference Guide explains how to use the Command-Line Interface (CLI) and CLI commands to configure the OX253P.
  Note: It is recommended you use the web configurator to configure the OX253P.
• Support Disc

Disclaimer
Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate.

Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User's Guide.
Warnings tell you about things that could harm you or your OX253P.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions
• The product(s) described in this book may be referred to as the "OX253P", the "device", the "system" or the "product" in this User's Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
• "Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, TOOLS > Logs > Log Settings means you first click Tools in the navigation panel, then the Logs sub menu and finally the Log Settings tab to get to that screen.
• Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
• "e.g.," is a shorthand for "for instance", and "i.e.," means "that is" or "in other words".

Icons Used in Figures
Figures in this User's Guide may use the following generic icons. The OX253P icon is not an exact representation of your OX253P.

Table 1   Common Icons
WiMAX Access Point, Computer, Wireless Signal, Notebook, Server, WiMAX Base Station, Telephone, Switch, Router, Internet Cloud, Internet/WiMAX Cloud

Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
• Always disconnect all cables from this device before servicing or disassembling.
• Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the device and the power source.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
• Use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
• Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
• Make sure that the cable system is grounded so as to provide some protection against voltage surges.

Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.

Federal Communication Commission Interference Statement

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.

FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

IMPORTANT NOTE: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.

This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

Contents Overview

User's Guide
  Getting Started
  Introducing the Web Configurator
  Internet Connection Wizard
  Tutorials
Technical Reference
  The Setup Screens
  The LAN Configuration Screens
  The WAN Configuration Screens
  The NAT Configuration Screens
  The System Configuration Screens
  The Certificates Screens
  The Firewall Screens
  Content Filter
  The Remote Management Screens
  QoS
  The Logs Screens
  The Status Screen
  Troubleshooting
  Product Specifications

Table of Contents

About This User's Guide
Document Conventions
Safety Warnings
Contents Overview
Table of Contents

Part I: User's Guide

Chapter 1 Getting Started
  1.1 About Your OX253P
    1.1.1 WiMAX Internet Access
  1.2 OX253P Hardware
    1.2.1 LEDs
  1.3 Good Habits for Managing the Device

Chapter 2 Introducing the Web Configurator
  2.1 Overview
    2.1.1 Accessing the Web Configurator
  2.2 The Main Screen

Chapter 3 Internet Connection Wizard
  3.1 Overview
    3.1.1 Welcome to the Setup Wizard
    3.1.2 System Information
    3.1.3 Authentication Settings
    3.1.4 IP Address
    3.1.5 Setup Complete

Chapter 4 Tutorials
  4.1 Overview
  4.2 Setting Up a Small Network
    4.2.1 Connecting Your Small Network to the Internet
    4.2.2 Changing Service Providers
    4.2.3 Blocking Web Access During Specific Hours
    4.2.4 Blocking Web Sites by Keyword
  4.3 Remotely Managing Your OX253P

Part II: Technical Reference

Chapter 5 The Setup Screens
  5.1 Overview
    5.1.1 What You Can Do in This Chapter
    5.1.2 What You Need to Know
    5.1.3 Before You Begin
  5.2 Set IP Address
  5.3 DHCP Client
  5.4 Time Setting
    5.4.1 Pre-Defined NTP Time Servers List
    5.4.2 Resetting the Time

Chapter 6 The LAN Configuration Screens
  6.1 Overview
    6.1.1 What You Can Do in This Chapter
    6.1.2 What You Need to Know
  6.2 DHCP Setup
  6.3 Static DHCP
  6.4 IP Static Route
    6.4.1 IP Static Route Setup
  6.5 Other Settings
  6.6 Technical Reference
    6.6.1 IP Address and Subnet Mask
    6.6.2 DHCP Setup
    6.6.3 LAN TCP/IP
    6.6.4 DNS Server Address
    6.6.5 RIP Setup
    6.6.6 Multicast

Chapter 7 The WAN Configuration Screens
  7.1 Overview
    7.1.1 What You Can Do in This Chapter
    7.1.2 What You Need to Know
  7.2 Internet Connection
  7.3 WiMAX Configuration
    7.3.1 Frequency Ranges
    7.3.2 Configuring Frequency Settings
    7.3.3 Using the WiMAX Frequency Screen
  7.4 Buzzer
  7.5 Advanced

Chapter 8 The NAT Configuration Screens
  8.1 Overview
    8.1.1 What You Can Do in This Chapter
  8.2 General
  8.3 Port Forwarding
    8.3.1 Port Forwarding Options
    8.3.2 Port Forwarding Rule Setup
  8.4 Trigger Port
    8.4.1 Trigger Port Forwarding Example
  8.5 ALG

Chapter 9 The System Configuration Screens
  9.1 Overview
    9.1.1 What You Can Do in This Chapter
    9.1.2 What You Need to Know
  9.2 General
  9.3 Dynamic DNS
  9.4 Firmware
    9.4.1 The Firmware Upload Process
  9.5 Configuration
    9.5.1 The Restore Configuration Process
  9.6 Restart
    9.6.1 The Restart Process
  9.7 Bridge

Chapter 10 The Certificates Screens
  10.1 Overview
    10.1.1 What You Can Do in This Chapter
    10.1.2 What You Need to Know
  10.2 My Certificates
    10.2.1 My Certificates Create
    10.2.2 My Certificate Edit
    10.2.3 My Certificate Import
  10.3 Trusted CAs
    10.3.1 Trusted CA Edit
    10.3.2 Trusted CA Import
  10.4 Technical Reference
    10.4.1 Certificate Authorities
    10.4.2 Verifying a Certificate

Chapter 11 The Firewall Screens
  11.1 Overview
    11.1.1 What You Can Do in This Chapter
    11.1.2 What You Need to Know
  11.2 Firewall Setting
    11.2.1 Firewall Rule Directions
    11.2.2 Triangle Route
    11.2.3 Firewall Setting Options
  11.3 Services
  11.4 Technical Reference
    11.4.1 Stateful Inspection Firewall
    11.4.2 Guidelines For Enhancing Security With Your Firewall
    11.4.3 The "Triangle Route" Problem

Chapter 12 Content Filter
  12.1 Overview
    12.1.1 What You Can Do in This Chapter
  12.2 Filter
  12.3 Schedule

Chapter 13 The Remote Management Screens
  13.1 Overview
    13.1.1 What You Can Do in This Chapter
    13.1.2 What You Need to Know
  13.2 WWW
  13.3 Telnet
  13.4 FTP
  13.5 SNMP
    13.5.1 SNMP Traps
    13.5.2 SNMP Options
  13.6 DNS
  13.7 Security
  13.8 CWMP-TR069

Chapter 14 QoS
  14.1 Overview
  14.2 General
  14.3 Class Setup
    14.3.1 Class Configuration

Chapter 15 The Logs Screens
  15.1 Overview
    15.1.1 What You Can Do in This Chapter
    15.1.2 What You Need to Know
  15.2 View Logs
  15.3 Log Settings
  15.4 Log Message Descriptions

Chapter 16 The Status Screen
  16.1 Overview
  16.2 Status Screen
    16.2.1 Packet Statistics
    16.2.2 WiMAX Site Information
    16.2.3 DHCP Table
    16.2.4 WiMAX Profile
  16.3 Technical Reference

Chapter 17 Troubleshooting
  17.1 Power, Hardware Connections, and LEDs
  17.2 OX253P Access and Login
  17.3 Internet Access
  17.4 Export a Certificate File
  17.5 Reset the OX253P to Its Factory Defaults
    17.5.1 Pop-up Windows, JavaScripts and Java Permissions

Chapter 18 Product Specifications

Appendix A WiMAX Security
Table of ContentsOX253P User’s Guide16Appendix  B  Setting Up Your Computer’s IP Address...........................................................189Appendix  C  Pop-up Windows, JavaScripts and Java Permissions......................................217Appendix  D  IP Addresses and Subnetting...........................................................................229Appendix  E  Importing Certificates........................................................................................241Appendix  F  Common Services.............................................................................................271Index.......................................................................................................................................275
PART I
User’s Guide
CHAPTER 1 Getting Started

1.1  About Your OX253P

The OX253P has a built-in switch and allows you to access the Internet by connecting to a WiMAX wireless network. You can configure firewall and content filtering as well as a host of other features. The web browser-based Graphical User Interface (GUI), also known as the web configurator, provides easy management.

See Chapter 18 on page 181 for a complete list of features for your model.

1.1.1  WiMAX Internet Access

Connect your computer or network to the OX253P for WiMAX Internet access. See the Quick Start Guide for instructions on hardware connection.

In a wireless metropolitan area network (MAN), the OX253P connects to a WiMAX base station (BS) for Internet access. The following diagram shows a notebook computer equipped with the OX253P connecting to the Internet through a WiMAX base station (marked BS).

Figure 1   Mobile Station and Base Station

When the firewall is on, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. Use content filtering to block access to web sites with URLs containing keywords that you specify. You can define time periods and days during which content filtering is enabled and include or exclude particular computers on your network from content filtering. For example, you could block access to certain web sites for the kids.

1.2  OX253P Hardware

Follow the instructions in the Quick Start Guide to make hardware connections.

1.2.1  LEDs

The following figure shows the LEDs (lights) on the OX253P.

Figure 2   The OX253P’s LEDs (labels: Strength Indicators, Activity Indicator)

The following table describes your OX253P’s LEDs (from right to left).

Table 2   The OX253P
LED | STATE | DESCRIPTION
Power (IDU only) | Off | The OX253P is not receiving power.
Power (IDU only) | Green | The OX253P is receiving power and functioning correctly.
Strength Indicator | | The Strength Indicator LEDs display the Received Signal Strength Indication (RSSI) of the wireless (WiMAX) connection.
Strength Indicator | 5 Signal LEDs | The signal strength is greater than or equal to -59 dBm.
Strength Indicator | 4 Signal LEDs | The signal strength is between -69 and -60 dBm.
Strength Indicator | 3 Signal LEDs | The signal strength is between -79 and -70 dBm.
Strength Indicator | 2 Signal LEDs | The signal strength is between -89 and -90 dBm.
Strength Indicator | 1 Signal LED | The signal strength is between -90 and -95 dBm.
Strength Indicator | 0 Signal LEDs | There is no WiMAX connection.
Activity Indicator | Off | The OX253P is not ready.
Activity Indicator | Green | The OX253P is connected to the network.
Activity Indicator | Blinking | The OX253P system is booting up or the OX253P is seeking a viable signal.

1.3  Good Habits for Managing the Device

Do the following things regularly to make the OX253P more secure and to manage the OX253P more effectively.

•Change the password. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
•Write down the password and put it in a safe place.
•Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the OX253P becomes unstable or even crashes. If you forget your password, you will have to reset the OX253P to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the OX253P. You could simply restore your last configuration.
CHAPTER 2 Introducing the Web Configurator

2.1  Overview

The web configurator is an HTML-based management interface that allows easy device setup and management via any web browser that supports HTML 4.0, CSS 2.0, and JavaScript 1.5 or higher. The recommended screen resolution for using the web configurator is 1024 by 768 pixels and 16-bit color, or higher.

In order to use the web configurator you need to allow:

•Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in many operating systems and web browsers.
•JavaScript (enabled by default in most web browsers).
•Java permissions (enabled by default in most web browsers).

See Appendix C on page 217 for more information on configuring your web browser.

2.1.1  Accessing the Web Configurator

1. Make sure your OX253P hardware is properly connected (refer to the Quick Start Guide for more information).
2. Launch your web browser.
3. Enter "192.168.1.1" as the URL.
4. Select your preferred language from the language drop-down list.
5. A password screen displays. Enter the default username (admin) and password (admin) and then click Login. Click Cancel to revert to the default password in the password field. If you have changed the password, enter your password and click Login.
6. The following screen displays. Click Apply to have the OX253P generate a new certificate. You can also click Ignore to have the OX253P use the default certificate.
7. A screen displays to let you choose to go to the Wizard or the Advanced screens.

•Click Go to Wizard setup if you are logging in for the first time or if you want to make basic changes. The wizard selection screen appears. See Chapter 3 on page 29 for more information.
•Click Go to Advanced setup if you want to configure features that are not available in the wizards. The main screen appears. See Section 16.2 on page 163 for more information.
•Click Exit if you want to log out.
Note: For security reasons, the OX253P automatically logs you out if you do not use the Web Configurator for five minutes. If this happens, log in again.

2.2  The Main Screen

When you first log into the web configurator and bypass the wizard, the Main screen appears. Here you can view a summary of your OX253P connection status. This is also the default “home” page for the web configurator and it contains conveniently placed shortcuts to all of the other screens.

Note: Some features in the web configurator may not be available depending on your firmware version and/or configuration.

Figure 3   Main Screen

The following table describes the icons in this screen.

Table 3   Main > Icons
ICON | DESCRIPTION
MAIN | Click to return to the Main screen.
SETUP | Click to go to the Setup screen, where you can configure LAN, DHCP and WAN settings.
ADVANCED | Click to go to the Advanced screen, where you can configure features like Port Forwarding and Triggering, SNTP and so on.
TOOLS | Click to go to the Tools screen, where you can configure your firewall, QoS, and content filter, among other things.
STATUS | Click to go to the Status screen, where you can view status and statistical information for all connections and interfaces.
Strength Indicator | Displays a visual representation of the quality of your WiMAX connection. Disconnected - Zero bars; Poor reception - One bar; Good reception - Two bars; Excellent reception - Three bars.

The following table describes the labels in this screen.

Table 4   Main
LABEL | DESCRIPTION
Wizard | Click to run the Internet Connection Setup Wizard. All of the settings that you can configure in this wizard are also available in these web configurator screens.
Logout | Click to log out of the web configurator. Note: This does not log you off the WiMAX network; it simply logs you out of the OX253P’s browser-based configuration interface.
WiMAX Connection Status | This field indicates the current status of your WiMAX connection. Status messages are as follows. Connected - Indicates that the OX253P is connected to the WiMAX network. Use the Strength Indicator icon to determine the quality of your network connection. Disconnected - Indicates that the OX253P is not connected to the WiMAX network. DL_SYN - Indicates a download synchronization is in progress. This means the firmware is checking with the server for any updates or settings alterations.
Software Version | This field indicates the version number of the OX253P’s firmware. The version number takes the form of: Version(Build),release status (candidate) | Version Release Date. For example: V3.70(TPG.0)c4 | 07/08/2010 indicates that the firmware is 3.70, build TPG.0, candidate 4, released on July 08, 2010.
Version Date | This field indicates the exact date and time the current firmware was compiled.
System Uptime | This field indicates how long the OX253P has been on. This resets every time you shut the device down or restart it.
WiMAX Uptime | This field indicates how long the OX253P has been connected to the WiMAX network. This resets every time you disconnect from the WiMAX network, shut the device down, or restart it.
CHAPTER 3 Internet Connection Wizard

3.1  Overview

This chapter provides information on the Setup Wizard screens. The wizard guides you through several steps where you can configure your Internet settings.

3.1.1  Welcome to the Setup Wizard

This is the welcome screen for the Setup Wizard.

Figure 4   Select a Mode

The Internet Connection Wizard screens are described in detail in the following sections.
3.1.2  System Information

This Internet Connection Wizard screen allows you to configure your OX253P’s system information. The settings here correspond to the ADVANCED > System Configuration > General screen (see Section 9.2 on page 89 for more).

Figure 5   Internet Connection Wizard > System Information

The following table describes the labels in this screen.

Table 5   Internet Connection Wizard > System Information
LABEL | DESCRIPTION
System Name | System Name is a unique name to identify the OX253P in an Ethernet network. Enter a descriptive name. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name | Type the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP assigned domain name.
Back | Click to display the previous screen.
Next | Click to proceed to the next screen.
Close | Click to close the wizard without saving.
3.1.3  Authentication Settings

This Internet Connection Wizard screen allows you to configure your Internet access settings. The settings here correspond to the ADVANCED > WAN Configuration > Internet Connection screen (see Section 7.2 on page 68 for more information).

Figure 6   Internet Connection Wizard > Authentication Settings Screen

The following table describes the labels in this screen.

Table 6   Internet Connection Wizard > Authentication Settings Screen
LABEL | DESCRIPTION
User Name | Use this field to enter the username associated with your Internet access account. You can enter up to 61 printable ASCII characters.
Password | Use this field to enter the password associated with your Internet access account. You can enter up to 47 printable ASCII characters.
Anonymous Identity | Enter the anonymous identity provided by your Internet Service Provider. Anonymous identity (also known as outer identity) is used with EAP-TTLS encryption. The anonymous identity is used to route your authentication request to the correct authentication server, and does not reveal your real user name. Your real user name and password are encrypted in the TLS tunnel, and only the anonymous identity can be seen. Leave this field blank if your ISP did not give you an anonymous identity to use.
PKM | This field displays the Privacy Key Management version number. PKM provides security between the OX253P and the base station. At the time of writing, the OX253P supports PKMv2 only. See the WiMAX security appendix for more information.
Authentication | This field displays the user authentication method. Authentication is the process of confirming the identity of a mobile station (by means of a username and password, for example). Check with your service provider if you are unsure of the correct setting for your account. Choose from the following user authentication methods: TTLS (Tunnelled Transport Layer Security); TLS (Transport Layer Security). Note: Not all OX253Ps support TLS authentication. Check with your service provider for details.
TTLS Inner EAP | This field displays the type of secondary authentication method. Once a secure EAP-TTLS connection is established, the inner EAP is the protocol used to exchange security information between the mobile station, the base station and the AAA server to authenticate the mobile station. See the WiMAX security appendix for more details. The OX253P supports the following inner authentication types: CHAP (Challenge Handshake Authentication Protocol); MSCHAP (Microsoft CHAP); MSCHAPV2 (Microsoft CHAP version 2); PAP (Password Authentication Protocol).
Certificate | This is the security certificate the OX253P uses to authenticate the AAA server. Use the TOOLS > Certificates > Trusted CA screen to import certificates to the OX253P.
Back | Click to display the previous screen.
Next | Click to proceed to the next screen.
Close | Click to close the wizard without saving.
3.1.4  IP Address

This Internet Connection Wizard screen allows you to configure your IP address. The settings here correspond to the SETUP > Set IP Address screen (see Section 5.2 on page 48).

A fixed IP address is a static IP that your ISP gives you. An automatic (dynamic) IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.

Figure 7   Internet Connection Wizard > IP Address

The following table describes the labels in this screen.

Table 7   Internet Connection Wizard > IP Address
LABEL | DESCRIPTION
IP Address |
My computer or device gets its IP address automatically from the network | Select this if you have a dynamic IP address. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.
Use fixed IP Address | A static IP address is a fixed IP that your ISP gives you.
Back | Click to display the previous screen.
Next | Click to proceed to the next screen.
Close | Click to close the wizard screen without saving.
3.1.5  Setup Complete

Click Close to complete and save the Internet Connection Wizard settings.

Figure 8   Internet Connection Wizard > Complete

Launch your web browser and navigate to a website of your choice. If everything was configured properly, the web page should display. You can now surf the Internet!

Refer to the rest of this guide for more detailed information on the complete range of OX253P features available in the more advanced web configurator.

Note: If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct.
CHAPTER 4 Tutorials

4.1  Overview

This chapter shows you how to configure some of the OX253P’s features.

Note: Be sure to read Introducing the Web Configurator on page 23 before working through the tutorials presented here. For field descriptions of individual screens, see the related technical reference in this User's Guide.

4.2  Setting Up a Small Network

This tutorial shows you how to set up a small network in your office or home.

Goal: Connect three computers to your OX253P to form a small network.
Required: The following table provides a summary of the information you will need to complete the tasks in this tutorial.

INFORMATION | VALUE | SEE ALSO
LAN IP Address | 192.168.100.1 | Chapter 5 on page 47
Starting IP Address | 192.168.100.33 | Chapter 6 on page 53
Pool Size | 32 |
DNS Servers | From ISP |

1. In the Web Configurator, open the SETUP > Set IP Address screen and set the IP Address to 192.168.100.1. Use the default IP Subnet Mask of 255.255.255.0.
2. Open the ADVANCED > LAN Configuration > DHCP Setup screen.
3. Select Enable DHCP Server, then enter 192.168.100.34 as your IP Pool Starting Address and 32 for your Pool Size.
4. In the DNS Server section, set the First, Second and Third DNS Server fields to From ISP in order to use the DNS servers linked to your ISP.
5. Click Apply to save your DHCP settings.
6. Next, go to the ADVANCED > NAT Configuration > General screen and select the Enable Network Address Translation option.
7. Click Apply to save your settings.
8. Connect your computers to the OX253P’s Ethernet ports and you’re all set!

Note: You may need to configure the computers on your LAN to automatically obtain IP addresses. For information on how to do this, see Appendix B on page 189.

4.2.1  Connecting Your Small Network to the Internet

Once your network is configured and hooked up, you will want to connect it to the Internet next. To do this, just run the Internet Connection Wizard (Chapter 3 on page 29), which walks you through the process.

4.2.2  Changing Service Providers

This tutorial shows you how to import a new security certificate, which allows your device to communicate with the company’s network servers. This is necessary if you ever change Internet Service Providers and your OX253P is still compatible with the new network. (In some cases it may not be.)

Goal: Import a new security certificate into the OX253P.

See Also: Chapter 10 on page 97.
1. In the Web Configurator, open the TOOLS > Certificates > My Certificates screen and click the Import button.
2. In the Import Certificate screen, click Browse and locate the security certificate that was provided by your new ISP.
3. Next, go to the ADVANCED > WAN Configuration screen and configure your new Internet access settings based on the information provided by your ISP.

Note: You can also use the Internet Connection Wizard to configure these settings.

4. From the Certificates menu, select the security certificate that you just imported.
5. Click Apply to save your settings. You should now be able to connect to the Internet through your new service provider!

4.2.3  Blocking Web Access During Specific Hours

If your OX253P is in a home or office environment you may decide that you want to block web access and video chat during a specific block of hours, such as during your daughter’s designated study hours.

Goal: Configure the OX253P’s firewall to block web and video chat access on weekdays between the hours of 3:30 PM and 8:30 PM.

See Also: Chapter 11 on page 119.
1. Open the TOOLS > Firewall > Services screen.
2. Select Enable Services Blocking.
3. Under Available Services, select HTTP(TCP:80) then click the Add button. Repeat this for CU-SEEME(TCP/UDP:7648,24032).

This blocks all web and video chat traffic, while leaving other ports open for other types of traffic, such as ports 25 and 587 for e-mail and port 21 for FTP.

The Blocked Services window updates accordingly.

4. Next, configure the Schedule to Block area with the days and hours for blocking web access to your employees.

In this example, the five weekly work days are selected as well as the standard work hours of 3:30 PM to 8:30 PM (or 20:30 in 24-hour format).

5. Finally, click Apply to save your settings.
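The rule set built in this tutorial, modelled as an added example (it is not ZyXEL code and not taken from the device firmware), to check which flows the Blocked Services list and the Schedule to Block actually cover. Matching on destination port and treating the window as start-inclusive and end-exclusive are assumptions; the sample flows and dates are constructed.

```python
from datetime import datetime

# Blocked Services chosen in the tutorial: name -> (protocols, destination ports).
BLOCKED_SERVICES = {
    "HTTP": ({"tcp"}, {80}),
    "CU-SEEME": ({"tcp", "udp"}, {7648, 24032}),
}

# Schedule to Block from the tutorial: five weekly work days, 3:30 PM to 8:30 PM.
BLOCK_DAYS = {0, 1, 2, 3, 4}   # Monday=0 ... Friday=4
BLOCK_START = (15, 30)
BLOCK_END = (20, 30)


def in_schedule(when):
    """True inside the blocking window (assumption: start inclusive, end exclusive)."""
    if when.weekday() not in BLOCK_DAYS:
        return False
    return BLOCK_START <= (when.hour, when.minute) < BLOCK_END


def matching_service(proto, dst_port):
    """Name of the blocked service that covers this protocol/port, or None."""
    for name, (protos, ports) in BLOCKED_SERVICES.items():
        if proto.lower() in protos and dst_port in ports:
            return name
    return None


def is_blocked(proto, dst_port, when):
    """Assumed model: a flow is dropped only if it matches a blocked service
    while the schedule is active."""
    return in_schedule(when) and matching_service(proto, dst_port) is not None


def uncovered(flows, when):
    """Labels of the sample flows that the rule set lets through at `when`."""
    return [label for label, proto, port in flows
            if not is_blocked(proto, port, when)]


# Constructed sample flows: (label, protocol, destination port).
SAMPLE_FLOWS = [
    ("web (HTTP)", "tcp", 80),
    ("web (HTTPS)", "tcp", 443),
    ("video chat (CU-SEEME)", "udp", 7648),
    ("e-mail (SMTP)", "tcp", 25),
    ("FTP", "tcp", 21),
]

if __name__ == "__main__":
    study_hours = datetime(2010, 11, 3, 16, 0)   # constructed: a Wednesday, 4:00 PM
    weekend = datetime(2010, 11, 6, 16, 0)       # constructed: a Saturday, 4:00 PM
    print("let through during study hours:", uncovered(SAMPLE_FLOWS, study_hours))
    print("let through on Saturday:", uncovered(SAMPLE_FLOWS, weekend))
```

In this model web traffic to TCP port 443 is let through during the blocked hours, because only HTTP(TCP:80) and CU-SEEME were added to Blocked Services.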
4.2.4  Blocking Web Sites by Keyword

You can further refine web access by specifying keywords that appear in a URL and blocking them. This allows you to control the content you do allow to pass through the OX253P. For example, once your daughter’s designated study hours end, you allow web access and video chat but want to restrict certain sites.

Goal: Restrict websites with the words “poker”, “sex”, and “beer” in their URLs.

See Also: Chapter 12 on page 129.

1. Open the TOOLS > Content Filter > Filter screen.
2. Select Enable URL Keyword Blocking.
3. Enter the first Keyword then click Add. Repeat for additional keywords.

As you enter them, the keywords appear in the Keyword List.

4. (Optional) If you want to allow websites with these keywords for a specific computer in your household, such as the computer in the master bedroom, then add that computer’s IP address to the Trusted IP Address field.
5. Click Apply to save these settings.
6. Next, open the TOOLS > Content Filter > Schedule screen.
7. To keep things simple, set the Days to Block to Everyday and the Time of Day to Block to All Day.
8. Click Apply to save these settings.
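The keyword filter configured above, modelled as an added example (not ZyXEL code) so the keyword list can be tried against sample URLs before it is applied. Case-insensitive substring matching over host, path and query is an assumption about how the device compares keywords; the trusted address and all URLs are constructed.

```python
from urllib.parse import urlsplit

KEYWORDS = ["poker", "sex", "beer"]   # Keyword List from the tutorial
TRUSTED_IP = "192.168.100.40"         # constructed value for the Trusted IP Address field


def matched_keyword(url, keywords=KEYWORDS):
    """Return the first keyword found anywhere in the URL, or None.

    Assumption: the filter does a case-insensitive substring match on
    host + path + query, so it has no notion of word boundaries.
    """
    parts = urlsplit(url if "//" in url else "//" + url)
    haystack = parts.netloc + parts.path
    if parts.query:
        haystack += "?" + parts.query
    haystack = haystack.lower()
    for keyword in keywords:
        if keyword.lower() in haystack:
            return keyword
    return None


def decide(client_ip, url, trusted_ip=TRUSTED_IP):
    """Return ("allow" | "block", matched keyword or None) for one request."""
    if client_ip == trusted_ip:
        # The Trusted IP Address is exempt from keyword blocking.
        return ("allow", None)
    keyword = matched_keyword(url)
    return ("block", keyword) if keyword else ("allow", None)


# Constructed requests: (client IP, URL).
SAMPLE_REQUESTS = [
    ("192.168.100.35", "http://cards.example/poker-night"),
    ("192.168.100.35", "http://www.essex.example/admissions"),     # place name contains "sex"
    ("192.168.100.35", "http://visit-beersheba.example/museums"),  # city name contains "beer"
    ("192.168.100.35", "http://news.example/weather"),
    ("192.168.100.40", "http://cards.example/poker-night"),        # trusted computer
]

if __name__ == "__main__":
    for client, url in SAMPLE_REQUESTS:
        verdict, keyword = decide(client, url)
        print(f"{client:15} {verdict:5} {keyword or '-':5} {url}")
```

Under the substring assumption, short keywords also match unrelated place and brand names, so a keyword list is worth testing against the sites the household actually uses.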
4.3  Remotely Managing Your OX253P

The remote management feature allows you to log into the device over the Internet and configure its settings from a second trusted location.

Goal: Set up the OX253P to allow management requests from the (demonstration) IP address 2.2.2.2.

See Also: Chapter 13 on page 133.

1. Open the TOOLS > Remote Management > WWW screen.
2. Leave the Server Port setting as ‘80’, in order to allow computers back at the OX253P’s location to continue to access the Internet.
3. From the Server Access menu, select WAN. This allows remote management connections only from the Internet.
4. Finally, in the Secured Client IP Address field enter 2.2.2.2 as the IP address from which you will be connecting to the OX253P. Any other attempts by computers on the Internet to connect will be rejected because their IP addresses won’t match the one specified here.
5. Click Apply to save your changes.
PART II
Technical Reference
CHAPTER 5 The Setup Screens

5.1  Overview

Use these screens to configure or view LAN, DHCP Client and WAN settings.

5.1.1  What You Can Do in This Chapter

•The Set IP Address screen (Section 5.2 on page 48) lets you configure the OX253P’s IP address and subnet mask.
•The DHCP Client screen (Section 5.3 on page 49) lets you view connection information for clients configured by the OX253P’s internal DHCP server.
•The Time Setting screen (Section 5.4 on page 50) lets you configure your OX253P’s time and date keeping settings.

5.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

LAN
A Local Area Network, or a shared communication system to which many computers are attached. A LAN, as its name implies, is limited to a local area such as a home or office environment. LANs have different topologies, the most common being the linear bus and the star configuration.

IP Address
IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet Mask
The subnet mask specifies the network number portion of an IP address. Your device will compute the subnet mask automatically based on the IP Address that you entered. You do not need to change the computer subnet mask unless you are instructed to do so.

Daytime
A network protocol used by devices for debugging and time measurement. A computer can use this protocol to set its internal clock but only if it knows in which order the year, month, and day are returned by the server. Not all servers use the same format.

Time
A network protocol for retrieving the current time from a server. The computer issuing the command compares the time on its clock to the information returned by the server, adjusts itself automatically for time zone differences, then calculates the difference and corrects itself if there has been any temporal drift.

NTP
NTP stands for Network Time Protocol. It is employed by devices connected to the Internet in order to obtain a precise time setting from an official time server. These time servers are accurate to within 200 microseconds.

5.1.3  Before You Begin

•Make sure that you have made all the appropriate hardware connections to the OX253P, as described in the Quick Start Guide.
•Make sure that you have logged in to the web configurator at least one time and changed your password from the default, as described in the Quick Start Guide.

5.2  Set IP Address

Click the SETUP icon in the navigation bar to set up the OX253P’s IP address and subnet mask. This screen displays by default. If you are in any other sub-screen you can simply choose Set IP Address from the navigation menu on the left to open it again.

Figure 9   SETUP > Set IP Address
The following table describes the labels in this screen.

Table 8   SETUP > Set IP Address
LABEL | DESCRIPTION
IP Address | Enter the IP address of the OX253P on the LAN. Note: This field is the IP address you use to access the OX253P on the LAN. If the web configurator is running on a computer on the LAN, you lose access to it as soon as you change this field and click Apply. You can access the web configurator again by typing the new IP address in the browser.
IP Subnet Mask | Enter the subnet mask of the LAN.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

5.3  DHCP Client

Click SETUP > DHCP Client to view connection information for all clients that have been configured by the OX253P’s internal DHCP server.

Figure 10   SETUP > Set IP Address

The following table describes the labels in this screen.

Table 9   SETUP > Set IP Address
LABEL | DESCRIPTION
# | This indicates the number of the item in this list.
IP Address | This indicates the IP address of a connected client device.
Host Name | This indicates the host name of a connected client device. If the device is a computer, then the host name is the computer name.
MAC Address | This indicates the MAC address of a connected client device.
Reserve | This indicates whether the IP address for the connected client device is reserved. When the DHCP server issues IP addresses, reserved IPs are assigned to specific client devices. If the IP address is reserved, the client device identified by its MAC address will always receive this IP address from the DHCP server.
Apply | Click to save your changes.
Refresh | Click to refresh the information in the screen.

5.4  Time Setting

Click SETUP > Time Setting to set the date, time, and time zone for the OX253P.

Figure 11   SETUP > Time Setting

The following table describes the labels in this screen.

Table 10   SETUP > Time Setting
LABEL | DESCRIPTION
Current Time and Date |
Current Time | Displays the current time according to the OX253P.
Current Date | Displays the current time according to the OX253P.
Time and Date Setup |
Manual | Select this if you want to specify the current date and time in the fields below.
New Time | Enter the new time in this field, and click Apply.
New Date | Enter the new date in this field, and click Apply.
Get from Time Server | Select this if you want to use a time server to update the current date and time in the OX253P.
Time Protocol | Select the time service protocol that your time server uses. Check with your ISP or network administrator, or use trial-and-error to find a protocol that works. Daytime (RFC-867) - This format is day/month/year/time zone. Time (RFC-868) - This format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. NTP (RFC-1305) - This format is similar to Time (RFC 868).
Time Server Address | Enter the IP address or URL of your time server. Check with your ISP or network administrator if you are unsure of this information.
Time Zone Setup |
Time Zone | Select the time zone at your location.
Daylight Savings | Select this if your location uses daylight savings time. Daylight savings is a period from late spring to early fall when many places set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Start Date | Enter which hour on which day of which week of which month daylight-savings time starts.
End Date | Enter which hour on which day of which week of which month daylight-savings time ends.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

5.4.1  Pre-Defined NTP Time Servers List

The OX253P uses a pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified. It can use this list regardless of the time protocol you select.

When the OX253P uses the list, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then it goes through the rest of the list in order until either it is successful or all the pre-defined NTP time servers have been tried.

Table 11   Pre-defined NTP Time Servers
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
ntp1.sp.se
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw

5.4.2  Resetting the Time

The OX253P automatically resets the time in the following circumstances:

•When the device starts up, such as when you press the Power button.
•When you click Apply in the SETUP > Time Setting screen.
•Once every 24 hours after starting up.
CHAPTER 6 The LAN Configuration Screens

6.1  Overview

Use the ADVANCED > LAN Configuration screens to set up the OX253P on the LAN. You can configure its IP address and subnet mask, DHCP services, and other subnets. You can also control how the OX253P sends routing information using RIP.

A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is usually a computer network limited to the immediate area, such as the same building or floor of a building.

6.1.1  What You Can Do in This Chapter

•The DHCP Setup screen (Section 6.2 on page 54) lets you enable, disable, and configure the DHCP server in the OX253P.
•The Static DHCP screen (Section 6.3 on page 56) lets you assign specific IP addresses to specific computers on the LAN.
•The IP Static Route screen (Section 6.4 on page 57) lets you examine the static routes configured in the OX253P.
•The Other Settings screen (Section 6.5 on page 59) lets you control the routing information that is sent and received by each subnet.

6.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

IP Address
IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.
Subnet Masks
Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

DNS
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a networking device before you can access it.

DHCP
A DHCP (Dynamic Host Configuration Protocol) server can assign your OX253P an IP address, subnet mask, DNS and other routing information when it’s turned on.

6.2  DHCP Setup
Click ADVANCED > LAN Configuration > DHCP Setup to enable, disable, and configure the DHCP server in the OX253P.

Figure 12   ADVANCED > LAN Configuration > DHCP Setup

The following table describes the labels in this screen.

Table 12   ADVANCED > LAN Configuration > DHCP Setup
LABEL: DESCRIPTION
DHCP Setup
Enable DHCP Server: Select this if you want the OX253P to be the DHCP server on the LAN. As a DHCP server, the OX253P assigns IP addresses to DHCP clients on the LAN and provides the subnet mask and DNS server information.
Table 12   ADVANCED > LAN Configuration > DHCP Setup (continued)
LABEL: DESCRIPTION
IP Pool Starting Address: Enter the IP address from which the OX253P begins allocating IP addresses, if you have not specified an IP address for this computer in ADVANCED > LAN Configuration > Static DHCP.
Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by a subnet mask of 255.255.255.0 (regardless of the subnet the OX253P is in). For example, if the IP Pool Start Address is 10.10.10.10, the OX253P can allocate up to 10.10.10.254, or 245 IP addresses.
DNS Server
First, Second and Third DNS Server: Specify the IP addresses of a maximum of three DNS servers that the network can use. The OX253P provides these IP addresses to DHCP clients. You can specify these IP addresses two ways.
  From ISP - provide the DNS servers provided by the ISP on the WAN port.
  User Defined - enter a static IP address.
  DNS Relay - this setting will relay DNS information from the DNS server obtained by the OX253P.
  None - no DNS service will be provided by the OX253P.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
6.3  Static DHCP
Click ADVANCED > LAN Configuration > Static DHCP to assign specific IP addresses to specific computers on the LAN.

Note: This screen has no effect if the DHCP server is not enabled. You can enable it in ADVANCED > LAN Configuration > DHCP Setup.

Figure 13   ADVANCED > LAN Configuration > Static DHCP

The following table describes the labels in this screen.

Table 13   ADVANCED > LAN Configuration > Static DHCP
LABEL: DESCRIPTION
#: The number of the item in this list.
MAC Address: Enter the MAC address of the computer to which you want the OX253P to assign the same IP address.
IP Address: Enter the IP address you want the OX253P to assign to the computer.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
6.4  IP Static Route
Click ADVANCED > LAN Configuration > IP Static Route to look at the static routes configured in the OX253P.

Note: The first static route is the default route and cannot be modified or deleted.

Figure 14   Advanced > LAN Configuration > IP Static Route

The following table describes the icons in this screen.

Table 14   Advanced > LAN Configuration > IP Static Route
ICON: DESCRIPTION
Edit: Click to edit this item.
Delete: Click to delete this item.

The following table describes the labels in this screen.

Table 15   Advanced > LAN Configuration > IP Static Route
LABEL: DESCRIPTION
#: The number of the item in this list.
Name: This field displays the name that describes the static route.
Table 15   Advanced > LAN Configuration > IP Static Route (continued)
LABEL: DESCRIPTION
Active: This field shows whether this static route is active (Yes) or not (No).
Destination: This field displays the destination IP address(es) that this static route affects.
Gateway: This field displays the IP address of the gateway to which the OX253P should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Action: Click the Edit icon to modify this item. Click the Delete icon to remove this item.

6.4.1  IP Static Route Setup
Click an Edit icon in ADVANCED > LAN Configuration > IP Static Route to edit a static route in the OX253P.

Figure 15   Advanced > LAN Configuration > IP Static Route Setup > Edit

The following table describes the labels in this screen.

Table 16   Advanced > LAN Configuration > IP Static Route Setup > Edit
LABEL: DESCRIPTION
Route Name: Enter the name of the static route.
Active: Select this if you want the static route to be used. Clear this if you do not want the static route to be used.
Private: Select this if you do not want the OX253P to tell other routers about this static route. For example, you might select this if the static route is in your LAN. Clear this if you want the OX253P to tell other routers about this static route.
Destination IP Address: Enter one of the destination IP addresses that this static route affects.
Table 16   Advanced > LAN Configuration > IP Static Route Setup > Edit (continued)
LABEL: DESCRIPTION
IP Subnet Mask: Enter the subnet mask that defines the range of destination IP addresses that this static route affects. If this static route affects only one IP address, enter 255.255.255.255.
Gateway IP Address: Enter the IP address of the gateway to which the OX253P should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Metric: Usually, you should keep the default value. This field is related to RIP. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". The smaller the metric, the lower the "cost". RIP uses hop count as the measurement of cost, where 1 is for a directly-connected network. The metric must be 1-15; if you use a value higher than 15, the routers assume the link is down.
Apply: Click to save your changes.
Cancel: Click to return to the previous screen without saving your changes.

6.5  Other Settings
Click ADVANCED > LAN Configuration > Other Settings to set the RIP and Multicast options.

Figure 16   ADVANCED > LAN Configuration > Other Settings
The following table describes the labels in this screen.

Table 17   ADVANCED > LAN Configuration > Other Settings
LABEL: DESCRIPTION
RIP & Multicast Setup
RIP Direction: Use this field to control how much routing information the OX253P sends and receives on the subnet.
• None - The OX253P does not send or receive routing information on the subnet.
• Both - The OX253P sends and receives routing information on the subnet.
• In Only - The OX253P only receives routing information on the subnet.
• Out Only - The OX253P only sends routing information on the subnet.
RIP Version: Select which version of RIP the OX253P uses when it sends or receives information on the subnet.
• RIP-1 - The OX253P uses RIPv1 to exchange routing information.
• RIP-2B - The OX253P broadcasts RIPv2 to exchange routing information.
• RIP-2M - The OX253P multicasts RIPv2 to exchange routing information.
Multicast: You do not have to enable multicasting to use RIP-2M. (See RIP Version.) Select which version of IGMP the OX253P uses to support multicasting on the LAN. Multicasting sends packets to some computers on the LAN and is an alternative to unicasting (sending packets to one computer) and broadcasting (sending packets to every computer).
• None - The OX253P does not support multicasting.
• IGMP-v1 - The OX253P supports IGMP version 1.
• IGMP-v2 - The OX253P supports IGMP version 2.
Multicasting can improve overall network performance. However, it requires extra processing and generates more network traffic. In addition, other computers on the LAN have to support the same version of IGMP.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.

6.6  Technical Reference
The following section contains additional technical information about the OX253P features described in this chapter.
6.6.1  IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the OX253P. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your OX253P, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your OX253P will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the OX253P unless you are instructed to do otherwise.

6.6.2  DHCP Setup
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server.
You can configure the OX253P as a DHCP server or disable it. When configured as a server, the OX253P provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else each computer must be manually configured.

The OX253P is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product specifications in the appendices. Do not assign static IP addresses from the DHCP pool to your LAN computers.

These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), see Section 6.3 on page 56.
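The pool limit stated in Table 12 and the rule about keeping manually assigned addresses out of the DHCP pool can be checked before the settings are applied. The following Python is an added example, not ZyXEL code; the host names and their addresses are constructed, and the LAN values in the demo are the factory defaults listed in Section 6.6.3.

```python
import ipaddress


def max_pool_size(start):
    """Largest pool the device can serve from `start`.

    Table 12: the pool is limited as if the mask were 255.255.255.0,
    so it can never run past host .254 of the starting address's /24.
    """
    first = ipaddress.IPv4Address(start)
    host = int(first) & 0xFF
    if host in (0, 255):
        raise ValueError(f"{first} is reserved in its /24 and cannot start a pool")
    return 254 - host + 1


def dhcp_pool(start, pool_size):
    """Addresses actually handed out for a given start address and pool size."""
    if pool_size < 1:
        raise ValueError("pool size must be at least one")
    first = ipaddress.IPv4Address(start)
    count = min(pool_size, max_pool_size(start))
    return [first + i for i in range(count)]


def audit_lan(device_ip, pool_start, pool_size, static_hosts):
    """Return (kind, name, ip) findings for a planned LAN layout.

    static_hosts maps a host name to an address typed in by hand on that
    host (not a Static DHCP entry on the OX253P).
    """
    device = ipaddress.IPv4Address(device_ip)
    pool = set(dhcp_pool(pool_start, pool_size))
    findings = []

    if pool_size > max_pool_size(pool_start):
        # The requested size runs past .254; report where the pool really ends.
        findings.append(("pool-truncated", "dhcp", str(max(pool))))
    if device in pool:
        findings.append(("device-in-pool", "OX253P", str(device)))

    seen = {}
    for name, addr in static_hosts.items():
        ip = ipaddress.IPv4Address(addr)
        if ip == device:
            # Section 6.6.1: no other device may use the OX253P's address.
            findings.append(("clashes-with-device", name, str(ip)))
        elif ip in pool:
            # Section 6.6.2: do not assign static addresses from the DHCP pool.
            findings.append(("static-in-pool", name, str(ip)))
        if ip in seen:
            findings.append(("duplicate-static", name, str(ip)))
        seen.setdefault(ip, name)
    return findings


# Constructed inventory of manually configured hosts (illustrative only).
SAMPLE_STATIC_HOSTS = {
    "printer": "192.168.1.40",
    "nas": "192.168.1.1",
    "camera": "192.168.1.200",
    "tv": "192.168.1.200",
}

if __name__ == "__main__":
    print("Pool from 10.10.10.10 holds at most", max_pool_size("10.10.10.10"))
    for finding in audit_lan("192.168.1.1", "192.168.1.33", 32, SAMPLE_STATIC_HOSTS):
        print(finding)
```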
6.6.3  LAN TCP/IP
The OX253P has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

The LAN parameters of the OX253P are preset in the factory with the following values:
• IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
• DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.

These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), see Section 6.3 on page 56.

6.6.4  DNS Server Address
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask.

There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up. If your ISP gives you the DNS server addresses, enter them in the DNS Server fields in DHCP Setup, otherwise, leave them blank.

Some ISPs choose to pass the DNS servers using the DNS server extensions of PPP IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The OX253P supports the IPCP DNS server extensions through the DNS proxy feature.

If the Primary and Secondary DNS Server fields in the LAN Setup screen are not specified, for instance, left as 0.0.0.0, the OX253P tells the DHCP clients that it itself is the DNS server.
When a computer sends a DNS query to the OX253P, the OX253P forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.

Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances. If your ISP gives you explicit DNS servers, make sure that you enter their IP addresses in the LAN Setup screen. This way, the OX253P can pass the DNS servers to the computers and the computers can query the DNS server directly without the OX253P’s intervention.
6.6.5  RIP Setup
RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. When set to:
• Both - the OX253P will broadcast its routing table periodically and incorporate the RIP information that it receives.
• In Only - the OX253P will not send any RIP packets but will accept all RIP packets received.
• Out Only - the OX253P will send out RIP packets but will not accept any RIP packets received.
• None - the OX253P will not send any RIP packets and will ignore any RIP packets received.

The Version field controls the format and the broadcasting method of the RIP packets that the OX253P sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.

Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.

6.6.6  Multicast
Traditionally, IP packets are transmitted in one of two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.

IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255.
The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.

The OX253P supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the OX253P queries all directly connected networks to gather group membership. After that, the OX253P periodically updates this
information. IP multicasting can be enabled/disabled on the OX253P LAN and/or WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces.
CHAPTER 7
The WAN Configuration Screens

7.1  Overview
Use the ADVANCED > WAN Configuration screens to set up your OX253P’s Wide Area Network (WAN) or Internet features.

A Wide Area Network (or WAN) links geographically dispersed locations to other networks or the Internet. A WAN configuration can include switched and permanent telephone circuits, terrestrial radio systems and satellite systems.

7.1.1  What You Can Do in This Chapter
• The Internet Connection screen (Section 7.2 on page 68) lets you set up your OX253P’s Internet settings.
• The WiMAX Configuration screen (Section 7.3 on page 70) lets you set up the frequencies used by your OX253P.
• The Advanced screen (Section 7.5 on page 75) lets you configure your DNS server, RIP, Multicast and Windows Networking settings.

7.1.2  What You Need to Know
The following terms and concepts may help as you read through this chapter.

WiMAX
WiMAX (Worldwide Interoperability for Microwave Access) is the IEEE 802.16 wireless networking standard, which provides high-bandwidth, wide-range wireless service across wireless Metropolitan Area Networks (MANs).

In a wireless MAN, a wireless-equipped computer is known either as a mobile station (MS) or a subscriber station (SS). Mobile stations use the IEEE 802.16e standard and are able to maintain connectivity while switching their connection from one base station to another base station (handover) while subscriber stations use other standards that do not have this capability (IEEE 802.16-2004, for
example). The following figure shows an MS-equipped notebook computer MS1 moving from base station BS1’s coverage area and connecting to BS2.

Figure 17   WiMax: Mobile Station

WiMAX technology uses radio signals (around 2 to 10 GHz) to connect subscriber stations and mobile stations to local base stations. Numerous subscriber stations and mobile stations connect to the network through a single base station (BS), as in the following figure.

Figure 18   WiMAX: Multiple Mobile Stations

A base station's coverage area can extend over many hundreds of meters, even under poor conditions. A base station provides network access to subscriber stations and mobile stations, and communicates with other base stations.

The radio frequency and bandwidth of the link between the OX253P and the base station are controlled by the base station. The OX253P follows the base station’s configuration.
Authentication
When authenticating a user, the base station uses a third-party RADIUS or Diameter server known as an AAA (Authentication, Authorization and Accounting) server to authenticate the mobile or subscriber stations.

The following figure shows a base station using an AAA server to authenticate mobile station MS, allowing it to access the Internet.

Figure 19   Using an AAA Server

In this figure, the dashed arrow shows the PKM (Privacy Key Management) secured connection between the mobile station and the base station, and the solid arrow shows the EAP secured connection between the mobile station, the base station and the AAA server. See the WiMAX security appendix for more details.
7.2  Internet Connection
Click ADVANCED > WAN Configuration to set up your OX253P’s Internet settings.

Note: Not all OX253P models have all the fields shown here.

Figure 20   ADVANCED > WAN Configuration > Internet Connection

The following table describes the labels in this screen.

Table 18   ADVANCED > WAN Configuration > Internet Connection > ISP Parameters for Internet Access
LABEL: DESCRIPTION
ISP Parameters for Internet Access
User Name: Use this field to enter the username associated with your Internet access account. You can enter up to 61 printable ASCII characters.
Password: Use this field to enter the password associated with your Internet access account. You can enter up to 47 printable ASCII characters.
Table 18   ADVANCED > WAN Configuration > Internet Connection > ISP Parameters for Internet Access (continued)
LABEL: DESCRIPTION
Anonymous Identity: Enter the anonymous identity provided by your Internet Service Provider. Anonymous identity (also known as outer identity) is used with EAP-TTLS encryption. The anonymous identity is used to route your authentication request to the correct authentication server, and does not reveal your real user name. Your real user name and password are encrypted in the TLS tunnel, and only the anonymous identity can be seen. Leave this field blank if your ISP did not give you an anonymous identity to use.
PKM: This field displays the Privacy Key Management version number. PKM provides security between the OX253P and the base station. At the time of writing, the OX253P supports PKMv2 only. See the WiMAX security appendix for more information.
Authentication: This field displays the user authentication method. Authentication is the process of confirming the identity of a mobile station (by means of a username and password, for example). Check with your service provider if you are unsure of the correct setting for your account. Choose from the following user authentication methods:
• TTLS (Tunnelled Transport Layer Security)
• TLS (Transport Layer Security)
Note: Not all OX253Ps support TLS authentication. Check with your service provider for details.
TTLS Inner EAP: This field displays the type of secondary authentication method. Once a secure EAP-TTLS connection is established, the inner EAP is the protocol used to exchange security information between the mobile station, the base station and the AAA server to authenticate the mobile station.
See the WiMAX security appendix for more details. This field is available only when TTLS is selected in the Authentication field. The OX253P supports the following inner authentication types:
• CHAP (Challenge Handshake Authentication Protocol)
• MSCHAP (Microsoft CHAP)
• MSCHAPV2 (Microsoft CHAP version 2)
• PAP (Password Authentication Protocol)
Auth Mode: Select the authentication mode from the drop-down list box. This field is not available in all OX253Ps. Check with your service provider for details. The OX253P supports the following authentication modes:
• User Only
• Device Only with Cert
• Certs and User Authentication
Table 18   ADVANCED > WAN Configuration > Internet Connection > ISP Parameters for Internet Access (continued)
LABEL: DESCRIPTION
Certificate: This is the security certificate the OX253P uses to authenticate the AAA server. Use the TOOLS > > Trusted CAs screen to import certificates to the OX253P.
WAN IP Address Assignment
Get automatically from ISP (Default): Select this if you have a dynamic IP address. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.
Use Fixed IP Address: A static IP address is a fixed IP that your ISP gives you. Type your ISP assigned IP address in the IP Address field below.
IP Subnet Mask: Enter a subnet mask in dotted decimal notation. Refer to the appendices to calculate a subnet mask if you are implementing subnetting.
Gateway IP Address: Specify a gateway IP address (supplied by your ISP).
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.

7.3  WiMAX Configuration
Click ADVANCED > WAN Configuration > WiMAX Configuration to set up the frequencies used by your OX253P.

In a WiMAX network, a mobile or subscriber station must use a radio frequency supported by the base station to communicate. When the OX253P looks for a connection to a base station, it can search a range of frequencies.
Radio frequency is measured in Hertz (Hz).

Table 19   Radio Frequency Conversion
1 kHz = 1000 Hz
1 MHz = 1000 kHz (1000000 Hz)
1 GHz = 1000 MHz (1000000 kHz)

Figure 21   ADVANCED > WAN Configuration > WiMAX Configuration

The following table describes the labels in this screen.

Table 20   ADVANCED > WAN Configuration > WiMAX Configuration
LABEL: DESCRIPTION
DL Frequency / Bandwidth: These fields show the downlink frequency settings in kilohertz (kHz). Enter values in these fields to have the OX253P scan these frequencies for available channels in ascending numerical order.
Note: The Bandwidth field is not user-configurable; when the OX253P finds a WiMAX connection, its frequency is displayed in this field.
Contact your service provider for details of supported frequencies.
Table 20   ADVANCED > WAN Configuration > WiMAX Configuration (continued)
LABEL: DESCRIPTION
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.

7.3.1  Frequency Ranges
The following figure shows the OX253P searching a range of frequencies to find a connection to a base station.

Figure 22   Frequency Ranges

In this figure, A is the WiMAX frequency range. “WiMAX frequency range” refers to the entire range of frequencies the OX253P is capable of using to transmit and receive (see the Product Specifications appendix for details).

In the figure, B shows the operator frequency range. This is the range of frequencies within the WiMAX frequency range supported by your operator (service provider).

The operator range is subdivided into bandwidth steps. In the figure, each C is a bandwidth step.

The arrow D shows the OX253P searching for a connection.

Have the OX253P search only certain frequencies by configuring the downlink frequencies. Your operator can give you information on the supported frequencies.

The downlink frequencies are points of the frequency range your OX253P searches for an available connection. Use the Site Survey screen to set these bands. You can set the downlink frequencies anywhere within the WiMAX frequency range. In this example, the downlink frequencies have been set to search all of the operator range for a connection.
7.3.2  Configuring Frequency Settings
You need to set the OX253P to scan one or more specific radio frequencies to find an available connection to a WiMAX base station.

Use the WiMAX Frequency screen to define the radio frequencies to be searched for available wireless connections. See Section 7.3.3 on page 73 for an example of using the WiMAX Frequency screen.

Note: It may take several minutes for the OX253P to find a connection.

• The OX253P searches the DL Frequency settings in ascending numerical order, from [1] to [9].

Note: The Bandwidth field is not user-configurable; when the OX253P finds a WiMAX connection, its frequency is displayed in this field.

• If you enter a 0 in a DL Frequency field, the OX253P immediately moves on to the next DL Frequency field.
• When the OX253P connects to a base station, the values in this screen are automatically set to the base station’s frequency. The next time the OX253P searches for a connection, it searches only this frequency. If you want the OX253P to search other frequencies, enter them in the DL Frequency fields.

The following table describes some examples of DL Frequency settings.

Table 21   DL Frequency Example Settings
                   EXAMPLE 1   EXAMPLE 2
DL Frequency [1]   2500000     2500000
DL Frequency [2]   2550000     2550000
DL Frequency [3]   0           2600000
DL Frequency [4]   0           0
DL Frequency [5]   0           0
Example 1: The OX253P searches at 2500000 kHz, and then searches at 2550000 kHz if it has not found a connection.
Example 2: The OX253P searches at 2500000 kHz and then at 2550000 kHz if it has not found an available connection. If it still does not find an available connection, it searches at 2600000 kHz.

7.3.3  Using the WiMAX Frequency Screen
In this example, your Internet service provider has given you a list of supported frequencies: 2.51, 2.525, 2.6, and 2.625.

1  In the DL Frequency [1] field, enter 2510000 (2510000 kilohertz (kHz) is equal to 2.51 gigahertz).
2  In the DL Frequency [2] field, enter 2525000.
3  In the DL Frequency [3] field, enter 2600000.
4  In the DL Frequency [4] field, enter 2625000.

Leave the rest of the DL Frequency fields at zero. The screen appears as follows.

Figure 23   Completing the WiMAX Frequency Screen

5  Click Apply. The OX253P stores your settings.

When the OX253P searches for available frequencies, it scans all frequencies from DL Frequency [1] to DL Frequency [4]. When it finds an available connection, the fields in this screen will be automatically set to use that frequency.

7.4  Buzzer
Click ADVANCED > WAN Configuration > Buzzer to enable or disable the buzzer in the ODU. The buzzer beeps when the OX253P receives a signal from the connected base station.

Figure 24   ADVANCED > WAN Configuration > Buzzer
The following table describes the labels in this screen.

Table 22   ADVANCED > WAN Configuration > Buzzer
LABEL: DESCRIPTION
Enable Buzzer: Select this to turn on the buzzer in the outdoor unit (ODU). You may need to turn on the buzzer when you set up the ODU. The buzzer sounds a number of beeps based on the signal strength (the RSSI value) received from the base station.
• RSSI > -50: The five LEDs on the ODU light up and the buzzer sounds five beeps regularly.
• -50 > RSSI > -60: Four of the five LEDs on the ODU light up and the buzzer sounds four beeps regularly.
• -60 > RSSI > -70: Three of the five LEDs on the ODU light up and the buzzer sounds three beeps regularly.
• -70 > RSSI > -80: Two of the five LEDs on the ODU light up and the buzzer sounds two beeps regularly.
• -80 > RSSI > -90: One of the five LEDs on the ODU lights up and the buzzer sounds one beep regularly.
• -90 > RSSI - The buzzer does not sound.
Disable Buzzer: Select this to turn the buzzer off.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.

7.5  Advanced
Click ADVANCED > WAN Configuration > Advanced to configure your DNS server, RIP, Multicast and Windows Networking settings.

Figure 25   ADVANCED > WAN Configuration > Advanced
The following table describes the labels in this screen.

Table 23   ADVANCED > WAN Configuration > Advanced
LABEL: DESCRIPTION
DNS Servers
First, Second and Third DNS Server: Select Obtained from ISP if your ISP dynamically assigns DNS server information (and the OX253P's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right.
Select User Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User Defined, but leave the IP address set to 0.0.0.0, User Defined changes to None after you click Apply. If you set a second choice to User Defined, and enter the same IP address, the second User Defined changes to None after you click Apply.
Select None if you do not want to configure DNS servers. You must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured. If you do not configure a DNS server, you must know the IP address of a computer in order to access it.
Multicast Setup
Multicast: IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group. The OX253P supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it.
Windows Networking (NetBIOS over TCP/IP)
Allow between LAN and WAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
CHAPTER 8
The NAT Configuration Screens

8.1  Overview

Use these screens to configure port forwarding and trigger ports for the OX253P. You can also enable and disable SIP, FTP, and H.323 ALG.

Network Address Translation (NAT) maps a host’s IP address within one network to a different IP address in another network. For example, you can use a NAT router to map one IP address from your ISP to multiple private IP addresses for the devices in your home network.

8.1.1  What You Can Do in This Chapter

• The General screen (Section 8.2) lets you enable or disable NAT and allocate memory for NAT and firewall rules.
• The Port Forwarding screen (Section 8.3) lets you look at the current port-forwarding rules in the OX253P, and enable, disable, activate, and deactivate each one.
• The Trigger Port screen (Section 8.4) lets you maintain trigger port forwarding rules for the OX253P.
• The ALG screen (Section 8.5) lets you enable and disable SIP (VoIP), FTP (file transfer), and H.323 (audio-visual) ALG in the OX253P.

8.2  General

Click ADVANCED > NAT Configuration > General to enable or disable NAT and to allocate memory for NAT and firewall rules.

Figure 26   ADVANCED > NAT Configuration > General
The following table describes the labels in this screen.

Table 24   ADVANCED > NAT Configuration > General
LABEL | DESCRIPTION
Enable Network Address Translation | Select this if you want to use port forwarding, trigger ports, or any of the ALG.
Max NAT/Firewall Session Per User | When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet. Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/firewall sessions each client computer can establish through the OX253P. If your network has a small number of clients using peer to peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer to peer applications, you can lower this number to ensure no single client is using all of the available NAT sessions.
Apply | Click to save your changes.
Reset | Click to return to the previous screen without saving your changes.

8.3  Port Forwarding

A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.

Use the ADVANCED > NAT Configuration > Port Forwarding screen to forward incoming service requests to the server(s) on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.

In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded.
For example, let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.

Figure 27   Multiple Servers Behind NAT Example

8.3.1  Port Forwarding Options

Click ADVANCED > NAT Configuration > Port Forwarding to look at the current port-forwarding rules in the OX253P, and to enable, disable, activate, and deactivate each one. You can also set up a default server to handle ports not covered by rules.

Figure 28   ADVANCED > NAT Configuration > Port Forwarding
The following table describes the icons in this screen.

Table 25   Advanced > VPN Transport > Customer Interface
ICON | DESCRIPTION
Edit | Click to edit this item.
Delete | Click to delete this item.

The following table describes the labels in this screen.

Table 26   ADVANCED > NAT Configuration > Port Forwarding
LABEL | DESCRIPTION
Default Server Setup |
Default Server | Enter the IP address of the server to which the OX253P should forward packets for ports that are not specified in the Port Forwarding section below or in the TOOLS > Remote MGMT screens. Enter 0.0.0.0 if you want the OX253P to discard these packets instead.
Port Forwarding |
# | The number of the item in this list.
Active | Select this to enable this rule. Clear this to disable this rule.
Name | This field displays the name of the rule. It does not have to be unique.
Start Port | This field displays the beginning of the range of port numbers forwarded by this rule.
End Port | This field displays the end of the range of port numbers forwarded by this rule. If it is the same as the Start Port, only one port number is forwarded.
Server IP Address | This field displays the IP address of the server to which packets for the selected port(s) are forwarded.
Action | Click the Edit icon to set up a port forwarding rule or alter the configuration of an existing port forwarding rule. Click the Delete icon to remove an existing port forwarding rule.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.
8.3.2  Port Forwarding Rule Setup

Click a port forwarding rule’s Edit icon in the ADVANCED > NAT Configuration > Port Forwarding screen to activate, deactivate, or edit it.

Figure 29   ADVANCED > NAT Configuration > Port Forwarding > Rule Setup

The following table describes the labels in this screen.

Table 27   ADVANCED > NAT Configuration > Port Forwarding > Rule Setup
LABEL | DESCRIPTION
Active | Select this to enable this rule. Clear this to disable this rule.
Service Name | Enter a name to identify this rule. You can use 1 - 31 printable ASCII characters, or you can leave this field blank. It does not have to be a unique name.
Start Port, End Port | Enter the port number or range of port numbers you want to forward to the specified server. To forward one port number, enter the port number in the Start Port and End Port fields. To forward a range of ports:
• enter the port number at the beginning of the range in the Start Port field
• enter the port number at the end of the range in the End Port field.
Server IP Address | Enter the IP address of the server to which to forward packets for the selected port number(s). This server is usually on the LAN.
Apply | Click to save your changes.
Cancel | Click to return to the previous screen without saving your changes.
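The lookup that Sections 8.3 to 8.3.2 describe can be modelled to audit what a rule set actually exposes to the WAN. This is an added example, not code from the manual or the OX253P firmware: the LAN addresses for servers A and B are constructed, first-match ordering between overlapping rules is an assumption, and ports reserved by TOOLS > Remote MGMT are not modelled.

```python
"""Model of the Port Forwarding lookup: explicit rules first, then the default server."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DISCARD = "0.0.0.0"  # manual: a Default Server of 0.0.0.0 discards unmatched packets


@dataclass(frozen=True)
class ForwardRule:
    name: str            # need not be unique, per the manual
    start_port: int
    end_port: int        # equal to start_port forwards a single port
    server_ip: str
    active: bool = True

    def __post_init__(self) -> None:
        if not 1 <= self.start_port <= self.end_port <= 65535:
            raise ValueError(f"bad port range {self.start_port}-{self.end_port}")


def resolve(port: int, rules: List[ForwardRule],
            default_server: str = DISCARD) -> Optional[str]:
    """Return the LAN IP an inbound WAN packet to `port` reaches, or None if dropped."""
    for rule in rules:  # assumption: the first active matching rule wins
        if rule.active and rule.start_port <= port <= rule.end_port:
            return rule.server_ip
    return None if default_server == DISCARD else default_server


def exposure(rules: List[ForwardRule],
             default_server: str = DISCARD) -> Dict[str, int]:
    """Count how many WAN-facing ports end up at each LAN host."""
    reach: Dict[str, int] = {}
    for port in range(1, 65536):
        target = resolve(port, rules, default_server)
        if target is not None:
            reach[target] = reach.get(target, 0) + 1
    return reach


def overlaps(rules: List[ForwardRule]) -> List[Tuple[str, str]]:
    """Pairs of active rules whose ranges intersect (the later rule is partly shadowed)."""
    active = [r for r in rules if r.active]
    return [(a.name, b.name)
            for i, a in enumerate(active) for b in active[i + 1:]
            if a.start_port <= b.end_port and b.start_port <= a.end_port]


# Constructed LAN addresses for servers A and B from the manual's example;
# 192.168.1.35 is the manual's default server C.
RULES = [
    ForwardRule("ftp-telnet-smtp", 21, 25, "192.168.1.33"),
    ForwardRule("web", 80, 80, "192.168.1.34"),
]

if __name__ == "__main__":
    for label, default in (("default server set", "192.168.1.35"),
                           ("default server 0.0.0.0", DISCARD)):
        print(label, exposure(RULES, default))
```

With a default server configured, every port not claimed by a rule reaches that one host, so the per-host counts from `exposure` are the quickest way to see how much of the WAN-facing port space a configuration opens.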
8.4  Trigger Port

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address.

Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The OX253P records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger" port). When the OX253P's WAN port receives a response with a specific port number and protocol ("incoming" port), the OX253P forwards the traffic to the LAN IP address of the computer that sent the request. After that computer’s connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.

Click ADVANCED > NAT Configuration > Trigger Port to maintain trigger port forwarding rules for the OX253P.

Figure 30   ADVANCED > NAT Configuration > Trigger Port
The following table describes the labels in this screen.

Table 28   ADVANCED > NAT Configuration > Trigger Port
LABEL | DESCRIPTION
# | The number of the item in this list.
Name | Enter a name to identify this rule. You can use 1 - 15 printable ASCII characters, or you can leave this field blank. It does not have to be a unique name.
Incoming Start Port, End Port | Enter the incoming port number or range of port numbers you want to forward to the IP address the OX253P records. To forward one port number, enter the port number in the Start Port and End Port fields. To forward a range of ports:
• enter the port number at the beginning of the range in the Start Port field
• enter the port number at the end of the range in the End Port field.
If you want to delete this rule, enter zero in the Start Port and End Port fields.
Trigger Start Port, End Port | Enter the outgoing port number or range of port numbers that makes the OX253P record the source IP address and assign it to the selected incoming port number(s). To select one port number, enter the port number in the Start Port and End Port fields. To select a range of ports:
• enter the port number at the beginning of the range in the Start Port field
• enter the port number at the end of the range in the End Port field.
If you want to delete this rule, enter zero in the Start Port and End Port fields.
Apply | Click to save your changes.
Reset | Click to return to the previous screen without saving your changes.
8.4.1  Trigger Port Forwarding Example

The following is an example of trigger port forwarding. In this example, J is Jane’s computer and S is the Real Audio server.

Figure 31   Trigger Port Forwarding Example

1. Jane requests a file from the Real Audio server (port 7070).
2. Port 7070 is a “trigger” port and causes the OX253P to record Jane’s computer IP address. The OX253P associates Jane's computer IP address with the "incoming" port range of 6970-7170.
3. The Real Audio server responds using a port number ranging between 6970-7170.
4. The OX253P forwards the traffic to Jane’s computer IP address.
5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The OX253P times out in three minutes with UDP (User Datagram Protocol), or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).

Two points to remember about trigger ports:

1. Trigger events only happen on data that is coming from inside the OX253P and going to the outside.
2. If an application needs a continuous data stream, that port (range) will be tied up so that another computer on the LAN can’t trigger it.
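The Real Audio walk-through above, as a small state machine that also shows how wide an inbound window a trigger opens and for how long. This is an added example, not the OX253P's firmware logic: the LAN addresses are constructed, and restarting the timer on every forwarded packet is an assumption (the manual gives only the timeout values).

```python
"""Model of trigger port forwarding as the manual describes it."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Manual: a binding times out after three minutes with UDP, two hours with TCP.
TIMEOUT_S = {"udp": 3 * 60, "tcp": 2 * 60 * 60}


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger: Tuple[int, int]    # outgoing (LAN to WAN) port range that arms the rule
    incoming: Tuple[int, int]   # WAN-side port range forwarded once armed


@dataclass
class Binding:
    lan_ip: str
    proto: str
    last_seen: float


class TriggerPortNat:
    def __init__(self, rules: List[TriggerRule]) -> None:
        self.rules = list(rules)
        # Keyed by rule index, because rule names need not be unique.
        self.bindings: Dict[int, Binding] = {}

    def _live(self, idx: int, now: float) -> Optional[Binding]:
        """Return the rule's binding, dropping it first if it has timed out."""
        b = self.bindings.get(idx)
        if b is not None and now - b.last_seen >= TIMEOUT_S[b.proto]:
            del self.bindings[idx]
            return None
        return b

    def outbound(self, lan_ip: str, dst_port: int, proto: str, now: float) -> bool:
        """LAN to WAN packet. True if lan_ip owns a triggered rule afterwards."""
        if proto not in TIMEOUT_S:
            raise ValueError(f"unsupported protocol {proto!r}")
        owns = False
        for idx, rule in enumerate(self.rules):
            if not rule.trigger[0] <= dst_port <= rule.trigger[1]:
                continue
            b = self._live(idx, now)
            if b is None:                      # free: record this host
                self.bindings[idx] = Binding(lan_ip, proto, now)
                owns = True
            elif b.lan_ip == lan_ip:           # owner keeps the rule alive
                b.last_seen = now
                owns = True
            # otherwise another host holds the rule and this trigger is ignored
        return owns

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """WAN to LAN packet. Return the LAN IP it is forwarded to, or None."""
        for idx, rule in enumerate(self.rules):
            if rule.incoming[0] <= dst_port <= rule.incoming[1]:
                b = self._live(idx, now)
                if b is not None:
                    b.last_seen = now          # assumption: traffic restarts the timer
                    return b.lan_ip
        return None

    def open_ports(self, now: float) -> Dict[str, int]:
        """Number of WAN-facing ports currently forwarded to each LAN host."""
        exposed: Dict[str, int] = {}
        for idx, rule in enumerate(self.rules):
            b = self._live(idx, now)
            if b is not None:
                width = rule.incoming[1] - rule.incoming[0] + 1
                exposed[b.lan_ip] = exposed.get(b.lan_ip, 0) + width
        return exposed


if __name__ == "__main__":
    nat = TriggerPortNat([TriggerRule("real-audio", (7070, 7070), (6970, 7170))])
    jane = "192.168.1.33"                      # constructed address
    print(nat.inbound(7000, 0))                # None: nothing triggered yet
    print(nat.outbound(jane, 7070, "udp", 0))  # True: Jane arms the rule
    print(nat.inbound(7000, 10), nat.open_ports(10))
```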
8.5  ALG

Some applications, such as SIP, cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload. Some NAT routers may include a SIP Application Layer Gateway (ALG). An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream.

Click ADVANCED > NAT Configuration > ALG to enable and disable SIP (VoIP), FTP (file transfer), and H.323 (audio-visual) ALG in the OX253P.

Figure 32   ADVANCED > NAT Configuration > ALG

The following table describes the labels in this screen.

Table 29   ADVANCED > NAT Configuration > ALG
LABEL | DESCRIPTION
Enable SIP ALG | Select this to make sure SIP (VoIP) works correctly with port-forwarding and port-triggering rules.
Enable FTP ALG | Select this to make sure FTP (file transfer) works correctly with port-forwarding and port-triggering rules.
Enable H.323 ALG | Select this to make sure H.323 (audio-visual programs, such as NetMeeting) works correctly with port-forwarding and port-triggering rules.
Apply | Click to save your changes.
Cancel | Click to return to the previous screen without saving your changes.
CHAPTER 9
The System Configuration Screens

9.1  Overview

Click ADVANCED > System Configuration to set up general system settings, change the system mode, change the password, configure the DDNS server settings, and set the current date and time.

9.1.1  What You Can Do in This Chapter

• The General screen (Section 9.2) lets you change the OX253P’s mode, set up its system name, domain name, idle timeout, and administrator password.
• The Dynamic DNS screen (Section 9.3) lets you set up the OX253P as a dynamic DNS client.
• The Firmware screen (Section 9.4) lets you upload new firmware to the OX253P.
• The Configuration screen (Section 9.5) lets you back up or restore the configuration of the OX253P.
• The Restart screen (Section 9.6) lets you restart your OX253P from within the web configurator.

9.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

System Name

The System Name is often used for identification purposes. Because some ISPs check this name you should enter your computer's "Computer Name".

• In Windows 2000: Click Start > Settings > Control Panel and then double-click the System icon. Select the Network Identification tab and then click the Properties button. Note the entry for the Computer Name field and enter it as the System Name.
• In Windows XP: Click Start > My Computer > View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the OX253P System Name.

Domain Name

The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the OX253P via DHCP.

DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

The OX253P can get the DNS server addresses in the following ways:

1. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the SYSTEM General screen.
2. If the ISP did not give you DNS server information, leave the DNS Server fields in the SYSTEM General screen set to 0.0.0.0 for the ISP to dynamically assign the DNS server IP addresses.
9.2  General

Click ADVANCED > System Configuration > General to change the OX253P’s mode, set up its system name, domain name, idle timeout, and administrator password.

Figure 33   ADVANCED > System Configuration > General

The following table describes the labels in this screen.

Table 30   ADVANCED > System Configuration > General
LABEL | DESCRIPTION
System Setup |
System Name | Enter your computer's "Computer Name". This is for identification purposes, but some ISPs also check this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted.
Domain Name | Enter the domain name entry that is propagated to DHCP clients on the LAN. If you leave this blank, the domain name obtained from the ISP is used. Use up to 38 alphanumeric characters. Spaces are not allowed, but dashes “-” and periods "." are accepted.
Administrator Inactivity Timer | Enter the number of minutes a management session can be left idle before the session times out. After it times out, you have to log in again. A value of "0" means a management session never times out, no matter how long it has been left idle. This is not recommended. Long idle timeouts may have security risks. The default is five minutes.
Password Setup |
Old Password | Enter the current password you use to access the OX253P.
New Password | Enter the new password for the OX253P. You can use up to 30 characters. As you type the password, the screen displays an asterisk (*) for each character you type.
Table 30   ADVANCED > System Configuration > General (continued)
LABEL | DESCRIPTION
Retype to Confirm | Enter the new password again.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

9.3  Dynamic DNS

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.

First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.

Note: If you have a private WAN IP address, then you cannot use Dynamic DNS.
Click ADVANCED > System Configuration > Dynamic DNS to set up the OX253P as a dynamic DNS client.

Figure 34   ADVANCED > System Configuration > Dynamic DNS

The following table describes the labels in this screen.

Table 31   ADVANCED > System Configuration > Dynamic DNS
LABEL | DESCRIPTION
Dynamic DNS Setup |
Enable Dynamic DNS | Select this to use dynamic DNS.
Service Provider | Select the name of your Dynamic DNS service provider.
Dynamic DNS Type | Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Name | Enter the host name. You can specify up to two host names, separated by a comma (",").
User Name | Enter your user name.
Password | Enter the password assigned to you.
Enable Wildcard Option | Select this to enable the DynDNS Wildcard feature.
Enable offline option | This field is available when CustomDNS is selected in the DDNS Type field. Select this if your Dynamic DNS service provider redirects traffic to a URL that you can specify while you are off line. Check with your Dynamic DNS service provider.
Table 31   ADVANCED > System Configuration > Dynamic DNS (continued)
LABEL | DESCRIPTION
IP Address Update Policy |
Use WAN IP Address | Select this if you want the OX253P to update the domain name with the WAN port's IP address.
Dynamic DNS server auto detect IP address | Select this if you want the DDNS server to update the IP address of the host name(s) automatically. Select this option when there are one or more NAT routers between the OX253P and the DDNS server. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the OX253P and the DDNS server.
Use specified IP address | Select this if you want to use the specified IP address with the host name(s). Then, specify the IP address. Use this option if you have a static IP address.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

9.4  Firmware

Click ADVANCED > System Configuration > Firmware to upload new firmware to the OX253P. Firmware files usually use the system model name with a "*.bin" extension, such as "OX253P.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.

Contact your service provider for information on available firmware upgrades.

Note: Only use firmware for your OX253P’s specific model.

Figure 35   ADVANCED > System Configuration > Firmware

The following table describes the labels in this screen.

Table 32   ADVANCED > System Configuration > Firmware
LABEL | DESCRIPTION
File Path | Enter the location of the *.bin file you want to upload, or click Browse... to find it. You must decompress compressed (.zip) files before you can upload them.
Table 32   ADVANCED > System Configuration > Firmware (continued)
LABEL | DESCRIPTION
Browse... | Click this to find the *.bin file you want to upload.
Upload | Click this to begin uploading the selected file. This may take up to two minutes. Note: Do not turn off the device while firmware upload is in progress!

9.4.1  The Firmware Upload Process

When the OX253P uploads new firmware, the process usually takes about two minutes. The device also automatically restarts in this time. This causes a temporary network disconnect.

Note: Do not turn off the device while firmware upload is in progress!

After two minutes, log in again, and check your new firmware version in the Status screen. You might have to open a new browser window to log in.

If the upload is not successful, you will be notified by an error message. Click Return to go back to the Firmware screen.

9.5  Configuration

Click ADVANCED > System Configuration > Configuration to back up or restore the configuration of the OX253P. You can also use this screen to reset the OX253P to the factory default settings.

Figure 36   ADVANCED > System Configuration > Configuration
The following table describes the labels in this screen.

Table 33   ADVANCED > System Configuration > Configuration
LABEL | DESCRIPTION
Backup Configuration |
Backup | Click this to save the OX253P’s current configuration to a file on your computer. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file is useful if you need to return to your previous settings.
Restore Configuration |
File Path | Enter the location of the file you want to upload, or click Browse... to find it.
Browse | Click this to find the file you want to upload.
Upload | Click this to restore the selected configuration file. Note: Do not turn off the device while configuration file upload is in progress.
Back to Factory Defaults |
Reset | Click this to clear all user-entered configuration information and return the OX253P to its factory defaults. There is no warning screen.

9.5.1  The Restore Configuration Process

When the OX253P restores a configuration file, the device automatically restarts. This causes a temporary network disconnect.

Note: Do not turn off the device while configuration file upload is in progress.

If the OX253P’s IP address is different in the configuration file you selected, you may need to change the IP address of your computer to be in the same subnet as that of the default management IP address (192.168.5.1). See the Quick Start Guide or the appendices for details on how to set up your computer’s IP address.

You might have to open a new browser to log in again.

If the upload was not successful, you are notified by a Configuration Upload Error message. Click Return to go back to the Configuration screen.
9.6  Restart

Click ADVANCED > System Configuration > Restart to reboot the OX253P without turning the power off.

Note: Restarting the OX253P does not affect its configuration.

Figure 37   ADVANCED > System Configuration > Restart

The following table describes the labels in this screen.

Table 34   ADVANCED > System Configuration > Firmware
LABEL | DESCRIPTION
Restart | Click this button to have the device perform a software restart. The Power LED blinks as it restarts and then shines steadily if the restart is successful. Note: Wait one minute before logging back into the OX253P after a restart.

9.6.1  The Restart Process

When you click Restart, the process usually takes about two minutes. Once the restart is complete you can log in again.

9.7  Bridge

Click ADVANCED > System Configuration > Bridge to switch the OX253P between the bridge or router mode. You may need the bridge mode when you need to use VLAN applications in your network.

Figure 38   ADVANCED > System Configuration > Bridge
The following table describes the labels in this screen.

Table 35   ADVANCED > System Configuration > Bridge
LABEL | DESCRIPTION
Bridge Mode | Select this to switch to the bridge mode for the OX253P.
Router Mode | Select this to switch to the router mode for the OX253P.
Apply | Click to save your change.
CHAPTER 10
The Certificates Screens

10.1  Overview

Use the TOOLS > Certificates screens to manage public key certificates on the OX253P.

The OX253P can use public key certificates (also sometimes called “digital IDs”) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.

Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions (to name a few) receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on his site to be issued to all visiting web browsers to let them know that the site is legitimate.

10.1.1  What You Can Do in This Chapter

• The My Certificates screen (Section 10.2) lets you generate and export self-signed certificates or certification requests and import the OX253P’s CA-signed certificates.
• The Trusted CAs screen (Section 10.3) lets you display a summary list of certificates of the certification authorities that you have set the OX253P to accept as trusted.

10.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

Certificate Authorities

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the OX253P to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

10.2  My Certificates

Click TOOLS > Certificates > My Certificates to access this screen. Use this screen to generate and export self-signed certificates or certification requests and import the OX253P’s CA-signed certificates.

Figure 39   TOOLS > Certificates > My Certificates

The following table describes the icons in this screen.

Table 36   TOOLS > Certificates > My Certificates
ICON | DESCRIPTION
Edit | Click to edit this item.
Export | Click to export an item.
Delete | Click to delete this item.

The following table describes the labels in this screen.

Table 37   TOOLS > Certificates > My Certificates
LABEL | DESCRIPTION
PKI Storage Space in Use | This bar displays the percentage of the OX253P’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
# | The number of the item in this list.
Name | This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Table 37   TOOLS > Certificates > My Certificates (continued)
LABEL | DESCRIPTION
Type | This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. *SELF represents the default self-signed certificate which signs the imported remote host certificates. CERT represents a certificate issued by a certification authority.
Subject | This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer | This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From | This field displays the date that the certificate becomes applicable.
Valid To | This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
Action | Click the Edit icon to open a screen with an in-depth list of information about the certificate. Click the Export icon to save a copy of the certificate without its private key. Browse to the location you want to use and click Save. Click the Delete icon to remove a certificate. A window displays asking you to confirm that you want to delete the certificate. Subsequent certificates move up by one when you take this action. The OX253P keeps all of your certificates unless you specifically delete them. Uploading new firmware or default configuration file does not delete your certificates. You cannot delete certificates that any of the OX253P’s features are configured to use.
Import | Click to import a certificate into the OX253P.
Create | Click to go to the screen where you can have the OX253P generate a certificate or a certification request.
Refresh | Click to display the current validity status of the certificates.
10.2.1  My Certificates Create

Click TOOLS > Certificates > My Certificates and then the Create icon to open the My Certificates Create screen. Use this screen to have the OX253P create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.

Figure 40   TOOLS > Certificates > My Certificates > Create
 Chapter 10The Certificates ScreensOX253P User’s Guide 101The following table describes the labels in this screen. Table 38   TOOLS > Certificates > My Certificates > CreateLABEL DESCRIPTIONCertificate NameType a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.Subject Information Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.Common Name Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address is for identification purposes only and can be any string.A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.An e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.Organizational UnitIdentify the organizational unit or department to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.OrganizationIdentify the company or group to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.CountryIdentify the state in which the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.Key LengthSelect a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. 
A longer key also uses more PKI storage space.
Enrollment Options: These radio buttons deal with how and when the certificate is to be generated.
Create a self-signed certificate: Select Create a self-signed certificate to have the OX253P generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
Create a certification request and save it locally for later manual enrollment: Select Create a certification request and save it locally for later manual enrollment to have the OX253P generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the certification request from the My Certificate Details screen and then send it to the certification authority.
Create a certification request and enroll for a certificate immediately online: Select Create a certification request and enroll for a certificate immediately online to have the OX253P generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority’s certificate already imported in the Trusted CAs screen. When you select this option, you must select the certification authority’s enrollment protocol and the certification authority’s certificate from the drop-down list boxes and enter the certification authority’s server address. You also need to fill in the Reference Number and Key if the certification authority requires them.
Enrollment Protocol: This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
CA Server Address: This field applies when you select Create a certification request and enroll for a certificate immediately online. Enter the IP address (or URL) of the certification authority server. For a URL, you can use up to 511 of the following characters. a-zA-Z0-9'()+,/:.=?;!*#@$_%-
CA Certificate: This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority’s certificate from the CA Certificate drop-down list box. You must have the certification authority’s certificate already imported in the Trusted CAs screen.
Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the OX253P's list of certificates of trusted certification authorities.
Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses CMP enrollment protocol. Just the Key field displays if your certification authority uses the SCEP enrollment protocol. For the reference number, use 0 to 99999999. For the key, use up to 31 of the following characters. a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=-
Apply: Click to save your changes.
Cancel: Click to return to the previous screen without saving your changes.

If you configured the My Certificate Create screen to have the OX253P enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the OX253P to enroll a certificate online.
10.2.2  My Certificate Edit

Click TOOLS > Certificates > My Certificates then the Edit icon to access this screen. Use this screen to view in-depth certificate information and change the certificate’s name.

Figure 41   TOOLS > Certificates > My Certificates > Edit

The following table describes the labels in this screen.

Table 39   TOOLS > Certificates > My Certificates > Edit
LABEL: DESCRIPTION
Name: This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Property: Select Default self-signed certificate which signs the imported remote host certificates to use this certificate to sign the remote host certificates you upload in the TOOLS > Certificates > Trusted CAs screen.
Certification Path: This field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The OX253P does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh: Click to display the certification path.
Certification Information
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate’s identification number given by the certification authority or generated by the OX253P.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. “none” displays for a certification request.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate.
The OX253P uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. “none” displays for a certification request.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the OX253P uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. This field does not display for a certification request.
MD5 Fingerprint: This is the certificate’s message digest that the OX253P calculated using the MD5 algorithm.
SHA1 Fingerprint: This is the certificate’s message digest that the OX253P calculated using the SHA1 algorithm.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority’s web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
Apply: Click to save your changes.
Cancel: Click to return to the previous screen without saving your changes.
10.2.3  My Certificate Import

Click TOOLS > Certificates > My Certificates > Import to access this screen. Use this screen to import a certificate that matches a corresponding certification request that was generated by the OX253P. You must remove any spaces from the certificate’s filename before you can import it.

Figure 42   TOOLS > Certificates > My Certificates > Import

The following table describes the labels in this screen.

Table 40   TOOLS > Certificates > My Certificates > Import
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the OX253P.
Browse: Click to find the certificate file you want to upload.
Apply: Click to save your changes.
Cancel: Click to return to the previous screen without saving your changes.
10.3  Trusted CAs

Click TOOLS > Certificates > Trusted CAs to access this screen. Use this screen to display a summary list of certificates of the certification authorities that you have set the OX253P to accept as trusted. The OX253P accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.

Figure 43   TOOLS > Certificates > Trusted CAs

The following table describes the icons in this screen.

Table 41   TOOLS > Certificates > Trusted CAs
ICON: DESCRIPTION
Edit: Click to edit this item.
Export: Click to export an item.
Delete: Click to delete this item.

The following table describes the labels in this screen.

Table 42   TOOLS > Certificates > Trusted CAs
LABEL: DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the OX253P’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
#: The number of the item in this list.
Name: This field displays the name used to identify this certificate.
Subject: This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
CRL Issuer: This field displays Yes if the certification authority issues CRL (Certificate Revocation Lists) for the certificates that it has issued and you have selected the Check incoming certificates issued by this CA against a CRL check box in the certificate’s details screen to have the OX253P check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays No.
Action: Click the Edit icon to open a screen with an in-depth list of information about the certificate. Use the Export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. Click the Delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the OX253P.
Refresh: Click this button to display the current validity status of the certificates.
10.3.1  Trusted CA Edit

Click TOOLS > Certificates > Trusted CAs and then click the Edit icon to open the Trusted CAs screen. Use this screen to view in-depth certificate information and change the certificate’s name.

Figure 44   TOOLS > Certificates > Trusted CAs > Edit

The following table describes the labels in this screen.

Table 43   TOOLS > Certificates > Trusted CAs > Edit
LABEL: DESCRIPTION
Name: This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Property: Select Default self-signed certificate which signs the imported remote host certificates to use this certificate to sign the remote host certificates you upload in the TOOLS > Certificates > Trusted CAs screen.
Certification Path: This field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The OX253P does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh: Click Refresh to display the certification path.
Certification Information
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate’s identification number given by the certification authority or generated by the OX253P.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. “none” displays for a certification request.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate.
The OX253P uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. “none” displays for a certification request.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the OX253P uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. This field does not display for a certification request.
MD5 Fingerprint: This is the certificate’s message digest that the OX253P calculated using the MD5 algorithm.
SHA1 Fingerprint: This is the certificate’s message digest that the OX253P calculated using the SHA1 algorithm.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority’s web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
Apply: Click to save your changes.
Cancel: Click to return to the previous screen without saving your changes.
10.3.2  Trusted CA Import

Click TOOLS > Certificates > Trusted CAs and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority’s certificate from a computer to the OX253P. The OX253P trusts any valid certificate signed by any of the imported trusted CA certificates.

Note: You must remove any spaces from the certificate’s filename before you can import the certificate.

Figure 45   TOOLS > Certificates > Trusted CAs > Import

The following table describes the labels in this screen.

Table 44   TOOLS > Certificates > Trusted CAs Import
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Choose...: Click to find the certificate file you want to upload.
Apply: Click to save your changes.
Cancel: Click to return to the previous screen without saving your changes.

10.4  Technical Reference

The following section contains additional technical information about the OX253P features described in this chapter.
10.4.1  Certificate Authorities

When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.

These keys work like a handwritten signature (in fact, certificates are often referred to as “digital signatures”). Only you can write your signature exactly as it ought to look. When people know what your signature ought to look like, they can verify whether something was signed by you, or by someone else. In the same way, your private key “writes” your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.

1. Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2. Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3. Tim uses his private key to sign the message and sends it to Jenny.
4. Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and she knows that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key).
5. Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.

The OX253P uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection.
For example, a VPN tunnel might use the triple DES encryption algorithm.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The OX253P does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The OX253P can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).

10.4.1.1  Advantages of Certificates

Certificates offer the following benefits.

• The OX253P only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

10.4.1.2  Self-signed Certificates

You can have the OX253P act as a certification authority and sign its own certificates.

10.4.1.3  Factory Default Certificate

The OX253P generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.

10.4.1.4  Certificate File Formats

Any certificate that you want to import has to be in one of these file formats:

• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The OX253P currently allows the importation of a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.

Note: Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.
10.4.2  Verifying a Certificate

Before you import a certificate into the OX253P, you should verify that you have the correct certificate. This is especially true of trusted certificates since the OX253P also trusts any valid certificate signed by any of the imported trusted certificates.

10.4.2.1  Checking the Fingerprint of a Certificate on Your Computer

A certificate’s fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate.

1. Browse to where you have the certificate saved on your computer.
2. Make sure that the certificate has a “.cer” or “.crt” file name extension. (On some Linux distributions, the file extension may be “.der”.) Add the file name extension manually if the file does not have any.

Figure 46   Remote Host Certificates
3. Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Figure 47   Certificate Details

4. Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
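
The fingerprint check in 10.4.2.1 and the file formats in 10.4.1.4 can also be exercised with a short script. The Python below is an added example, not part of the ZyXEL manual or the OX253P firmware; all function names and the sample blob are constructed for illustration, and binary input is assumed to hold a single X.509 certificate. It accepts binary or PEM input, rejects a binary file that was converted to text during transfer, and compares the MD5 or SHA1 fingerprint with the thumbprint obtained from the certificate owner.

```python
"""Fingerprint a certificate file (binary X.509 or PEM) and compare it with a
thumbprint received from the certificate owner. Standard library only."""
import base64
import binascii
import hashlib
import hmac
import re

# One PEM block: captures the label and the Base-64 body between the markers.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_length_ok(der: bytes) -> bool:
    """True if the blob is one DER SEQUENCE whose declared length equals its size."""
    if len(der) < 2 or der[0] != 0x30:            # a certificate starts with SEQUENCE
        return False
    first = der[1]
    if first < 0x80:                              # short form: one length byte
        header, body_len = 2, first
    else:                                         # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body_len == len(der)


def load_der(data: bytes):
    """Return ("PEM" | "binary", der_bytes); raise ValueError for damaged input."""
    match = PEM_RE.search(data)
    if match:
        if match.group(1) != b"CERTIFICATE":
            raise ValueError("PEM block is not a certificate: " + match.group(1).decode())
        try:
            # Whitespace (LF or CRLF line ends) is not part of the Base-64 data.
            der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"PEM body is not valid Base-64: {exc}") from None
        fmt = "PEM"
    else:
        fmt, der = "binary", data
    if not der_length_ok(der):
        raise ValueError("DER length mismatch: truncated file or binary-to-text conversion")
    return fmt, der


def fingerprints(der: bytes) -> dict:
    """MD5 and SHA1 digests of the DER bytes, the two fingerprints the manual lists."""
    return {"md5": hashlib.md5(der).hexdigest(), "sha1": hashlib.sha1(der).hexdigest()}


def display(hexdigest: str) -> str:
    """Format a digest as colon-separated upper-case byte pairs."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


def thumbprint_matches(der: bytes, algorithm: str, thumbprint: str) -> bool:
    """Compare a thumbprint as read out by the owner (any spacing or case)."""
    name = re.sub(r"[^a-z0-9]", "", algorithm.lower())      # "SHA-1" -> "sha1"
    if name not in ("md5", "sha1"):
        raise ValueError(f"unsupported thumbprint algorithm: {algorithm}")
    expected = re.sub(r"[^0-9a-f]", "", thumbprint.lower())  # drop spaces and colons
    return hmac.compare_digest(fingerprints(der)[name], expected)


def constructed_der() -> bytes:
    """Constructed stand-in for a certificate: a DER SEQUENCE with arbitrary content."""
    body = bytes(range(256)) + b"constructed sample, not a real certificate\n"
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM certificate markers."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der = constructed_der()
    samples = (("binary", der), ("PEM", to_pem(der)),
               ("PEM sent in text mode", to_pem(der).replace(b"\n", b"\r\n")))
    for label, blob in samples:
        fmt, decoded = load_der(blob)
        print(f"{label}: {fmt}, SHA1 {display(fingerprints(decoded)['sha1'])}")
    try:
        load_der(der.replace(b"\n", b"\r\n"))     # binary file converted to text in transit
    except ValueError as exc:
        print("binary sent in text mode:", exc)
```

The PEM copy survives a text-mode transfer with the same fingerprint, while the binary copy fails the length check before any fingerprint is computed.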
CHAPTER 11 The Firewall Screens

11.1  Overview

Use the TOOLS > Firewall screens to manage the OX253P’s firewall security measures.

Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem.

A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself.

11.1.1  What You Can Do in This Chapter

• The Firewall Setting screen (Section 11.2 on page 120) lets you configure the basic settings for your firewall.
• The Service Setting screen (Section 11.3 on page 123) lets you enable service blocking, set up the date and time service blocking is effective, and maintain the list of services you want to block.

11.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

About the OX253P Firewall

The OX253P firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The OX253P's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet.
The OX253P can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.

The OX253P is installed between the LAN and a WiMAX base station connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.

The OX253P has one Ethernet (LAN) port. The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, “inbound access” is not allowed (by default) unless the remote host is authorized to use a specific service.

11.2  Firewall Setting

This section describes firewalls and the built-in OX253P’s firewall features.

11.2.1  Firewall Rule Directions

Figure 48   Firewall Rule Directions

LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet.

You can block certain LAN-to-WAN traffic in the Services screen (click the Services tab). All services displayed in the Blocked Services list box are LAN-to-WAN firewall rules that block those services originating from the LAN.

Blocked LAN-to-WAN packets are considered alerts. Alerts are “higher priority logs” that include system errors, attacks and attempted access to blocked web sites. Alerts appear in red in the View Log screen. You may choose to have alerts e-mailed immediately in the Log Settings screen.
LAN-to-LAN/OX253P means the LAN to the OX253P LAN interface. This is always allowed, as this is how you manage the OX253P from your local computer.

WAN-to-LAN rules are Internet to your local network firewall rules. The default is to block all traffic from the Internet to your local network.

How can you forward certain WAN to LAN traffic? You may allow traffic originating from the WAN to be forwarded to the LAN by:

• Configuring NAT port forwarding rules.
• Configuring WAN or LAN & WAN access for services in the Remote MGMT screens or SMT menus. When you allow remote management from the WAN, you are actually configuring WAN-to-WAN/OX253P firewall rules.

WAN-to-WAN/OX253P firewall rules are Internet to the OX253P WAN interface firewall rules. The default is to block all such traffic. When you decide what WAN-to-LAN packets to log, you are in fact deciding what WAN-to-LAN and WAN-to-WAN/OX253P packets to log.

Forwarded WAN-to-LAN packets are not considered alerts.

11.2.2  Triangle Route

When the firewall is on, your OX253P acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the OX253P to protect your LAN against attacks.

Figure 49   Ideal Firewall Setup
11.2.3  Firewall Setting Options

Click TOOLS > Firewall > General to configure the basic settings for your firewall.

Figure 50   TOOLS > Firewall > General

The following table describes the labels in this screen.

Table 45   TOOLS > Firewall > General
LABEL: DESCRIPTION
Enable Firewall: Select this to activate the firewall. The OX253P controls access and protects against Denial of Service (DoS) attacks when the firewall is activated.
Bypass Triangle Route: Select this if you want to let some traffic from the WAN go directly to a computer in the LAN without passing through the OX253P.
Max NAT/Firewall Session Per User: Select the maximum number of NAT rules and firewall rules the OX253P enforces at one time. The OX253P automatically allocates memory for the maximum number of rules, regardless of whether or not there is a rule to enforce. This is the same number you enter in ADVANCED > NAT Configuration > General.
Packet Direction
Log: Select the situations in which you want to create log entries for firewall events.
  No Log - do not create any log entries
  Log Blocked - (LAN to WAN only) create log entries when packets are blocked
  Log Forwarded - (WAN to LAN only) create log entries when packets are forwarded
  Log All - create log entries for every packet
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
11.3  Services

Click TOOLS > Firewall > Services to enable service blocking, set up the date and time service blocking is effective, and to maintain the list of services you want to block.

Figure 51   TOOLS > Firewall > Services

The following table describes the labels in this screen.

Table 46   TOOLS > Firewall > Services
LABEL: DESCRIPTION
Service Setup
Enable Services Blocking: Select this to activate service blocking. The Schedule to Block section controls what days and what times service blocking is actually effective, however.
Table 46   TOOLS > Firewall > Services (continued)
LABEL: DESCRIPTION
Available Services: This is a list of pre-defined services (destination ports) you may prohibit your LAN computers from using. Select the port you want to block, and click Add to add the port to the Blocked Services field.
    A custom port is a service that is not available in the pre-defined Available Services list. You must define it using the Type and Port Number fields.
Blocked Services: This is a list of services (ports) that are inaccessible to computers on your LAN when service blocking is effective. To remove a service from this list, select the service, and click Delete.
Type: Select TCP or UDP, based on which one the custom port uses.
Port Number: Enter the range of port numbers that defines the service. For example, suppose you want to define the Gnutella service. Select TCP type and enter a port range of 6345-6349.
Add: Click this to add the selected service in Available Services to the Blocked Services list.
Delete: Select a service in the Blocked Services, and click this to remove the service from the list.
Clear All: Click this to remove all the services in the Blocked Services list.
Schedule to Block
Day to Block: Select which days of the week you want the service blocking to be effective.
Time of Day to Block: Select what time each day you want service blocking to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.

11.4  Technical Reference

The following section contains additional technical information about the OX253P features described in this chapter.

11.4.1  Stateful Inspection Firewall

Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.
11.4.2  Guidelines For Enhancing Security With Your Firewall

1. Change the default password via web configurator.
2. Think about access control before you connect to the network in any way.
3. Limit who can access your router.
4. Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5. For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
6. Protect against IP spoofing by making sure the firewall is active.
7. Keep the firewall in a secured (locked) room.

11.4.3  The “Triangle Route” Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one connection to the Internet (through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the OX253P’s LAN IP address), the “triangle route” (also called asymmetrical route) problem may occur. The steps below describe the “triangle route” problem.

1. A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2. The OX253P reroutes the SYN packet through Gateway A on the LAN to the WAN.
3. The reply from the WAN goes directly to the computer on the LAN without going through the OX253P.
As a result, the OX253P resets the connection, as the connection has not been acknowledged.

Figure 52   “Triangle Route” Problem

11.4.3.1  Solving the “Triangle Route” Problem

If you have the OX253P allow triangle route sessions, traffic from the WAN can go directly to a LAN computer without passing through the OX253P and its firewall protection.

Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your OX253P supports up to three logical LAN interfaces with the OX253P being the gateway for each logical network. It’s like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the OX253P to your LAN. The following steps describe such a scenario.

1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2. The OX253P reroutes the packet to Gateway A, which is in Subnet 2.
3. The reply from the WAN goes to the OX253P.
4. The OX253P then sends it to the computer on the LAN in Subnet 1.

Figure 53   IP Alias
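The three outcomes described in Section 11.4.3 (triangle route with the default setting, Bypass Triangle Route enabled, and IP alias) can be reproduced with a small handshake tracker. This is an added example, not OX253P firmware code; the class, the state names, the addresses and the choice to issue the reset when the client's ACK arrives are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class Firewall:
    """Hypothetical stateful firewall that tracks the TCP handshakes it sees."""

    def __init__(self, bypass_triangle_route=False):
        self.bypass_triangle_route = bypass_triangle_route
        self.sessions = {}   # (client, server) -> handshake state
        self.inspected = []  # every packet that actually crossed the firewall

    def inspect(self, pkt):
        self.inspected.append(pkt)
        if pkt.flags == "SYN":
            self.sessions[(pkt.src, pkt.dst)] = "SYN_SEEN"
            return "forward"
        if pkt.flags == "SYN-ACK":
            key = (pkt.dst, pkt.src)
            if self.sessions.get(key) == "SYN_SEEN":
                self.sessions[key] = "SYNACK_SEEN"
                return "forward"
            return "drop"  # reply to a connection nobody on the LAN opened
        if pkt.flags != "ACK":
            raise ValueError("unsupported flags: " + pkt.flags)
        key = (pkt.src, pkt.dst)
        if self.sessions.get(key) == "SYNACK_SEEN":
            self.sessions[key] = "ESTABLISHED"
            return "forward"
        if self.bypass_triangle_route:
            return "forward"  # allowed although the reply was never inspected
        self.sessions.pop(key, None)
        return "reset"  # the firewall never saw the connection acknowledged


def handshake(fw, reply_passes_firewall):
    """Run one LAN-to-WAN handshake and report what the firewall decided."""
    client, server = "192.168.1.33", "203.0.113.10"  # constructed addresses
    verdicts = [fw.inspect(Packet(client, server, "SYN"))]
    if reply_passes_firewall:
        # IP alias case: Gateway A is in another subnet, so the reply returns
        # through the firewall before it reaches the LAN computer.
        verdicts.append(fw.inspect(Packet(server, client, "SYN-ACK")))
    # Otherwise Gateway A hands the reply straight to the LAN computer.
    verdicts.append(fw.inspect(Packet(client, server, "ACK")))
    return {
        "outcome": verdicts[-1],
        "wan_packets_inspected": sum(1 for p in fw.inspected if p.src == server),
        "state": fw.sessions.get((client, server)),
    }


if __name__ == "__main__":
    print("triangle route:", handshake(Firewall(), reply_passes_firewall=False))
    print("bypass enabled:", handshake(Firewall(True), reply_passes_firewall=False))
    print("IP alias      :", handshake(Firewall(), reply_passes_firewall=True))
```

With the bypass enabled the session works, but the count of inspected WAN packets stays at zero, which is the loss of firewall protection the section describes; only the IP alias layout gives both a working session and inspected replies.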
CHAPTER 12  Content Filter

12.1  Overview

Use the TOOLS > Content Filter screens to create and enforce policies that restrict access to the Internet based on content.

Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords. The OX253P can block web features such as ActiveX controls, Java applets, cookies and disable web proxies. The OX253P also allows you to define time periods and days during which the OX253P performs content filtering.

12.1.1  What You Can Do in This Chapter

• The Filter screen (Section 12.2) lets you set up a trusted IP address, which web features are restricted, and which keywords are blocked when content filtering is effective.
• The Schedule screen (Section 12.3) lets you schedule content filtering.
12.2  Filter

Click TOOLS > Content Filter > Filter to set up a trusted IP address, which web features are restricted, and which keywords are blocked when content filtering is effective.

Figure 54   TOOLS > Content Filter > Filter
The following table describes the labels in this screen.

Table 47   TOOLS > Content Filter > Filter
LABEL: DESCRIPTION
Trusted IP Setup
Trusted Computer IP Address: You can allow a specific computer to access all Internet resources without the restrictions you set in these screens. Enter the IP address of the trusted computer.
Restrict Web Features: Select the web features you want to disable. If a user downloads a page with a restricted feature, that part of the web page appears blank or grayed out.
    ActiveX - This is a tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
    Java - This is used to build downloadable Web components or Internet and intranet business applications of all kinds.
    Cookies - This is used by Web servers to track usage and to provide service based on ID.
    Web Proxy - This is a server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN, it is possible for LAN users to avoid content filtering restrictions.
Keyword Blocking
Enable URL Keyword Blocking: Select this if you want the OX253P to block Web sites based on words in the web site address. For example, if you block the keyword bad, http://www.website.com/bad.html is blocked.
Keyword: Type a keyword you want to block in this field. You can use up to 128 printable ASCII characters. There is no wildcard character, however.
Add: Click this to add the specified Keyword to the Keyword List. You can enter up to 128 keywords.
Keyword List: This field displays the keywords that are blocked when Enable URL Keyword Blocking is selected. To delete a keyword, select it, click Delete, and click Apply.
Delete: Click Delete to remove the selected keyword in the Keyword List. The keyword disappears after you click Apply.
Clear All: Click this button to remove all of the keywords in the Keyword List.
Denied Access Message: Enter the message that is displayed when the OX253P’s content filter feature blocks access to a web site.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
12.3  Schedule

Click TOOLS > Content Filter > Schedule to schedule content filtering.

Figure 55   TOOLS > Content Filter > Schedule

The following table describes the labels in this screen.

Table 48   TOOLS > Content Filter > Schedule
LABEL: DESCRIPTION
Day to Block: Select which days of the week you want content filtering to be effective.
Time of Day to Block: Select what time each day you want content filtering to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
CHAPTER 13  The Remote Management Screens

13.1  Overview

Use the TOOLS > Remote Management screens to control which computers can use which services to access the OX253P on each interface.

Remote management allows you to determine which services/protocols can access which OX253P interface (if any) from which computers.

You may manage your OX253P from a remote location via:

Table 49   Remote Management
• Internet (WAN only)
• ALL (LAN and WAN)
• LAN only
• Neither (Disable).

To disable remote management of a service, select Disable in the corresponding Server Access field.

You may only have one remote management session running at a time. The OX253P automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.

1. Telnet
2. HTTP

13.1.1  What You Can Do in This Chapter

• The WWW screen (Section 13.2) lets you control HTTP access to your OX253P.
• The Telnet screen (Section 13.3) lets you control Telnet access to your OX253P.
• The FTP screen (Section 13.4) lets you control FTP access to your OX253P.
• The SNMP screen (Section 13.5) lets you control SNMP access to your OX253P.
• The DNS screen (Section 13.6) lets you control DNS access to your OX253P.
• The Security screen (Section 13.7) lets you control how your OX253P responds to other types of requests.
• The CWMP-TR069 screen (Section 13.8) lets you configure the OX253P’s auto-configuration and dynamic service configuration options.

13.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

Remote Management Limitations

Remote management over LAN or WAN will not work when:

1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2. You have disabled that service in one of the remote management screens.
3. The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the OX253P will disconnect the session immediately.
4. There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.

Remote Management and NAT

When NAT is enabled:

• Use the OX253P’s WAN IP address when configuring from the WAN.
• Use the OX253P’s LAN IP address when configuring from the LAN.

System Timeout

There is a default system management idle timeout of five minutes (three hundred seconds). The OX253P automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the Maintenance > System > General screen.
SNMP

Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your OX253P supports SNMP agent functionality, which allows a manager station to manage and monitor the OX253P through the network. The OX253P supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation.

Note: SNMP is only available if TCP/IP is configured.

13.2  WWW

Click TOOLS > Remote Management > WWW to control HTTP access to your OX253P.

Figure 56   TOOLS > Remote Management > WWW

The following table describes the labels in this screen.

Table 50   TOOLS > Remote Management > WWW
LABEL: DESCRIPTION
Server Port: Enter the port number this service can use to access the OX253P. The computer must use the same port number.
Server Access: Select the interface(s) through which a computer may access the OX253P using this service.
Secured Client IP Address: Select All to allow any computer to access the OX253P using this service.
    Select Selected to only allow the computer with the IP address that you specify to access the OX253P using this service.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
13.3  Telnet

Click TOOLS > Remote Management > Telnet to control Telnet access to your OX253P.

Figure 57   TOOLS > Remote Management > Telnet

The following table describes the labels in this screen.

Table 51   TOOLS > Remote Management > Telnet
LABEL: DESCRIPTION
Server Port: Enter the port number this service can use to access the OX253P. The computer must use the same port number.
Server Access: Select the interface(s) through which a computer may access the OX253P using this service.
Secured Client IP Address: Select All to allow any computer to access the OX253P using this service.
    Select Selected to only allow the computer with the IP address that you specify to access the OX253P using this service.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.

13.4  FTP

Click TOOLS > Remote Management > FTP to control FTP access to your OX253P.

Figure 58   TOOLS > Remote Management > FTP

The following table describes the labels in this screen.

Table 52   TOOLS > Remote Management > FTP
LABEL: DESCRIPTION
Server Port: Enter the port number this service can use to access the OX253P. The computer must use the same port number.
Server Access: Select the interface(s) through which a computer may access the OX253P using this service.
Secured Client IP Address: Select All to allow any computer to access the OX253P using this service.
    Select Selected to only allow the computer with the IP address that you specify to access the OX253P using this service.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.

13.5  SNMP

An SNMP managed network consists of two main types of component: agents and a manager.

Figure 59   SNMP Management Model

An agent is a management software module that resides in a managed device (the OX253P). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status and so on. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects. The OX253P supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.

13.5.1  SNMP Traps

The OX253P sends traps to the SNMP manager when any of the following events occurs:

Table 53   SNMP Traps
TRAP #  TRAP NAME: DESCRIPTION
0  coldStart (defined in RFC-1215): A trap is sent after booting (power on).
1  warmStart (defined in RFC-1215): A trap is sent after booting (software reboot).
4  authenticationFailure (defined in RFC-1215): A trap is sent to the manager when receiving any SNMP get or set requests with the wrong community (password).
6  whyReboot: A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
6a  For intentional reboot: A trap is sent with the message "System reboot by user!" if reboot is done intentionally (for example, download new files, CI command "sys reboot", etc.).
6b  For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors.
13.5.2  SNMP Options

Click TOOLS > Remote Management > SNMP to access this screen. Use SNMP options to control SNMP access to your OX253P.

Figure 60   TOOLS > Remote Management > SNMP

The following table describes the labels in this screen.

Table 54   TOOLS > Remote Management > SNMP
LABEL: DESCRIPTION
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.
Trap Community: Enter the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Trap Destination: Enter the IP address of the station to send your SNMP traps to.
SNMP Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may access the OX253P using this service.
Secured Client IP: A secured client is a “trusted” computer that is allowed to communicate with the OX253P using this service. Select All to allow any computer to access the OX253P using this service.
    Choose Selected to just allow the computer with the IP address that you specify to access the OX253P using this service.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.

13.6  DNS

Click TOOLS > Remote Management > DNS to access this screen. Use this screen to control DNS access to your OX253P.

Figure 61   TOOLS > Remote Management > DNS

The following table describes the labels in this screen.

Table 55   TOOLS > Remote Management > DNS
LABEL: DESCRIPTION
Server Port: This field is read-only. This field displays the port number this service uses to access the OX253P. The computer must use the same port number.
Server Access: Select the interface(s) through which a computer may access the OX253P using this service.
Secured Client IP Address: Select All to allow any computer to access the OX253P using this service.
    Select Selected to only allow the computer with the IP address that you specify to access the OX253P using this service.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
13.7  Security

Click TOOLS > Remote Management > Security to access this screen. Use this screen to control how your OX253P responds to other types of requests.

Figure 62   TOOLS > Remote Management > Security

The following table describes the labels in this screen.

Table 56   TOOLS > Remote Management > Security
LABEL: DESCRIPTION
Respond to Ping on: Select the interface(s) on which the OX253P should respond to incoming ping requests.
    • Disable - the OX253P does not respond to any ping requests.
    • LAN - the OX253P only responds to ping requests received from the LAN.
    • WAN - the OX253P only responds to ping requests received from the WAN.
    • LAN & WAN - the OX253P responds to ping requests received from the LAN or the WAN.
Do not respond to requests for unauthorized services: Select this to prevent outsiders from discovering your OX253P by sending requests to unsupported port numbers. If an outside user attempts to probe an unsupported port on your OX253P, an ICMP response packet is automatically returned. This allows the outside user to know the OX253P exists. Your OX253P supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your OX253P when unsupported ports are probed.
    If you clear this, your OX253P replies with an ICMP Port Unreachable packet for a port probe on unused UDP ports and with a TCP Reset packet for a port probe on unused TCP ports.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
13.8  CWMP-TR069

CWMP-TR069 is an abbreviation of “CPE WAN Management Protocol - Technical Reference 069”, a protocol designed to facilitate the remote management of Customer Premise Equipment (CPE), such as the OX253P. It can be managed over a WAN by means of an Auto Configuration Server (ACS). CWMP-TR069 is based on sending Remote Procedure Calls (RPCs) between the ACS and the client device. RPCs are sent in Extensible Markup Language (XML) format over HTTP or HTTPS.

An administrator can use an ACS to remotely set up the OX253P, modify its settings, perform firmware upgrades, and monitor and diagnose it. In order to do so, you must enable the CWMP-TR069 feature on your OX253P and then configure it appropriately. (The ACS server which it will use must also be configured by its administrator.)

Figure 63   CWMP-TR069 Example

In this example, the OX253P receives data from at least 3 sources: a SIP server for handling voice calls, an HTTP server for handling web services, and an ACS for configuring the OX253P remotely. All three servers are owned and operated by the client’s Internet Service Provider. However, without the configuration settings from the ACS, the OX253P cannot access the other two servers. Once the OX253P receives its configuration settings and implements them, it can connect to the other servers. If the settings change, it will once again be unable to connect until it receives its updates from the ACS.

The OX253P can be configured to periodically check for updates from the auto-configuration server so that the end user need not be worried about it.
Click TOOLS > Remote Management > CWMP-TR069 to access this screen. Use this screen to open the OX253P’s auto-configuration and dynamic service configuration options.

Figure 64   TOOLS > Remote Management > CWMP-TR069

The following table describes the labels in this screen.

Table 57   TOOLS > Remote Management > CWMP-TR069
LABEL: DESCRIPTION
Active: Select this option to turn on the OX253P’s CWMP-TR069 feature.
    Note: If this feature is not enabled then the OX253P cannot be managed remotely.
ACS URL: Enter the URL or IP address of the auto-configuration server.
User Name: Enter the user name sent when the OX253P connects to the ACS and which is used for authentication.
    You can enter up to 31 alphanumeric characters (a-z, A-Z, 0-9) and underscores but spaces are not allowed.
Password: Enter the password sent when the OX253P connects to an ACS and which is used for authentication.
    You can enter up to 31 alphanumeric characters (a-z, A-Z, 0-9) and underscores but spaces are not allowed.
Connection Request User Name: Enter the connection request user name that the ACS must send to the OX253P when it requests a connection.
    You can enter up to 31 alphanumeric characters (a-z, A-Z, 0-9) and underscores but spaces are not allowed.
    Note: This must be provided by the ACS administrator.
Connection Request Password: Enter the connection request password that the ACS must send to the OX253P when it requests a connection.
    You can enter up to 31 alphanumeric characters (a-z, A-Z, 0-9) and underscores but spaces are not allowed.
    Note: This must be provided by the ACS administrator.
Periodic Inform Enable: Select this to allow the OX253P to periodically connect to the ACS and check for configuration updates. If you do not enable this feature then the OX253P can only be updated automatically when the ACS initiates contact with it and if you selected the Active checkbox on this screen.
Periodic Inform Interval: Enter the time interval (in seconds) at which the OX253P connects to the auto-configuration server.
Periodic Inform Time: Enter a time interval that the OX253P will trigger a periodic inform interval. This works in tandem with the Periodic Inform Interval and is not mutually exclusive of it.
    The Periodic Inform Time must be in the following format: yyyy-mm-ddThh:mm:ss where yyyy is a four digit year (“2009”), mm is a two digit month (01~12), dd is a two digit day (01~28), hh is a two-digit hour in 24-hour format (01~24), mm is a two digit minutes value (01-60) and ss is a two digit seconds value (01-60).
    Note: You must separate the day information from the hour information with a “T”.
    This feature gives the OX253P a baseline from which to begin calculating when each periodic inform happens. If the inform time is set for some point in the past, the OX253P interpolates the inform interval forward to the current time and begins its periodic inform at the appropriate time based on this interpolation.
    If the inform time is set for some point in the future, then the OX253P interpolates backwards to the current time and actually begins at the appropriate time based on this interpolation.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
CHAPTER 14  QoS

14.1  Overview

Quality of Service (QoS) refers to both a network’s ability to deliver data with minimum delay, and the networking methods used to control the use of bandwidth. Without QoS, all traffic data is equally likely to be dropped when the network is congested. This can cause a reduction in network performance and make the network inadequate for time-critical applications such as video-on-demand.

14.2  General

Click TOOLS > QoS to open the screen as shown next. Use this screen to enable or disable QoS.

Figure 65   QoS > General

The following table describes the labels in this screen.

Table 58   TOOLS > Remote Management > Security
LABEL: DESCRIPTION
Active QoS: Select this to enable QoS for the OX253P. Selecting this may improve network performance, especially if you are using VoIP applications or are playing online video games.
Apply: Click to save your changes.
Reset: Click to restore your previously saved settings.
14.3  Class Setup

Use this screen to add, edit or delete QoS classifiers. A classifier groups traffic into data flows according to specific criteria such as the source address, destination address, source port number, destination port number or incoming interface. For example, you can configure a classifier to select traffic from the same protocol port (such as Telnet) to form a flow.

You can give different priorities to traffic that the OX253P forwards out through the WAN interface. Give high priority to voice and video to make them run more smoothly. Similarly, give low priority to many large file downloads so that they do not reduce the quality of other applications.

Click TOOLS > QoS > Class Setup to open the following screen.

Figure 66   QoS > Class Setup

The following table describes the labels in this screen.

Table 59   QoS Class Setup
LABEL: DESCRIPTION
Create New Class: Click this link to create a new class.
#: This field displays the index number of the class.
Active: This field indicates whether the QoS class is enabled or not.
Name: This field indicates the name of the class.
Interface: This field indicates the Ethernet port on which traffic is being monitored and prioritized.
DSCP: This field indicates the Differentiated Services Code Point (DSCP) value for the associated class.
Class Index: This field indicates the index for this QoS class. Classes are implemented based on index number, from lowest to highest.
Action: Click the Edit icon to go to the screen where you can edit the rule.
    Click the Delete icon to delete an existing rule. Note that subsequent rules move up by one when you take this action.
Apply: Click this button to save your changes back to the OX253P.
Cancel: Click this button to begin configuring this screen afresh.
14.3.1  Class Configuration

Click the Create New Class link or the edit icon next to a non-default class entry in the Class Setup screen to configure a classifier.

Figure 67   QoS > Class Setup > Create New Class

The following table describes the labels in this screen.

Table 60   Create New Class
LABEL: DESCRIPTION
Class Configuration
Active: Select this to make a class active.
Index: Enter an index number for the class. Similar classes are processed in order of index number, from lowest to highest.
Name: Enter a descriptive name of up to 20 printable English keyboard characters, including spaces.
Interface: Select an interface to which the class will apply:
    • To WAN - The class is applied to all packets incoming from the WAN (Wide Area Network).
    • To LAN - The class is applied to all packets outgoing from the LAN (Local Area Network).
DSCP: Enter the Differentiated Services Code Point (DSCP) value (0~63) for the traffic matching the class criteria. The higher the value, the higher the priority. Lower-priority packets may be dropped if the total traffic exceeds the capacity of the network.
Filter Configuration: Use this section to define traffic to which this class will apply. The logical relationship of the following parameters is “AND”. Select Exclude next to a parameter to not apply the class to the traffic matching the criteria.
Source
Address / Subnet Mask: Enter a source IP address and the subnet mask for the criteria.
Port Range: Enter a port range on the source host for the criteria.
Destination
Address / Subnet Mask: Enter a destination IP address and the subnet mask for the criteria.
Port Range: Enter a port range on the destination host for the criteria.
Others
Service: Select the traffic type of a service (SIP, FTP or H.323) to which this class will apply.
Protocol: Select TCP or UDP to specify the traffic type to which the class will apply. You can also select User Defined and enter the number of a protocol.
Apply: Click this button to save your changes back to the OX253P.
Cancel: Click this button to begin configuring this screen afresh.
CHAPTER 15
The Logs Screens

15.1  Overview

Use the TOOLS > Logs screens to look at log entries and alerts and to configure the OX253P’s log and alert settings.

For a list of log messages, see Section 15.4 on page 155.

15.1.1  What You Can Do in This Chapter

•The View Logs screen (Section 15.2 on page 151) lets you look at log entries and alerts.
•The Log Settings screen (Section 15.3 on page 153) lets you configure where the OX253P sends logs and alerts, the schedule for sending logs, and which logs and alerts are sent or recorded.

15.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

Alerts

An alert is a type of log that warrants more serious attention. Some categories such as System Errors consist of both logs and alerts.

Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.

Table 61   Syslog Logs

LOG MESSAGE
    DESCRIPTION

Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"
    This message is sent by the system ("RAS" displays as the system name if you haven’t configured one) when the router generates a syslog. The facility is defined in the Log Settings screen. The severity is the log’s syslog class. The messages and notes are defined in the various log charts throughout this appendix. The “devID” is the MAC address of the router’s LAN port. The “cat” is the same as the category in the router’s logs.
Traffic Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal"
    This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DEV" for example).

The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.

Table 62   RFC-2408 ISAKMP Payload Types

LOG DISPLAY
    PAYLOAD TYPE

SA
    Security Association
PROP
    Proposal
TRANS
    Transform
KE
    Key Exchange
ID
    Identification
CER
    Certificate
CER_REQ
    Certificate Request
HASH
    Hash
SIG
    Signature
NONCE
    Nonce
NOTFY
    Notification
DEL
    Delete
VID
    Vendor ID
15.2  View Logs

Click TOOLS > Logs > View Log to access this screen. Use this screen to look at log entries and alerts. Alerts are written in red.

Figure 68   TOOLS > Logs > View Logs

Click a column header to sort log entries in descending (later-to-earlier) order. Click again to sort in ascending order. The small triangle next to a column header indicates how the table is currently sorted (pointing downward is descending; pointing upward is ascending).

The following table describes the labels in this screen.

Table 63   TOOLS > Logs > View Logs

LABEL
    DESCRIPTION

Display
    Select a category whose log entries you want to view. To view all logs, select All Logs. The list of categories depends on what log categories are selected in the Log Settings page.
Email Log Now
    Click this to send the log screen to the e-mail address specified in the Log Settings page.
Refresh
    Click to renew the log screen.
Clear Log
    Click to clear all the log entries, regardless of what is shown on the log screen.
#
    The number of the item in this list.
Time
    This field displays the time the log entry was recorded.
Message
    This field displays the reason for the log entry. See Section 15.4 on page 155.
Source
    This field displays the source IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available.
Destination
    This field lists the destination IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available.
Note
    This field displays additional information about the log entry.
15.3  Log Settings

Click TOOLS > Logs > Log Settings to configure where the OX253P sends logs and alerts, the schedule for sending logs, and which logs and alerts are sent or recorded.

Figure 69   TOOLS > Logs > Log Settings
The following table describes the labels in this screen.

Table 64   TOOLS > Logs > Log Settings

LABEL
    DESCRIPTION

E-mail Log Settings

Mail Server
    Enter the server name or the IP address of the mail server the OX253P should use to e-mail logs and alerts. Leave this field blank if you do not want to send logs or alerts by e-mail.
Mail Subject
    Enter the subject line used in e-mail messages the OX253P sends.
Send Log to
    Enter the e-mail address to which log entries are sent by e-mail. Leave this field blank if you do not want to send logs by e-mail.
Send Alerts to
    Enter the e-mail address to which alerts are sent by e-mail. Leave this field blank if you do not want to send alerts by e-mail.
Log Schedule
    Select the frequency with which the OX253P should send log messages by e-mail.
    •Daily
    •Weekly
    •Hourly
    •When Log is Full
    •None
    If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log fills up. If you select None, no log messages are sent.
Day for Sending Log
    This field is only available when you select Weekly in the Log Schedule field. Select which day of the week to send the logs.
Time for Sending Log
    This field is only available when you select Daily or Weekly in the Log Schedule field. Enter the time of day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
Clear log after sending mail
    Select this to clear all logs and alert messages after logs are sent by e-mail.

Syslog Logging

Active
    Select this to enable syslog logging.
Syslog Server IP Address
    Enter the server name or IP address of the syslog server that logs the selected categories of logs.
Log Facility
    Select a location. The log facility allows you to log the messages in different files in the syslog server. See the documentation of your syslog for more details.

Active Log and Alert

Log
    Select the categories of logs that you want to record.
Send immediate alert
    Select the categories of alerts that you want the OX253P to send immediately.

Apply
    Click to save your changes.
Cancel
    Click to return to the previous screen without saving your changes.

15.4  Log Message Descriptions

The following tables provide descriptions of example log messages.

Table 65   System Error Logs

LOG MESSAGE
    DESCRIPTION

WAN connection is down.
    The WAN connection is down. You cannot access the network through this interface.
%s exceeds the max. number of session per host!
    This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.

Table 66   System Maintenance Logs

LOG MESSAGE
    DESCRIPTION

Time calibration is successful
    The device has adjusted its time based on information from the time server.
Time calibration failed
    The device failed to get information from the time server.
WAN interface gets IP: %s
    The WAN interface got a new IP address from the DHCP or PPPoE server.
DHCP client gets %s
    A DHCP client got a new IP address from the DHCP server.
DHCP client IP expired
    A DHCP client's IP address has expired.
DHCP server assigns %s
    The DHCP server assigned an IP address to a client.
Successful WEB login
    Someone has logged on to the device's web configurator interface.
WEB login failed
    Someone has failed to log on to the device's web configurator interface.
TELNET Login Successfully
    Someone has logged on to the router via telnet.
TELNET Login Fail
    Someone has failed to log on to the router via telnet.
Successful FTP login
    Someone has logged on to the device via ftp.
FTP login failed
    Someone has failed to log on to the device via ftp.
NAT Session Table is Full!
    The maximum number of NAT session table entries has been exceeded and the table is full.
Time initialized by Daytime Server
    The device got the time and date from the Daytime server.
Time initialized by Time server
    The device got the time and date from the time server.
Time initialized by NTP server
    The device got the time and date from the NTP server.
Connect to Daytime server fail
    The device was not able to connect to the Daytime server.
Connect to Time server fail
    The device was not able to connect to the Time server.
Connect to NTP server fail
    The device was not able to connect to the NTP server.
Too large ICMP packet has been dropped
    The device dropped an ICMP packet that was too large.
Configuration Change: PC = 0x%x, Task ID = 0x%x
    The device is saving configuration changes.

Table 67   Access Control Logs

LOG MESSAGE
    DESCRIPTION

Firewall default policy: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>
    Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy’s setting.
Firewall rule [NOT] match:[ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>, <rule:%d>
    Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The router blocked a packet that didn't have a corresponding NAT table entry.
Router sent blocked web site message: TCP
    The router sent a message to notify a user that the router blocked access to a web site that the user requested.
Exceed maximum sessions per host (%d).
    The device blocked a session because the host's connections exceeded the maximum sessions per host.
Firewall allowed a packet that matched a NAT session: [ TCP | UDP ]
    A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.
Table 68   TCP Reset Logs

LOG MESSAGE
    DESCRIPTION

Under SYN flood attack, sent TCP RST
    The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.)
Exceed TCP MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.)
Peer TCP state out of order, sent TCP RST
    The router sent a TCP reset packet when a TCP connection state was out of order.
    Note: The firewall refers to RFC793 Figure 6 to check the TCP state.
Firewall session time out, sent TCP RST
    The router sent a TCP reset packet when a dynamic firewall session timed out.
    The default timeout values are as follows:
    ICMP idle timeout: 3 minutes
    UDP idle timeout: 3 minutes
    TCP connection (three way handshaking) timeout: 270 seconds
    TCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header).
    TCP idle (established) timeout (s): 150 minutes
    TCP reset timeout: 10 seconds
Exceed MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.)
    Note: When the number of incomplete connections (TCP + UDP) > “Maximum Incomplete High”, the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < “Maximum Incomplete Low”.
Access block, sent TCP RST
    The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: sys firewall tcprst).

Table 69   Packet Filter Logs

LOG MESSAGE
    DESCRIPTION

[ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set: %d, rule: %d)
    Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.
For type and code details, see Table 76 on page 161.

Table 70   ICMP Logs

LOG MESSAGE
    DESCRIPTION

Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>
    ICMP access matched the default policy and was blocked or forwarded according to the user's setting.
Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>
    ICMP access matched (or didn’t match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: ICMP
    The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: ICMP
    The router blocked a packet that didn’t have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP
    The firewall does not support this kind of ICMP packet or the ICMP packets are out of order.
Router reply ICMP packet: ICMP
    The router sent an ICMP reply packet to the sender.

Table 71   PPP Logs

LOG MESSAGE
    DESCRIPTION

ppp:LCP Starting
    The PPP connection’s Link Control Protocol stage has started.
ppp:LCP Opening
    The PPP connection’s Link Control Protocol stage is opening.
ppp:CHAP Opening
    The PPP connection’s Challenge Handshake Authentication Protocol stage is opening.
ppp:IPCP Starting
    The PPP connection’s Internet Protocol Control Protocol stage is starting.
ppp:IPCP Opening
    The PPP connection’s Internet Protocol Control Protocol stage is opening.
ppp:LCP Closing
    The PPP connection’s Link Control Protocol stage is closing.
ppp:IPCP Closing
    The PPP connection’s Internet Protocol Control Protocol stage is closing.

Table 72   UPnP Logs

LOG MESSAGE
    DESCRIPTION

UPnP pass through Firewall
    UPnP packets can pass through the firewall.
Table 73   Content Filtering Logs

LOG MESSAGE
    DESCRIPTION

%s: Keyword blocking
    The content of a requested web page matched a user defined keyword.
%s: Not in trusted web list
    The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site
    The web site is in the forbidden web site list.
%s: Contains ActiveX
    The web site contains ActiveX.
%s: Contains Java applet
    The web site contains a Java applet.
%s: Contains cookie
    The web site contains a cookie.
%s: Proxy mode detected
    The router detected proxy mode in the packet.
%s: Trusted Web site
    The web site is in a trusted domain.
%s
    When the content filter is not on according to the time schedule:
Waiting content filter server timeout
    The external content filtering server did not respond within the timeout period.
DNS resolving failed
    The OX253P cannot get the IP address of the external content filtering via DNS query.
Creating socket failed
    The OX253P cannot issue a query because TCP/UDP socket creation failed, port:port number.
Connecting to content filter server fail
    The connection to the external content filtering server failed.
License key is invalid
    The external content filtering license key is invalid.

For type and code details, see Table 76 on page 161.

Table 74   Attack Logs

LOG MESSAGE
    DESCRIPTION

attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
attack ICMP (type:%d, code:%d)
    The firewall detected an ICMP attack.
land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
land ICMP (type:%d, code:%d)
    The firewall detected an ICMP land attack.
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d)
    The firewall detected an ICMP IP spoofing attack on the WAN port.
icmp echo : ICMP (type:%d, code:%d)
    The firewall detected an ICMP echo attack.
syn flood TCP
    The firewall detected a TCP syn flood attack.
ports scan TCP
    The firewall detected a TCP port scan attack.
teardrop TCP
    The firewall detected a TCP teardrop attack.
teardrop UDP
    The firewall detected a UDP teardrop attack.
teardrop ICMP (type:%d, code:%d)
    The firewall detected an ICMP teardrop attack.
illegal command TCP
    The firewall detected a TCP illegal command attack.
NetBIOS TCP
    The firewall detected a TCP NetBIOS attack.
ip spoofing - no routing entry [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall classified a packet with no source routing entry as an IP spoofing attack.
ip spoofing - no routing entry ICMP (type:%d, code:%d)
    The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack.
vulnerability ICMP (type:%d, code:%d)
    The firewall detected an ICMP vulnerability attack.
traceroute ICMP (type:%d, code:%d)
    The firewall detected an ICMP traceroute attack.
ports scan UDP
    The firewall detected a UDP port scan attack.
Firewall sent TCP packet in response to DoS attack TCP
    The firewall sent TCP packet in response to a DoS attack.
ICMP Source Quench ICMP
    The firewall detected an ICMP Source Quench attack.
ICMP Time Exceed ICMP
    The firewall detected an ICMP Time Exceed attack.
ICMP Destination Unreachable ICMP
    The firewall detected an ICMP Destination Unreachable attack.
ping of death. ICMP
    The firewall detected an ICMP ping of death attack.
smurf ICMP
    The firewall detected an ICMP smurf attack.

Table 75   Remote Management Logs

LOG MESSAGE
    DESCRIPTION

Remote Management: FTP denied
    Attempted use of FTP service was blocked according to remote management settings.
Remote Management: TELNET denied
    Attempted use of TELNET service was blocked according to remote management settings.
Remote Management: HTTP or UPnP denied
    Attempted use of HTTP or UPnP service was blocked according to remote management settings.
Remote Management: WWW denied
    Attempted use of WWW service was blocked according to remote management settings.
Remote Management: HTTPS denied
    Attempted use of HTTPS service was blocked according to remote management settings.
Remote Management: SSH denied
    Attempted use of SSH service was blocked according to remote management settings.
Remote Management: ICMP Ping response denied
    Attempted use of ICMP service was blocked according to remote management settings.
Remote Management: DNS denied
    Attempted use of DNS service was blocked according to remote management settings.

Table 76   ICMP Notes

TYPE
    CODE  DESCRIPTION

0  Echo Reply
    0  Echo reply message
3  Destination Unreachable
    0  Net unreachable
    1  Host unreachable
    2  Protocol unreachable
    3  Port unreachable
    4  A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
    5  Source route failed
4  Source Quench
    0  A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
5  Redirect
    0  Redirect datagrams for the Network
    1  Redirect datagrams for the Host
    2  Redirect datagrams for the Type of Service and Network
    3  Redirect datagrams for the Type of Service and Host
8  Echo
    0  Echo message
11  Time Exceeded
    0  Time to live exceeded in transit
    1  Fragment reassembly time exceeded
12  Parameter Problem
    0  Pointer indicates the error
13  Timestamp
    0  Timestamp request message
14  Timestamp Reply
    0  Timestamp reply message
15  Information Request
    0  Information request message
16  Information Reply
    0  Information reply message
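The syslog layouts in Table 61 can be parsed on the collector that receives them. The following Python code is an added example, not ZyXEL code: it decodes the <Facility*8 + Severity> prefix, splits the key=value fields, and uses the login-failure messages of Table 66 and the ICMP type names of Table 76 to summarize a batch of lines. The sample lines are constructed, and their field rendering (bare values inside the quotes, the devID format, the proto name, and the cat strings other than "Traffic Log") is an assumption.

```python
import re
from collections import Counter

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# ICMP type names as listed in Table 76 (ICMP Notes).
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
    8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem", 13: "Timestamp",
    14: "Timestamp Reply", 15: "Information Request", 16: "Information Reply",
}
# Login-failure messages as listed in Table 66 (System Maintenance Logs).
FAILED_LOGINS = {"WEB login failed", "TELNET Login Fail", "FTP login failed"}

# Layout from Table 61: <PRI>Mon dd hr:mm:ss hostname key="value" ...
HEADER = re.compile(r'^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')       # key="quoted" or key=bare
ICMP_NOTE = re.compile(r'type:(\d+)\D+code:(\d+)')      # "(type:8, code:0)" and similar
INT_FIELDS = ("duration", "sent", "rcvd", "protoID")    # unquoted numbers in traffic logs

# Constructed sample input, not captured from a device. Addresses, MAC, counters,
# proto name and the cat strings other than "Traffic Log" are assumptions.
SAMPLE_LINES = [
    '<140>Nov 12 09:15:02 RAS src="198.51.100.7:0" dst="203.0.113.20:0" '
    'msg="attack ICMP (type:8, code:0)" note="" devID="02:00:00:00:00:01" cat="Attack"',
    '<141>Nov 12 09:16:40 RAS src="192.168.1.33:3012" dst="192.168.1.1:80" '
    'msg="WEB login failed" note="" devID="02:00:00:00:00:01" cat="System Maintenance"',
    '<141>Nov 12 09:16:44 RAS src="192.168.1.33:3015" dst="192.168.1.1:80" '
    'msg="WEB login failed" note="" devID="02:00:00:00:00:01" cat="System Maintenance"',
    '<142>Nov 12 09:20:11 RAS src="192.168.1.33:3020" dst="203.0.113.20:443" '
    'msg="Traffic Log" note="Traffic Log" devID="02:00:00:00:00:01" cat="Traffic Log" '
    'duration=42 sent=1800 rcvd=52000 dir="LAN:WAN" protoID=6 proto="https" trans="Normal"',
    '<999>not a syslog line from this device',
]


def split_endpoint(value):
    """Split "ip:port" into (ip, port); port is None when missing or not numeric."""
    ip, sep, port = value.rpartition(":")
    if sep and port.isdecimal():
        return ip, int(port)
    return value, None


def parse_line(line):
    """Return a dict for one Table 61 syslog line, or None if it does not fit the layout."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # syslog facility is 0-23, severity 0-7
        return None
    fields = {k: (bare or quoted) for k, quoted, bare in FIELD.findall(m.group(4))}
    if "msg" not in fields or "cat" not in fields:
        return None
    # Header-derived keys are written last so a field in the body cannot override them.
    rec = {**fields, "facility": pri // 8, "severity": SEVERITIES[pri % 8],
           "time": m.group(2), "host": m.group(3)}
    for key in ("src", "dst"):
        if key in fields:
            rec[key] = split_endpoint(fields[key])
    for key in INT_FIELDS:
        if key in fields:
            if not fields[key].isdecimal():
                return None
            rec[key] = int(fields[key])
    icmp = ICMP_NOTE.search(fields["msg"])
    if icmp:
        icmp_type = int(icmp.group(1))
        rec["icmp"] = (icmp_type, int(icmp.group(2)), ICMP_TYPES.get(icmp_type, "unlisted"))
    return rec


def summarize(lines):
    """Batch view: rejected lines, failed logins per source, ICMP events, bytes per direction."""
    rejected, failed, icmp_events, volume = 0, Counter(), [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
            continue
        src_ip = rec.get("src", ("unknown", None))[0]
        if rec["msg"] in FAILED_LOGINS:
            failed[src_ip] += 1
        if "icmp" in rec:
            icmp_events.append((src_ip, rec["icmp"][2]))
        if rec["cat"] == "Traffic Log":
            volume[rec.get("dir", "unknown")] += rec.get("sent", 0) + rec.get("rcvd", 0)
    return {"rejected": rejected, "failed_logins": dict(failed),
            "icmp_events": icmp_events, "bytes_by_dir": dict(volume)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Facility 17 in the first sample corresponds to the standard syslog facility local1; the value your device sends depends on the Log Facility selected in the Log Settings screen.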
CHAPTER 16
The Status Screen

16.1  Overview

Use this screen to view a complete summary of your OX253P connection status.

16.2  Status Screen

Click the STATUS icon in the navigation bar to go to this screen, where you can view the current status of the device, system resources, interfaces (LAN and WAN), and SIP accounts. You can also register and un-register SIP accounts as well as view detailed information from DHCP and statistics from WiMAX, bandwidth management, and traffic.

Figure 70   Status
The following tables describe the labels in this screen.

Table 77   Status

LABEL
    DESCRIPTION

Refresh Interval
    Select how often you want the OX253P to update this screen.
Refresh Now
    Click this to update this screen immediately.

Device Information

System Name
    This field displays the OX253P system name. It is used for identification. You can change this in the ADVANCED > System Configuration > General screen’s System Name field.
Firmware Version
    This field displays the current version of the firmware inside the device. It also shows the date the firmware version was created. You can change the firmware version by uploading new firmware in ADVANCED > System Configuration > Firmware.

WAN Information

IP Address
    This field displays the current IP address of the OX253P in the WAN.
IP Subnet Mask
    This field displays the current subnet mask on the WAN.
DHCP
    This field displays what DHCP services the OX253P is using in the WAN. Choices are:
    Client - The OX253P is a DHCP client in the WAN. Its IP address comes from a DHCP server on the WAN.
    None - The OX253P is not using any DHCP services in the WAN. It has a static IP address.

LAN Information

IP Address
    This field displays the current IP address of the OX253P in the LAN.
IP Subnet Mask
    This field displays the current subnet mask in the LAN.
DHCP
    This field displays what DHCP services the OX253P is providing to the LAN. Choices are:
    Server - The OX253P is a DHCP server in the LAN. It assigns IP addresses to other computers in the LAN.
    Relay - The OX253P is routing DHCP requests to one or more DHCP servers. The DHCP server(s) may be on another network.
    None - The OX253P is not providing any DHCP services to the LAN.
    You can change this in ADVANCED > LAN Configuration > DHCP Setup.

WiMAX Information

Sequans Firmware Version
    This field displays the firmware version of the WiMAX chipset on the OX253P.
Operator ID
    Every WiMAX service provider has a unique Operator ID number, which is broadcast by each base station it owns. You can only connect to the Internet through base stations belonging to your service provider’s network.
BS ID
    This field displays the identification number of the wireless base station to which the OX253P is connected. Every base station transmits a unique BSID, which identifies it across the network.
Frequency
    This field displays the radio frequency of the OX253P’s wireless connection to a base station.
MAC address
    This field displays the Media Access Control address of the OX253P. Every network device has a unique MAC address which identifies it across the network.
WiMAX State
    This field displays the status of the OX253P’s current connection.
    •INIT: the OX253P is starting up.
    •DL_SYN: The OX253P is unable to connect to a base station.
    •RANGING: the OX253P and the base station are transmitting and receiving information about the distance between them. Ranging allows the OX253P to use a lower transmission power level when communicating with a nearby base station, and a higher transmission power level when communicating with a distant base station.
    •CAP_NEGO: the OX253P and the base station are exchanging information about their capabilities.
    •AUTH: the OX253P and the base station are exchanging security information.
    •REGIST: the OX253P is registering with a RADIUS server.
    •OPERATIONAL: the OX253P has successfully registered with the base station. Traffic can now flow between the OX253P and the base station.
    •IDLE: the OX253P is in power saving mode, but can connect when a base station alerts it that there is traffic waiting.
Bandwidth
    This field shows the size of the bandwidth step the OX253P uses to connect to a base station in megahertz (MHz).
CINR Mean
    This field shows the average Carrier to Interference plus Noise Ratio of the current connection. This value is an indication of overall radio signal quality. A higher value indicates a higher signal quality, and a lower value indicates a lower signal quality.
CINR Deviation
    This field shows the amount of change in the CINR level. This value is an indication of radio signal stability. A lower number indicates a more stable signal, and a higher number indicates a less stable signal.
CINR Reuse 1
    This field shows the WiMAX signal quality when the OX253P is transmitting data to the base station. A higher value indicates a higher signal quality, and a lower value indicates a lower signal quality. The base station determines downlink (DL) and uplink (UL) modulations based on this value.
RSSI
    This field shows the Received Signal Strength Indication. This value is a measurement of overall radio signal strength. A higher RSSI level indicates a stronger signal, and a lower RSSI level indicates a weaker signal. A strong signal does not necessarily indicate a good signal: a strong signal may have a low signal-to-noise ratio (SNR).
UL Data Rate
    This field shows the number of data packets uploaded from the OX253P to the base station each second.
UL Modulation
    This field shows the modulation technique (QPSK or 16-QAM) the OX253P is using for transmitting data to the base station. 16-QAM modulation gets a higher transmission rate because it carries more data than QPSK. The possible values of this field are qpsk-ctc-1/2, qpsk-ctc-3/4, qam16-ctc-1/2, qam16-ctc-3/4. See Section 16.3 on page 171 for more information.
DL Data Rate
    This field shows the number of data packets downloaded to the OX253P from the base station each second.
DL Modulation
    This field shows the modulation technique (QPSK, 16-QAM or 64-QAM) the base station is using for transmitting data to the OX253P. 64-QAM modulation gets a higher transmission rate because it carries more data than QPSK and 16-QAM. The possible values of this field are qpsk-ctc-1/2, qpsk-ctc-3/4, qam16-ctc-1/2, qam16-ctc-3/4, qam64-ctc-1/2, qam64-ctc-2/3, qam64-ctc-3/4, qam64-ctc-5/6. See Section 16.3 on page 171 for more information.
Tx Power
    This field shows the output transmission (Tx) level of the OX253P.

System Status

System Uptime
    This field displays how long the OX253P has been running since it last started up. The OX253P starts up when you plug it in, when you restart it (ADVANCED > System Configuration > Restart), or when you reset it.
Current Date/Time
    This field displays the current date and time in the OX253P. You can change this in SETUP > Time Setting.
Memory Usage
    This field displays what percentage of the OX253P’s memory is currently used. The higher the memory usage, the more likely the OX253P is to slow down. Some memory is required just to start the OX253P and to run the web configurator. You can reduce the memory usage by disabling some services (see CPU Usage); by reducing the amount of memory allocated to NAT and firewall rules (you may have to reduce the number of NAT rules or firewall rules to do so); or by deleting rules in functions such as incoming call policies, speed dial entries, and static routes.

Interface Status

Interface
    This column displays each interface of the OX253P.
Status
    This field indicates whether or not the OX253P is using the interface.
    For the WAN interface, this field displays Up when the OX253P is connected to a WiMAX network, and Down when the OX253P is not connected to a WiMAX network.
    For the LAN interface, this field displays Up when the OX253P is using the interface and Down when the OX253P is not using the interface.
Rate
    For the LAN ports this displays the port speed and duplex setting.
    For the WAN interface, it displays the downstream and upstream transmission rate or N/A if the OX253P is not connected to a base station.
    For the WLAN interface, it displays the transmission rate when WLAN is enabled or N/A when WLAN is disabled.

Summary

WiMAX Site Information
    Click this link to view details of the radio frequencies used by the OX253P to connect to a base station.
WiMAX Profile
    Click this link to view details of the current wireless security settings.
Packet Statistics
    Click this link to view port status and packet specific statistics.
DHCP Table
    Click this link to see details of computers to which the OX253P has given an IP address.

16.2.1  Packet Statistics

Click Status > Packet Statistics to open this screen. This read-only screen displays information about the data transmission through the OX253P. To configure these settings, go to the corresponding area in the Advanced screens.

Figure 71   Packet Statistics

The following table describes the fields in this screen.

Table 78   Packet Statistics

LABEL
    DESCRIPTION

Port
    This column displays each interface of the OX253P.
Status
    This field indicates whether or not the OX253P is using the interface.
    For the WAN interface, this field displays the port speed and duplex setting when the OX253P is connected to a WiMAX network, and Down when the OX253P is not connected to a WiMAX network.
    For the LAN interface, this field displays the port speed and duplex setting when the OX253P is using the interface and Down when the OX253P is not using the interface.
    For the WLAN interface, it displays the transmission rate when WLAN is enabled or Down when WLAN is disabled.
TxPkts
    This field displays the number of packets transmitted on this interface.
RxPkts
    This field displays the number of packets received on this interface.
Collisions
    This field displays the number of collisions on this port.
Tx B/s
    This field displays the number of bytes transmitted in the last second.
Rx B/s
    This field displays the number of bytes received in the last second.
Up Time
    This field displays the elapsed time this interface has been connected.
System up Time
    This is the elapsed time the system has been on.
Poll Interval(s)
    Type the time interval for the browser to refresh system statistics.
Set Interval
    Click this button to apply the new poll interval you entered in the Poll Interval field above.
Stop
    Click this button to halt the refreshing of the system statistics.

16.2.2  WiMAX Site Information

Click Status > WiMAX Site Information to open this screen. This read-only screen shows WiMAX frequency information for the OX253P. These settings can be configured in the ADVANCED > WAN Configuration > WiMAX Configuration screen.

Figure 72   WiMAX Configuration

The following table describes the labels in this screen.

Table 79   WiMAX Configuration

LABEL
    DESCRIPTION

DL Frequency [1] ~ [19]
    These fields show the downlink frequency settings in kilohertz (kHz). These settings determine how the OX253P searches for an available wireless connection.

16.2.3  DHCP Table

Click Status > DHCP Table to open this screen. This read-only screen shows the IP addresses, Host Names and MAC addresses of the devices currently connected to the OX253P. These settings can be configured in the ADVANCED > LAN Configuration > DHCP Setup screen.

Figure 73   DHCP Table

Each field is described in the following table.

Table 80   DHCP Table

LABEL
    DESCRIPTION

#
    The number of the item in this list.
IP Address
    This field displays the IP address the OX253P assigned to a computer in the network.
Host Name
    This field displays the system name of the computer to which the OX253P assigned the IP address.
MAC Address
    This field displays the MAC address of the computer to which the OX253P assigned the IP address.
Refresh
    Click this button to update the table data.

16.2.4  WiMAX Profile
Click Status > WiMAX Profile to open this screen. This read-only screen displays information about the security settings you are using. To configure these settings, go to the ADVANCED > WAN Configuration > Internet Connection screen.
Note: Not all OX253P models have all the fields shown here.
Figure 74   WiMAX Profile
The following table describes the labels in this screen.
Table 81   The WiMAX Profile Screen
LABEL | DESCRIPTION
User Name | This is the username for your Internet access account.
Password | This is the password for your Internet access account. The password displays as a row of asterisks for security purposes.
Anonymous Identity | This is the anonymous identity provided by your Internet Service Provider. Anonymous identity (also known as outer identity) is used with EAP-TTLS encryption.
PKM | This field displays the Privacy Key Management version number. PKM provides security between the OX253P and the base station. See the WiMAX security appendix for more information.
Authentication | This field displays the user authentication method. Authentication is the process of confirming the identity of a user (by means of a username and password, for example). EAP-TTLS allows an MS/SS and a base station to establish a secure link (or ‘tunnel’) with an AAA (Authentication, Authorization and Accounting) server in order to exchange authentication information. See the WiMAX security appendix for more details.
Table 81   The WiMAX Profile Screen (continued)
LABEL | DESCRIPTION
TTLS Inner EAP | This field displays the type of secondary authentication method. Once a secure EAP-TTLS connection is established, the inner EAP is the protocol used to exchange security information between the mobile station, the base station and the AAA server to authenticate the mobile station. See the WiMAX security appendix for more details. The OX253P supports the following inner authentication types:
• CHAP (Challenge Handshake Authentication Protocol)
• MSCHAP (Microsoft CHAP)
• MSCHAPV2 (Microsoft CHAP version 2)
• PAP (Password Authentication Protocol)
Certificate | This is the security certificate the OX253P uses to authenticate the AAA server, if one is available.

16.3  Technical Reference
The following section contains additional technical information about the OX253P features described in this chapter.

Modulation
A modulation technique is a method used to encode digital or analog information onto an analog carrier signal so it can be transmitted. A device modulates digital data onto a radio signal to send over the wireless network. The receiving device demodulates the radio signals back to digital data. The specific frequency at which the information is modulated on the radio signal is called the carrier.

QPSK
The Quadrature Phase-Shift Keying digital modulation technique is used in WiMAX networks to transmit downlink traffic using a maximum data rate of 9.5 Mbps.

16QAM
The Quadrature Amplitude Modulation (QAM) digital modulation technique modulates (changes) the amplitude of two carrier waves. WiMAX networks use 16QAM to transmit downlink traffic using a data rate of 18 Mbps.

CHAPTER 17
Troubleshooting
This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories:
• Power, Hardware Connections, and LEDs
• OX253P Access and Login
• Internet Access
• Export a Certificate File

17.1  Power, Hardware Connections, and LEDs

The OX253P does not turn on. None of the LEDs turn on.
1. Make sure you are using the power adapter or cord included with the OX253P.
2. Make sure the power adapter or cord is connected to the OX253P and plugged in to an appropriate power source. Make sure the power source is turned on.
3. Disconnect and re-connect the power adapter or cord to the OX253P.
4. If the problem continues, contact the vendor.

One of the LEDs does not behave as expected.
1. Make sure you understand the normal behavior of the LED. See Section 1.2.1 on page 20 for more information.
2. Check the hardware connections. See the Quick Start Guide.
3. Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4. Disconnect and re-connect the power adapter to the OX253P.
5. If the problem continues, contact the vendor.

I hear beeping sounds coming from the OX253P.
1. When the OX253P receives signals from a base station, it beeps to notify you.
2. If you do not want to hear beeps from the OX253P, log into the Web Configurator and disable the buzzer in the ADVANCED > WAN Configuration > Buzzer screen.

17.2  OX253P Access and Login

I forgot the IP address for the OX253P.
1. The default IP address is http://192.168.1.1.
2. If you changed the IP address and have forgotten it, you might get the IP address of the OX253P by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the OX253P (it depends on the network), so enter this IP address in your Internet browser.
3. If this does not work, you have to reset the OX253P to its factory defaults. See Section 17.1 on page 173.

I forgot the password.
1. The default password of the administrator account is admin.
2. If this does not work, you have to reset the OX253P to its factory defaults. See Section 9.5 on page 93.

I cannot see or access the Login screen in the web configurator.
1. Make sure you are using the correct IP address.
• The default IP address is http://192.168.1.1.
• If you changed the IP address (Section 5.2 on page 48), use the new IP address.
• If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the OX253P.
2. Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 20.
3. Make sure your Internet browser does not block pop-up windows and has JavaScript and Java enabled. See Appendix C on page 217.
4. If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. Your OX253P is a DHCP server by default.
If there is no DHCP server on your network, make sure your computer’s IP address is in the same subnet as the OX253P. See Appendix D on page 229.
5. Reset the OX253P to its factory defaults, and try to access the OX253P with the default IP address. See Section 9.6 on page 95.
6. If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions
• Try to access the OX253P using another service, such as Telnet. If you can access the OX253P, check the remote management settings and firewall rules to find out why the OX253P does not respond to HTTP.
• If your computer is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port.

I can see the Login screen, but I cannot log in to the OX253P.
1. Make sure you have entered the user name and password correctly. The default user name is admin, and the default password is admin. These fields are case-sensitive, so make sure [Caps Lock] is not on.
2. You cannot log in to the web configurator while someone is using Telnet to access the OX253P. Log out of the OX253P in the other session, or ask the person who is logged in to log out.
3. Disconnect and re-connect the power adapter or cord to the OX253P.
4. If this does not work, you have to reset the OX253P to its factory defaults. See Section 9.5 on page 93.

I cannot Telnet to the OX253P.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.

17.3  Internet Access

I cannot access the Internet.
1. Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 20.
2. Make sure you entered your ISP account information correctly in the wizard. These fields are case-sensitive, so make sure [Caps Lock] is not on.
3. Check your security settings. In the web configurator, go to the Status screen. Click the WiMAX Profile link in the Summary box and make sure that you are using the correct security settings for your Internet account.
4. Check your WiMAX settings. The OX253P may have been set to search the wrong frequencies for a wireless connection. In the web configurator, go to the Status screen. Click the WiMAX Site Information link in the Summary box and ensure that the values are correct. If the values are incorrect, enter the correct frequency settings in the ADVANCED > WAN Configuration > WiMAX Configuration screen. If you are unsure of the correct values, contact your service provider.
5. If you are trying to access the Internet wirelessly, make sure the wireless settings in the wireless client are the same as the settings in the AP.
6. Disconnect all the cables from your OX253P, and follow the directions in the Quick Start Guide again.
7. If the problem continues, contact your ISP.

I cannot access the Internet any more. I had access to the Internet (with the OX253P), but my Internet connection is not available any more.
1. Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 20.
2. Disconnect and re-connect the power adapter to the OX253P.
3. If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.
1. The quality of the OX253P’s wireless connection to the base station may be poor. Poor signal reception may be improved by moving the OX253P away from thick walls and other obstructions, or to a higher floor in your building.
2. There may be radio interference caused by nearby electrical devices such as microwave ovens and radio transmitters. Move the OX253P away or switch the other devices off. Weather conditions may also affect signal quality.
3. There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.2.1 on page 20. If the OX253P is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.
4. Disconnect and re-connect the power adapter to the OX253P.
5. If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

The Internet connection disconnects.
1. Check your WiMAX link and signal strength using the WiMAX Link and Strength Indicator LEDs on the device.
2. Contact your ISP if the problem persists.

17.4  Export a Certificate File

When I try to export a certificate file from the OX253P, the exporting process hangs.
1. You may encounter this issue if you are using Internet Explorer 8.
2. Make sure you have upgraded to Internet Explorer 8 standard version.
3. To resolve this, select Tool > SmartScreen Filter > Turn On SmartScreen Filter in your browser.
Figure 75   Internet Explorer 8: Turn On Safety Filter
4. Select Turn off SmartScreen Filter and click OK. Export the certificate file again. You should be able to download the file now.
Figure 76   Internet Explorer 8: Turn Off Safety Filter

17.5  Reset the OX253P to Its Factory Defaults
If you reset the OX253P, you lose all of the changes you have made. The OX253P re-loads its default settings, and the password resets to admin. You have to make all of your changes again.

17.5.1  Pop-up Windows, JavaScripts and Java Permissions
Please see Appendix C on page 217.

CHAPTER 18
Product Specifications
This chapter gives details about your OX253P’s hardware and firmware features.

Table 82   Environmental and Hardware Specifications
FEATURE | DESCRIPTION
Operating Temperature | -15°C to 60°C (ODU), -10°C to 55°C (IDU)
Storage Temperature | -15°C to 65°C (ODU), -15°C to 60°C (IDU)
Operating Humidity | 10% ~ 90% (non-condensing)
Storage Humidity | 10% to 95% (non-condensing)
Power Supply | Input: AC Voltage Range: 90 VAC - 270 VAC; AC Voltage Rating: 100 VAC - 240 VAC. Output: 48VDC, 0.38A Max.
Power Consumption | US: maximum 18.24W, average 7.932W. EU: maximum 12.12W
Ethernet Interface | One auto-negotiating, auto-MDI/MDI-X NWay 10/100 Mbps RJ-45 Ethernet port
Power over Ethernet Interface (PoE) | One RJ-45-type PoE port providing 48V DC to the OX253P-ODU from the OX253P-IDU
Antennas | One 15dBi ± 0.5dBi Cross-Polarization antenna (ODU)
Weight | 400g
Dimensions | ODU: 372 (L) mm x 232 (W) mm x 54.8 (H) mm. IDU: 188.5 (L) mm x 131.2 (W) mm x 42 (H) mm

Table 83   Radio Specifications
FEATURE | DESCRIPTION
WiMAX Operating Frequency | 2.5~2.7 GHz
Channel Bandwidth | 5MHz / 10MHz
Maximum Transmit Power | 26dbm with ODU antenna deployed.
WiMAX Compliance | Compliant to receiver performances defined in IEEE P802.16-2005, §8.4.13.

Table 84   Firmware Specifications
FEATURE | DESCRIPTION
Web-based Configuration and Management Tool | Also known as “the web configurator”, this is a firmware-based management solution for the OX253P. You must connect using a compatible web browser in order to use it.
High Speed Wireless Internet Access | The OX253P is ideal for high-speed wireless Internet browsing. WiMAX (Worldwide Interoperability for Microwave Access) is a wireless networking standard providing high-bandwidth, wide-range secured wireless service. The OX253P is a WiMAX mobile station (MS) compatible with the IEEE 802.16e standard.
Firewall | The OX253P is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The OX253P’s firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
Content Filtering | The OX253P can block access to web sites containing specified keywords. You can define time periods and days during which content filtering is enabled and include or exclude a range of users on the LAN from content filtering.
Network Address Translation (NAT) | Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
Universal Plug and Play (UPnP) | Your device and other UPnP enabled devices can use the standard TCP/IP protocol to dynamically join a network, obtain an IP address and convey their capabilities to each other.
Dynamic DNS Support | With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
DHCP | DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the TCP/IP configuration at start-up from a centralized DHCP server. Your device has built-in DHCP server capability enabled by default. It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. Your device can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.
IP Alias | IP alias allows you to partition a physical network into logical networks over the same Ethernet interface. Your device supports three logical LAN interfaces via its single physical Ethernet interface with your device itself as the gateway for each LAN network.
Table 84   Firmware Specifications (continued)
FEATURE | DESCRIPTION
Time and Date | Get the current time and date from an external server when you turn on your OX253P. You can also set the time manually.
Logging | Use the OX253P’s logging feature to view connection history, surveillance logs, and error messages.

Table 85   Standards Supported
STANDARD | DESCRIPTION
RFC 768 | User Datagram Protocol
RFC 791 | Internet Protocol v4
RFC 792 | Internet Control Message Protocol
RFC 792 | Transmission Control Protocol
RFC 826 | Address Resolution Protocol
RFC 854 | Telnet Protocol
RFC 1349 | Type of Service Protocol
RFC 1706 | DNS NSAP Resource Records
RFC 1889 | Real-time Transport Protocol (RTP)
RFC 1890 | Real-time Transport Control Protocol (RTCP)
RFC 2030 | Simple Network Time Protocol
RFC 2104 | HMAC: Keyed-Hashing for Message Authentication
RFC 2131 | Dynamic Host Configuration Protocol
RFC 2401 | Security Architecture for the Internet Protocol
RFC 2409 | Internet Key Exchange
RFC 2475 | Architecture for Differentiated Services (Diffserv)
RFC 2617 | Hypertext Transfer Protocol (HTTP) Authentication: Basic and Digest Access Authentication
RFC 2782 | A DNS RR for specifying the location of services (DNS SRV)
RFC 3261 | Session Initiation Protocol (SIP version 2)
RFC 3262 | Reliability of Provisional Responses in the Session Initiation Protocol (SIP).
RFC 3550 | RTP - A Real Time Protocol for Real-Time Applications
RFC 3611 | RTP Control Protocol Extended Reports (RTCP XR)-XR
RFC 3715 | IP Sec/NAT Compatibility
IEEE 802.3 | 10BASE5 10 Mbit/s (1.25 MB/s)
IEEE 802.3u | 100BASE-TX, 100BASE-T4, 100BASE-FX Fast Ethernet at 100 Mbit/s (12.5 MB/s) with auto-negotiation

APPENDIX A
WiMAX Security
Wireless security is vital to protect your wireless communications. Without it, information transmitted over the wireless network would be accessible to any networking device within range.

User Authentication and Data Encryption
The WiMAX (IEEE 802.16) standard employs user authentication and encryption to ensure secured communication at all times.
User authentication is the process of confirming a user’s identity and level of authorization. Data encryption is the process of encoding information so that it cannot be read by anyone who does not know the code.
WiMAX uses PKMv2 (Privacy Key Management version 2) for authentication, and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol) for data encryption.
WiMAX supports EAP (Extensible Authentication Protocol, RFC 2486) which allows additional authentication methods to be deployed with no changes to the base station or the mobile or subscriber stations.

PKMv2
PKMv2 is a procedure that allows authentication of a mobile or subscriber station and negotiation of a public key to encrypt traffic between the MS/SS and the base station. PKMv2 uses standard EAP methods such as Transport Layer Security (EAP-TLS) or Tunneled TLS (EAP-TTLS) for secure communication.
In cryptography, a ‘key’ is a piece of information, typically a string of random numbers and letters, that can be used to ‘lock’ (encrypt) or ‘unlock’ (decrypt) a message. Public key encryption uses key pairs, which consist of a public (freely available) key and a private (secret) key. The public key is used for encryption and the private key is used for decryption. You can decrypt a message only if you have the private key. Public key certificates (or ‘digital IDs’) allow users to verify each other’s identity.

RADIUS
RADIUS is based on a client-server model that supports authentication, authorization and accounting. The base station is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:
• Authentication: Determines the identity of the users.
• Authorization: Determines the network services available to authenticated users once they are connected to the network.
• Accounting: Keeps track of the client’s network activity.
RADIUS is a simple package exchange in which your base station acts as a message relay between the MS/SS and the network RADIUS server.

Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user authentication:
• Access-Request: Sent by a base station requesting authentication.
• Access-Reject: Sent by a RADIUS server rejecting access.
• Access-Accept: Sent by a RADIUS server allowing access.
• Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The base station sends a proper response from the user and then sends another Access-Request message.
The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user accounting:
• Accounting-Request: Sent by the base station requesting accounting.
• Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Diameter
Diameter (RFC 3588) is a type of AAA server that provides several improvements over RADIUS in efficiency, security, and support for roaming.

Security Association
The set of information about user authentication and data encryption between two computers is known as a security association (SA). In a WiMAX network, the process of security association has three stages.
• Authorization request and reply: The MS/SS presents its public certificate to the base station. The base station verifies the certificate and sends an authentication key (AK) to the MS/SS.
• Key request and reply: The MS/SS requests a transport encryption key (TEK) which the base station generates and encrypts using the authentication key.
• Encrypted traffic: The MS/SS decrypts the TEK (using the authentication key). Both stations can now securely encrypt and decrypt the data flow.

CCMP
All traffic in a WiMAX network is encrypted using CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol). CCMP is based on the 128-bit Advanced Encryption Standard (AES) algorithm.
‘Counter mode’ refers to the encryption of each block of plain text with an arbitrary number, known as the counter. This number changes each time a block of plain text is encrypted. Counter mode avoids the security weakness of repeated identical blocks of encrypted text that makes encrypted data vulnerable to pattern-spotting.
‘Cipher Block Chaining Message Authentication’ (also known as CBC-MAC) ensures message integrity by encrypting each block of plain text in such a way that its encryption is dependent on the block before it. This series of ‘chained’ blocks creates a message authentication code (MAC or CMAC) that ensures the encrypted data has not been tampered with.
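
The RADIUS section above says the shared secret is never sent over the network and that password information is encrypted. The following Python sketch is an added example, not part of this manual or of the OX253P firmware: it follows RFC 2865 (User-Password hiding and the Response Authenticator) to show how both properties come from hashing the secret rather than transmitting it. The account name, password, secret and the minimal server_handle function are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types


def _xor_chain(data, secret, request_auth, hiding):
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = result if hiding else block   # always chain on the ciphertext
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: zero-pad to a multiple of 16 bytes, then XOR-chain."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, request_auth, hiding=True)


def reveal_password(hidden, secret, request_auth):
    """Server side: undo the hiding and strip the zero padding."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # fresh Request Authenticator
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(packet):
    """Walk the type-length-value attributes, rejecting malformed lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_reply(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_reply(reply, request, secret):
    """Client side: accept a reply only if it proves knowledge of the secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def server_handle(request, secret, accounts):
    """Hypothetical minimal server: Access-Accept on a password match, else Reject."""
    if len(request) < 20:
        return None                                  # too short to answer; drop it
    try:
        attrs = parse_attributes(request)
        password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""),
                                   secret, request[4:20])
    except ValueError:
        return build_reply(ACCESS_REJECT, request, secret)
    stored = accounts.get(attrs.get(ATTR_USER_NAME, b""))
    ok = stored is not None and hmac.compare_digest(stored, password)
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def demo():
    secret = b"constructed-shared-secret"            # constructed sample values
    user, password = b"subscriber@example.net", b"constructed-passphrase"
    request = build_access_request(7, user, password, secret)
    reply = server_handle(request, secret, {user: password})
    spoofed = build_reply(ACCESS_ACCEPT, request, b"not-the-secret")
    return {
        "secret_on_wire": secret in request or secret in reply,
        "password_on_wire": password in request,
        "reply_code": reply[0],
        "reply_verified": verify_reply(reply, request, secret),
        "spoofed_verified": verify_reply(spoofed, request, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The Response Authenticator protects only replies; an Access-Request is integrity-protected only when it also carries the Message-Authenticator attribute (RFC 2869), and both mechanisms are only as strong as the shared secret.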

Authentication
The OX253P supports EAP-TTLS authentication.

EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection (with EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication). Client authentication is then done by sending the username and password through the secure connection, so the client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

APPENDIX B
Setting Up Your Computer’s IP Address
This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network. Windows Vista/XP/2000, Mac OS 9/OS X, and all versions of UNIX/LINUX include the software components you need to use TCP/IP on your computer.
If you manually assign IP information instead of using a dynamic IP, make sure that your network’s computers have IP addresses that place them in the same subnet.
In this appendix, you can set up an IP address for:
• Windows XP/NT/2000 on page 190
• Windows Vista on page 193
• Mac OS X: 10.3 and 10.4 on page 197
• Mac OS X: 10.5 on page 201
• Linux: Ubuntu 8 (GNOME) on page 204
• Linux: openSUSE 10.3 (KDE) on page 210

Windows XP/NT/2000
The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT.
1. Click Start > Control Panel.
Figure 77   Windows XP: Start Menu
2. In the Control Panel, click the Network Connections icon.
Figure 78   Windows XP: Control Panel
3. Right-click Local Area Connection and then select Properties.
Figure 79   Windows XP: Control Panel > Network Connections > Properties
4. On the General tab, select Internet Protocol (TCP/IP) and then click Properties.
Figure 80   Windows XP: Local Area Connection Properties
5. The Internet Protocol TCP/IP Properties window opens.
Figure 81   Windows XP: Internet Protocol (TCP/IP) Properties
6. Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.
Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.
7. Click OK to close the Internet Protocol (TCP/IP) Properties window.
Click OK to close the Local Area Connection Properties window.

Verifying Settings
1. Click Start > All Programs > Accessories > Command Prompt.
2. In the Command Prompt window, type "ipconfig" and then press [ENTER].
You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.

Windows Vista
This section shows screens from Windows Vista Professional.
1. Click Start > Control Panel.
Figure 82   Windows Vista: Start Menu
2. In the Control Panel, click the Network and Internet icon.
Figure 83   Windows Vista: Control Panel
3. Click the Network and Sharing Center icon.
Figure 84   Windows Vista: Network And Internet
4. Click Manage network connections.
Figure 85   Windows Vista: Network and Sharing Center
5. Right-click Local Area Connection and then select Properties.
Figure 86   Windows Vista: Network and Sharing Center
Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.
6. Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties.
Figure 87   Windows Vista: Local Area Connection Properties
7. The Internet Protocol Version 4 (TCP/IPv4) Properties window opens.
Figure 88   Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties
8. Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.
Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click Advanced.
9. Click OK to close the Internet Protocol (TCP/IP) Properties window.
Click OK to close the Local Area Connection Properties window.

Verifying Settings
1. Click Start > All Programs > Accessories > Command Prompt.
2. In the Command Prompt window, type "ipconfig" and then press [ENTER].
You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.

Mac OS X: 10.3 and 10.4
The screens in this section are from Mac OS X 10.4 but can also apply to 10.3.
1. Click Apple > System Preferences.
Figure 89   Mac OS X 10.4: Apple Menu
2. In the System Preferences window, click the Network icon.
Figure 90   Mac OS X 10.4: System Preferences
3. When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure.
Figure 91   Mac OS X 10.4: Network Preferences
4. For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab.
Figure 92   Mac OS X 10.4: Network Preferences > TCP/IP Tab.
5. For statically assigned settings, do the following:
• From the Configure IPv4 list, select Manually.
• In the IP Address field, type your IP address.
• In the Subnet Mask field, type your subnet mask.
• In the Router field, type the IP address of your device.
Figure 93   Mac OS X 10.4: Network Preferences > Ethernet
Click Apply Now and close the window.

Verifying Settings
Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab.
Figure 94   Mac OS X 10.4: Network Utility

Mac OS X: 10.5
The screens in this section are from Mac OS X 10.5.
1. Click Apple > System Preferences.
Figure 95   Mac OS X 10.5: Apple Menu
2. In System Preferences, click the Network icon.
Figure 96   Mac OS X 10.5: Systems Preferences
3. When the Network preferences pane opens, select Ethernet from the list of available connection types.
Figure 97   Mac OS X 10.5: Network Preferences > Ethernet
4. From the Configure list, select Using DHCP for dynamically assigned settings.
5. For statically assigned settings, do the following:
• From the Configure list, select Manually.
• In the IP Address field, enter your IP address.
• In the Subnet Mask field, enter your subnet mask.
• In the Router field, enter the IP address of your OX253P.
Figure 98   Mac OS X 10.5: Network Preferences > Ethernet
6. Click Apply and close the window.

Verifying Settings
Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab.
Figure 99   Mac OS X 10.5: Network Utility

Linux: Ubuntu 8 (GNOME)
This section shows you how to configure your computer’s TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default Ubuntu 8 installation.
Note: Make sure you are logged in as the root administrator.
Follow the steps below to configure your computer IP address in GNOME:
1. Click System > Administration > Network.
Figure 100   Ubuntu 8: System > Administration Menu
2. When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password.
Figure 101   Ubuntu 8: Network Settings > Connections
3. In the Authenticate window, enter your admin account name and password then click the Authenticate button.
Figure 102   Ubuntu 8: Administrator Account Authentication
4. In the Network Settings window, select the connection that you want to configure, then click Properties.
Figure 103   Ubuntu 8: Network Settings > Connections
5. The Properties dialog box opens.

Figure 104   Ubuntu 8: Network Settings > Properties

•In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address.
•In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields.

6. Click OK to save the changes, close the Properties dialog box and return to the Network Settings screen.
7. If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided.

Figure 105   Ubuntu 8: Network Settings > DNS

8. Click the Close button to apply the changes.

Verifying Settings

Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices tab. The Interface Statistics column shows data if your connection is working properly.

Figure 106   Ubuntu 8: Network Tools

Linux: openSUSE 10.3 (KDE)

This section shows you how to configure your computer’s TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default openSUSE 10.3 installation.

Note: Make sure you are logged in as the root administrator.

Follow the steps below to configure your computer IP address in the KDE:

1. Click K Menu > Computer > Administrator Settings (YaST).

Figure 107   openSUSE 10.3: K Menu > Computer Menu
2. When the Run as Root - KDE su dialog opens, enter the admin password and click OK.

Figure 108   openSUSE 10.3: K Menu > Computer Menu

3. When the YaST Control Center window opens, select Network Devices and then click the Network Card icon.

Figure 109   openSUSE 10.3: YaST Control Center
4. When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button.

Figure 110   openSUSE 10.3: Network Settings
5. When the Network Card Setup window opens, click the Address tab.

Figure 111   openSUSE 10.3: Network Card Setup

6. Select Dynamic Address (DHCP) if you have a dynamic IP address. Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields.
7. Click Next to save the changes and close the Network Card Setup window.
8. If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided.

Figure 112   openSUSE 10.3: Network Settings

9. Click Finish to save your settings and close the window.

Verifying Settings

Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information.

Figure 113   openSUSE 10.3: KNetwork Manager

When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly.

Figure 114   openSUSE: Connection Status - KNetwork Manager

APPENDIX C   Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:
•Web browser pop-up windows from your device.
•JavaScripts (enabled by default).
•Java permissions (enabled by default).

Note: The screens used below belong to Internet Explorer version 6, 7 and 8. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device’s IP address.

Disable Pop-up Blockers

1. In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

Figure 115   Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.
1. In Internet Explorer, select Tools, Internet Options, Privacy.
2. Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

Figure 116   Internet Options: Privacy

3. Click Apply to save this setting.

Enable Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1. In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2. Select Settings… to open the Pop-up Blocker Settings screen.

Figure 117   Internet Options: Privacy

3. Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1.
4. Click Add to move the IP address to the list of Allowed sites.

Figure 118   Pop-up Blocker Settings

5. Click Close to return to the Privacy screen.
6. Click Apply to save this setting.

JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
1. In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 119   Internet Options: Security

2. Click the Custom Level... button.
3. Scroll down to Scripting.
4. Under Active scripting make sure that Enable is selected (the default).
5. Under Scripting of Java applets make sure that Enable is selected (the default).
6. Click OK to close the window.

Figure 120   Security Settings - Java Scripting

Java Permissions

1. From Internet Explorer, click Tools, Internet Options and then the Security tab.
2. Click the Custom Level... button.
3. Scroll down to Microsoft VM.
4. Under Java permissions make sure that a safety level is selected.
5. Click OK to close the window.

Figure 121   Security Settings - Java

JAVA (Sun)

1. From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2. Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3. Click OK to close the window.

Figure 122   Java (Sun)

Mozilla Firefox

Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary slightly. The steps below apply to Mozilla Firefox 3.0 as well.

You can enable Java, JavaScripts and pop-ups in one screen. Click Tools, then click Options in the screen that appears.

Figure 123   Mozilla Firefox: TOOLS > Options
Click Content to show the screen below. Select the check boxes as shown in the following screen.

Figure 124   Mozilla Firefox Content Security

Opera

Opera 10 screens are used here. Screens for other versions may vary slightly.

Allowing Pop-Ups

From Opera, click Tools, then Preferences. In the General tab, go to Choose how you prefer to handle pop-ups and select Open all pop-ups.

Figure 125   Opera: Allowing Pop-Ups

Enabling Java

From Opera, click Tools, then Preferences. In the Advanced tab, select Content from the left-side menu. Select the check boxes as shown in the following screen.

Figure 126   Opera: Enabling Java

To customize JavaScript behavior in the Opera browser, click JavaScript Options.

Figure 127   Opera: JavaScript Options

Select the items you want Opera’s JavaScript to apply.

APPENDIX D   IP Addresses and Subnetting

This appendix introduces IP addresses and subnet masks.

IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

Introduction to IP Addresses

One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.

Structure

An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.
The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.

Figure 128   Network Number and Host ID

How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term “subnet” is short for “sub-network”.

A subnet mask has 32 bits. If a bit in the subnet mask is a “1” then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is “0” then the corresponding bit in the IP address is part of the host ID.

The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).

Table 86   IP Address Network Number and Host ID Example
                      1ST OCTET (192)  2ND OCTET (168)  3RD OCTET (1)  4TH OCTET (2)
IP Address (Binary)   11000000         10101000         00000001       00000010
Subnet Mask (Binary)  11111111         11111111         11111111       00000000
Network Number        11000000         10101000         00000001
Host ID                                                                00000010

By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Subnet masks can be referred to by the size of the network number part (the bits with a “1” value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.

Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.

Table 87   Subnet Masks
             BINARY                                      DECIMAL
             1ST OCTET  2ND OCTET  3RD OCTET  4TH OCTET
8-bit mask   11111111   00000000   00000000   00000000   255.0.0.0
16-bit mask  11111111   11111111   00000000   00000000   255.255.0.0
24-bit mask  11111111   11111111   11111111   00000000   255.255.255.0
29-bit mask  11111111   11111111   11111111   11111000   255.255.255.248

Network Size

The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits.

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example).

As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:

Table 88   Maximum Host Numbers
SUBNET MASK               HOST ID SIZE  MAXIMUM NUMBER OF HOSTS
8 bits   255.0.0.0        24 bits       2^24 - 2   16777214
16 bits  255.255.0.0      16 bits       2^16 - 2   65534
24 bits  255.255.255.0    8 bits        2^8 - 2    254
29 bits  255.255.255.248  3 bits        2^3 - 2    6

Notation

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/” followed by the number of bits in the mask after the address.

For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128.

The following table shows some possible subnet masks using both notations.

Table 89   Alternative Subnet Mask Notation
SUBNET MASK      ALTERNATIVE NOTATION  LAST OCTET (BINARY)  LAST OCTET (DECIMAL)
255.255.255.0    /24                   0000 0000            0
255.255.255.128  /25                   1000 0000            128
255.255.255.192  /26                   1100 0000            192
255.255.255.224  /27                   1110 0000            224
255.255.255.240  /28                   1111 0000            240
255.255.255.248  /29                   1111 1000            248
255.255.255.252  /30                   1111 1100            252

Subnetting

You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.

In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 2^8 - 2 or 254 possible hosts.
The following figure shows the company network before subnetting.

Figure 129   Subnetting Example: Before Subnetting

You can “borrow” one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25).

The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets: 192.168.1.0 /25 and 192.168.1.128 /25.
The following figure shows the company network after subnetting. There are now two sub-networks, A and B.

Figure 130   Subnetting Example: After Subnetting

In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 - 2 or 126 possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s broadcast address).

192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126.

Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to “borrow” two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.
Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet’s broadcast address).

Table 90   Subnet 1
IP/SUBNET MASK                    NETWORK NUMBER               LAST OCTET BIT VALUE
IP Address (Decimal)              192.168.1.                   0
IP Address (Binary)               11000000.10101000.00000001.  00000000
Subnet Mask (Binary)              11111111.11111111.11111111.  11000000
Subnet Address: 192.168.1.0       Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63   Highest Host ID: 192.168.1.62

Table 91   Subnet 2
IP/SUBNET MASK                    NETWORK NUMBER               LAST OCTET BIT VALUE
IP Address                        192.168.1.                   64
IP Address (Binary)               11000000.10101000.00000001.  01000000
Subnet Mask (Binary)              11111111.11111111.11111111.  11000000
Subnet Address: 192.168.1.64      Lowest Host ID: 192.168.1.65
Broadcast Address: 192.168.1.127  Highest Host ID: 192.168.1.126

Table 92   Subnet 3
IP/SUBNET MASK                    NETWORK NUMBER               LAST OCTET BIT VALUE
IP Address                        192.168.1.                   128
IP Address (Binary)               11000000.10101000.00000001.  10000000
Subnet Mask (Binary)              11111111.11111111.11111111.  11000000
Subnet Address: 192.168.1.128     Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191  Highest Host ID: 192.168.1.190

Table 93   Subnet 4
IP/SUBNET MASK                    NETWORK NUMBER               LAST OCTET BIT VALUE
IP Address                        192.168.1.                   192
IP Address (Binary)               11000000.10101000.00000001.  11000000
Subnet Mask (Binary)              11111111.11111111.11111111.  11000000
Subnet Address: 192.168.1.192     Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255  Highest Host ID: 192.168.1.254

Example: Eight Subnets

Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111).

The following table shows IP address last octet values for each subnet.

Table 94   Eight Subnets
SUBNET  SUBNET ADDRESS  FIRST ADDRESS  LAST ADDRESS  BROADCAST ADDRESS
1       0               1              30            31
2       32              33             62            63
3       64              65             94            95
4       96              97             126           127
5       128             129            158           159
6       160             161            190           191
7       192             193            222           223
8       224             225            254           255

Subnet Planning

The following table is a summary for subnet planning on a network with a 24-bit network number.

Table 95   24-bit Network Number Subnet Planning
NO. “BORROWED” HOST BITS  SUBNET MASK            NO. SUBNETS  NO. HOSTS PER SUBNET
1                         255.255.255.128 (/25)  2            126
2                         255.255.255.192 (/26)  4            62
3                         255.255.255.224 (/27)  8            30
4                         255.255.255.240 (/28)  16           14
5                         255.255.255.248 (/29)  32           6
6                         255.255.255.252 (/30)  64           2
7                         255.255.255.254 (/31)  128          1
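
The subnetting arithmetic above, as an added Python example that is not part of the original manual: it applies the mask with a logical AND, derives the broadcast address and host range, and splits a network by borrowing host ID bits. The function names are assumptions chosen for this example, and it covers masks up to /30, where the 2^n - 2 host formula applies.

```python
"""Subnet arithmetic from Appendix D, done with the bit operations it describes."""


def ip_to_int(addr):
    """Convert dotted decimal notation (four octets) to a 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % addr)
    value = 0
    for octet in octets:
        number = int(octet)
        if not 0 <= number <= 255:
            raise ValueError("octet out of range in %r" % addr)
        value = (value << 8) | number
    return value


def int_to_ip(value):
    """Convert a 32-bit integer back to dotted decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """Build the mask integer for a "/prefix": ones from the left, then zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask):
    """Return the "/n" notation for a dotted decimal mask.

    Rejects masks that are not one continuous run of ones from the leftmost bit.
    """
    bits = ip_to_int(mask)
    prefix = bin(bits).count("1")
    if bits != prefix_to_mask(prefix):
        raise ValueError("not a continuous run of ones: %r" % mask)
    return prefix


def describe(addr, prefix):
    """Network number, broadcast address and usable host range for addr/prefix."""
    if not 1 <= prefix <= 30:
        raise ValueError("the 2^n - 2 host formula needs at least 2 host ID bits")
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask            # logical AND keeps the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)  # host ID of all ones
    return {
        "subnet": int_to_ip(network),
        "mask": int_to_ip(mask),
        "lowest_host": int_to_ip(network + 1),
        "highest_host": int_to_ip(broadcast - 1),
        "broadcast": int_to_ip(broadcast),
        "max_hosts": 2 ** (32 - prefix) - 2,
    }


def split(network, prefix, borrowed):
    """Divide network/prefix into 2**borrowed subnets by borrowing host ID bits."""
    new_prefix = prefix + borrowed
    base = ip_to_int(network) & prefix_to_mask(prefix)
    size = 1 << (32 - new_prefix)               # addresses per subnet
    return [describe(int_to_ip(base + i * size), new_prefix)
            for i in range(2 ** borrowed)]


if __name__ == "__main__":
    for row in split("192.168.1.0", 24, 2):     # the four-subnet example
        print(row)
```
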

The following table is a summary for subnet planning on a network with a 16-bit network number.

Table 96   16-bit Network Number Subnet Planning
NO. “BORROWED” HOST BITS  SUBNET MASK            NO. SUBNETS  NO. HOSTS PER SUBNET
1                         255.255.128.0 (/17)    2            32766
2                         255.255.192.0 (/18)    4            16382
3                         255.255.224.0 (/19)    8            8190
4                         255.255.240.0 (/20)    16           4094
5                         255.255.248.0 (/21)    32           2046
6                         255.255.252.0 (/22)    64           1022
7                         255.255.254.0 (/23)    128          510
8                         255.255.255.0 (/24)    256          254
9                         255.255.255.128 (/25)  512          126
10                        255.255.255.192 (/26)  1024         62
11                        255.255.255.224 (/27)  2048         30
12                        255.255.255.240 (/28)  4096         14
13                        255.255.255.248 (/29)  8192         6
14                        255.255.255.252 (/30)  16384        2
15                        255.255.255.254 (/31)  32768        1

Configuring IP Addresses

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the OX253P.

Once you have decided on the network number, pick an IP address for your OX253P that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your OX253P will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the OX253P unless you are instructed to do otherwise.

Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
•10.0.0.0 - 10.255.255.255
•172.16.0.0 - 172.31.255.255
•192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

IP Address Conflicts

Each device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network.

Conflicting Computer IP Addresses Example

More than one device cannot use the same IP address. In the following example computer A has a static (or fixed) IP address that is the same as the IP address that a DHCP server assigns to computer B, which is a DHCP client. Neither can access the Internet. This problem can be solved by assigning a different static IP address to computer A or setting computer A to obtain an IP address automatically.

Figure 131   Conflicting Computer IP Addresses Example

Conflicting Router IP Addresses Example

Since a router connects different networks, it must have interfaces using different network numbers. For example, if a router is set between a LAN and the Internet (WAN), the router’s LAN and WAN addresses must be on different subnets. In the following example, the LAN and WAN are on the same subnet. The LAN computers cannot access the Internet because the router cannot route between networks.

Figure 132   Conflicting Computer IP Addresses Example

Conflicting Computer and Router IP Addresses Example

More than one device cannot use the same IP address. In the following example, the computer and the router’s LAN port both use 192.168.1.1 as the IP address.
The computer cannot access the Internet. This problem can be solved by assigning a different IP address to the computer or the router’s LAN port.

Figure 133   Conflicting Computer and Router IP Addresses Example
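
The three conflict cases above can be checked against an address plan before it is deployed. The following is an added Python example, not part of the original manual; the sample plan is constructed for illustration (only 192.168.1.1 for the router's LAN port comes from the text), and the function names and DHCP pool range are assumptions.

```python
"""Check an address plan for the conflicts described in this appendix."""
import ipaddress
from collections import defaultdict

# Constructed sample plan: (device, address, how the address was assigned).
SAMPLE_HOSTS = [
    ("computer A", "192.168.1.33", "static"),
    ("computer B", "192.168.1.33", "dhcp"),
    ("computer C", "192.168.1.1", "static"),
    ("router LAN port", "192.168.1.1", "static"),
]
# Constructed router interfaces, written as address/subnet mask.
SAMPLE_ROUTER = {"lan": "192.168.1.1/255.255.255.0",
                 "wan": "192.168.1.200/255.255.255.0"}
# Constructed DHCP pool (first and last address handed out).
SAMPLE_DHCP_POOL = ("192.168.1.33", "192.168.1.64")


def duplicate_addresses(hosts):
    """Return {address: [devices]} for every address used by more than one device."""
    seen = defaultdict(list)
    for device, address, _method in hosts:
        seen[str(ipaddress.ip_address(address))].append(device)
    return {addr: devices for addr, devices in seen.items() if len(devices) > 1}


def statics_inside_pool(hosts, pool):
    """Return devices whose static address lies inside the DHCP pool.

    A static address in the pool is the setup that lets a DHCP server hand
    the same address to a client later.
    """
    first, last = (ipaddress.ip_address(a) for a in pool)
    return [device for device, address, method in hosts
            if method == "static" and first <= ipaddress.ip_address(address) <= last]


def interfaces_share_subnet(lan, wan):
    """True if the router's LAN and WAN interfaces are on overlapping subnets."""
    lan_net = ipaddress.ip_interface(lan).network
    wan_net = ipaddress.ip_interface(wan).network
    return lan_net.overlaps(wan_net)


def audit(hosts, router, pool):
    """Run all three checks and return a list of human-readable findings."""
    findings = []
    for address, devices in sorted(duplicate_addresses(hosts).items()):
        findings.append("duplicate address %s: %s" % (address, ", ".join(devices)))
    for device in statics_inside_pool(hosts, pool):
        findings.append("static address of %s is inside the DHCP pool" % device)
    if interfaces_share_subnet(router["lan"], router["wan"]):
        findings.append("router LAN and WAN are on the same subnet")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS, SAMPLE_ROUTER, SAMPLE_DHCP_POOL):
        print(finding)
```
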

APPENDIX E   Importing Certificates

This appendix shows you how to import public key certificates into your web browser.

Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.

Public key certificates can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the created certificate into your web browser and flag that certificate as a trusted authority.

Note: You can see if you are browsing on a secure website if the URL in your web browser’s address bar begins with https:// or there is a sealed padlock icon somewhere in the main browser window (not all browsers show the padlock in the same location).

In this appendix, you can import a public key certificate for:
•Internet Explorer
•Firefox
•Opera
•Konqueror

Internet Explorer

The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, the steps can also apply to Internet Explorer on Windows Vista.

1. If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

Figure 134   Internet Explorer 7: Certification Error

2. Click Continue to this website (not recommended).

Figure 135   Internet Explorer 7: Certification Error
3. In the Address Bar, click Certificate Error > View certificates.

Figure 136   Internet Explorer 7: Certificate Error

4. In the Certificate dialog box, click Install Certificate.

Figure 137   Internet Explorer 7: Certificate
5. In the Certificate Import Wizard, click Next.

Figure 138   Internet Explorer 7: Certificate Import Wizard

6. If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.

Figure 139   Internet Explorer 7: Certificate Import Wizard
7. Otherwise, select Place all certificates in the following store and then click Browse.

Figure 140   Internet Explorer 7: Certificate Import Wizard

8. In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.

Figure 141   Internet Explorer 7: Select Certificate Store
9. In the Completing the Certificate Import Wizard screen, click Finish.

Figure 142   Internet Explorer 7: Certificate Import Wizard

10. If you are presented with another Security Warning, click Yes.

Figure 143   Internet Explorer 7: Security Warning
11. Finally, click OK when presented with the successful certificate installation message.

Figure 144   Internet Explorer 7: Certificate Import Wizard

12. The next time you start Internet Explorer and go to a web configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information.

Figure 145   Internet Explorer 7: Website Identification

Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1. Double-click the public key certificate file.

Figure 146   Internet Explorer 7: Public Key Certificate File

2. In the security warning dialog box, click Open.

Figure 147   Internet Explorer 7: Open File - Security Warning

3. Refer to steps 4-12 in the Internet Explorer procedure to complete the installation process.

Removing a Certificate in Internet Explorer

This section shows you how to remove a public key certificate in Internet Explorer 7.

1. Open Internet Explorer and click TOOLS > Internet Options.

Figure 148   Internet Explorer 7: Tools Menu

2. In the Internet Options dialog box, click Content > Certificates.

Figure 149   Internet Explorer 7: Internet Options
3. In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.

Figure 150   Internet Explorer 7: Certificates

4. In the Certificates confirmation, click Yes.

Figure 151   Internet Explorer 7: Certificates

5. In the Root Certificate Store dialog box, click Yes.

Figure 152   Internet Explorer 7: Root Certificate Store
6. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Firefox

The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.

1. If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2. Select Accept this certificate permanently and click OK.

Figure 153   Firefox 2: Website Certified by an Unknown Authority
3. The certificate is stored and you can now connect securely to the web configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information.

Figure 154   Firefox 2: Page Info

Installing a Stand-Alone Certificate File in Firefox

Rather than browsing to a web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1. Open Firefox and click TOOLS > Options.

Figure 155   Firefox 2: Tools Menu

2. In the Options dialog box, click ADVANCED > Encryption > View Certificates.

Figure 156   Firefox 2: Options
3. In the Certificate Manager dialog box, click Web Sites > Import.

Figure 157   Firefox 2: Certificate Manager

4. Use the Select File dialog box to locate the certificate and then click Open.

Figure 158   Firefox 2: Select File

5. The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.

Removing a Certificate in Firefox

This section shows you how to remove a public key certificate in Firefox 2.

1. Open Firefox and click TOOLS > Options.

Figure 159   Firefox 2: Tools Menu

2. In the Options dialog box, click ADVANCED > Encryption > View Certificates.

Figure 160   Firefox 2: Options
3. In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.

Figure 161   Firefox 2: Certificate Manager

4. In the Delete Web Site Certificates dialog box, click OK.

Figure 162   Firefox 2: Delete Web Site Certificates

5. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Opera

The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms.

1. If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2. Click Install to accept the certificate.

Figure 163   Opera 9: Certificate signer not found
 Appendix EImporting CertificatesOX253P User’s Guide 2593The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.Figure 164   Opera 9: Security information

Installing a Stand-Alone Certificate File in Opera

Rather than browsing to a web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1. Open Opera and click TOOLS > Preferences.
   Figure 165 Opera 9: Tools Menu
2. In Preferences, click ADVANCED > Security > Manage certificates.
   Figure 166 Opera 9: Preferences
3. In the Certificates Manager, click Authorities > Import.
   Figure 167 Opera 9: Certificate manager
4. Use the Import certificate dialog box to locate the certificate and then click Open.
   Figure 168 Opera 9: Import certificate
5. In the Install authority certificate dialog box, click Install.
   Figure 169 Opera 9: Install authority certificate
6. Next, click OK.
   Figure 170 Opera 9: Install authority certificate
7. The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.

Removing a Certificate in Opera

This section shows you how to remove a public key certificate in Opera 9.

1. Open Opera and click TOOLS > Preferences.
   Figure 171 Opera 9: Tools Menu
2. In Preferences, click ADVANCED > Security > Manage certificates.
   Figure 172 Opera 9: Preferences
3. In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete.
   Figure 173 Opera 9: Certificate manager
4. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.

Konqueror

The following example uses Konqueror 3.5 on openSUSE 10.3; however, the screens apply to Konqueror 3.5 on all Linux KDE distributions.

1. If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2. Click Continue.
   Figure 174 Konqueror 3.5: Server Authentication
3. Click Forever when prompted to accept the certificate.
   Figure 175 Konqueror 3.5: Server Authentication
4. Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details.
   Figure 176 Konqueror 3.5: KDE SSL Information

Installing a Stand-Alone Certificate File in Konqueror

Rather than browsing to a web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1. Double-click the public key certificate file.
   Figure 177 Konqueror 3.5: Public Key Certificate File
2. In the Certificate Import Result - Kleopatra dialog box, click OK.
   Figure 178 Konqueror 3.5: Certificate Import Result
   The public key certificate appears in the KDE certificate manager, Kleopatra.
   Figure 179 Konqueror 3.5: Kleopatra
3. The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details.
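
Before importing a stand-alone certificate file in any of the browsers above, compare the file's fingerprint with the value supplied out of band by whoever issued it. The sketch below is an added example, not part of the original guide or the device's software; the sample bytes, the function names and the SHA-1 default are assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder bytes standing in for a certificate's DER encoding
# (not a real certificate); in practice read the issued file from disk.
SAMPLE_DER = bytes.fromhex("3082010a0201") + b"constructed-sample-certificate-body"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(file_bytes):
    """Return the DER bytes of the single certificate in a PEM or DER file."""
    blocks = _PEM_RE.findall(file_bytes)
    if len(blocks) > 1:
        raise ValueError("file holds more than one certificate; check each one")
    if blocks:
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if b"-----BEGIN" in file_bytes:
        raise ValueError("PEM file does not contain a CERTIFICATE block")
    return file_bytes  # no PEM armour found: treat the input as raw DER


def fingerprint(file_bytes, algorithm="sha1"):
    """Colon-separated upper-case hex digest of the certificate's DER form."""
    digest = hashlib.new(algorithm, to_der(file_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected(file_bytes, expected, algorithm="sha1"):
    """True only if the file's fingerprint equals the out-of-band value."""
    want = re.sub(r"[\s:]", "", expected).upper()
    have = fingerprint(file_bytes, algorithm).replace(":", "")
    if len(want) != len(have):
        return False  # truncated value or wrong algorithm: never a match
    return hmac.compare_digest(want.encode(), have.encode())
```

The fingerprint is taken over the DER bytes, so a PEM copy and a DER copy of the same certificate give the same value.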

Removing a Certificate in Konqueror

This section shows you how to remove a public key certificate in Konqueror 3.5.

1. Open Konqueror and click Settings > Configure Konqueror.
   Figure 180 Konqueror 3.5: Settings Menu
2. In the Configure dialog box, select Crypto.
3. On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove.
   Figure 181 Konqueror 3.5: Configure
4. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.

APPENDIX F Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.

• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number.
• Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers.
  • If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.
  • If the Protocol is USER, this is the IP protocol number.
• Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.

Table 97 Commonly Used Services

| NAME | PROTOCOL | PORT(S) | DESCRIPTION |
|---|---|---|---|
| AH(IPSEC_TUNNEL) | User-Defined | 51 | The IPSEC AH (Authentication Header) tunneling protocol uses this service. |
| AIM/New-ICQ | TCP | 5190 | AOL’s Internet Messenger service. It is also used as a listening port by ICQ. |
| AUTH | TCP | 113 | Authentication protocol used by some servers. |
| BGP | TCP | 179 | Border Gateway Protocol. |
| BOOTP_CLIENT | UDP | 68 | DHCP Client. |
| BOOTP_SERVER | UDP | 67 | DHCP Server. |
| CU-SEEME | TCP; UDP | 7648; 24032 | A popular videoconferencing solution from White Pines Software. |
| DNS | TCP/UDP | 53 | Domain Name Server, a service that matches web names to IP numbers. |
| ESP (IPSEC_TUNNEL) | User-Defined | 50 | The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. |
| FINGER | TCP | 79 | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. |
| FTP | TCP; TCP | 20; 21 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. |
| H.323 | TCP | 1720 | NetMeeting uses this protocol. |
| HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web. |
| HTTPS | TCP | 443 | HTTPS is a secured http session often used in e-commerce. |
| ICMP | User-Defined | 1 | Internet Control Message Protocol is often used for diagnostic or routing purposes. |
| ICQ | UDP | 4000 | This is a popular Internet chat program. |
| IGMP(MULTICAST) | User-Defined | 2 | Internet Group Management Protocol is used when sending packets to a specific group of hosts. |
| IKE | UDP | 500 | The Internet Key Exchange algorithm is used for key distribution and management. |
| IRC | TCP/UDP | 6667 | This is another popular Internet chat program. |
| MSN Messenger | TCP | 1863 | Microsoft Networks’ messenger service uses this protocol. |
| NEW-ICQ | TCP | 5190 | An Internet chat program. |
| NEWS | TCP | 144 | A protocol for news groups. |
| NFS | UDP | 2049 | Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments. |
| NNTP | TCP | 119 | Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. |
| PING | User-Defined | 1 | Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. |
| POP3 | TCP | 110 | Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). |
| PPTP | TCP | 1723 | Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. |
| PPTP_TUNNEL (GRE) | User-Defined | 47 | PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel. |
| RCMD | TCP | 512 | Remote Command Service. |
| REAL_AUDIO | TCP | 7070 | A streaming audio service that enables real time sound over the web. |
| REXEC | TCP | 514 | Remote Execution Daemon. |
| RLOGIN | TCP | 513 | Remote Login. |
| RTELNET | TCP | 107 | Remote Telnet. |
| RTSP | TCP/UDP | 554 | The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. |
| SFTP | TCP | 115 | Simple File Transfer Protocol. |
| SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. |
| SNMP | TCP/UDP | 161 | Simple Network Management Program. |
| SNMP-TRAPS | TCP/UDP | 162 | Traps for use with the SNMP (RFC:1215). |
| SQL-NET | TCP | 1521 | Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. |
| SSH | TCP/UDP | 22 | Secure Shell Remote Login Program. |
| STRM WORKS | UDP | 1558 | Stream Works Protocol. |
| SYSLOG | UDP | 514 | Syslog allows you to send system logs to a UNIX server. |
| TACACS | UDP | 49 | Login Host Protocol used for (Terminal Access Controller Access Control System). |
| TELNET | TCP | 23 | Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. |
| TFTP | UDP | 69 | Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). |
| VDOLIVE | TCP | 7000 | Another videoconferencing solution. |
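
The rule for reading the Protocol and Port(s) columns can be applied mechanically when turning table rows into packet-filter match criteria. The following is an added example, not part of the original guide or the device's firmware; the function names and the `;` notation for rows that stack two protocol/port pairs are assumptions of this sketch, and the sample rows are copied from Table 97.

```python
# IP protocol numbers for the transport protocols named in Table 97.
TRANSPORT = {"TCP": 6, "UDP": 17}

# Rows copied from Table 97 as (name, protocol column, port(s) column).
SAMPLE_ROWS = [
    ("DNS", "TCP/UDP", "53"),
    ("CU-SEEME", "TCP; UDP", "7648; 24032"),
    ("FTP", "TCP; TCP", "20; 21"),
    ("ESP (IPSEC_TUNNEL)", "User-Defined", "50"),
    ("PING", "User-Defined", "1"),
]


def expand_service(name, protocol, ports):
    """Return (name, ip_protocol_number, port_or_None) match tuples for a row."""
    protos = [p.strip() for p in protocol.split(";")]
    values = [int(v) for v in ports.split(";")]
    if len(protos) != len(values):
        raise ValueError(f"{name}: protocol and port(s) columns do not pair up")
    matches = []
    for proto, value in zip(protos, values):
        key = proto.upper()
        if key in ("USER-DEFINED", "USER"):
            # Port(s) holds an IP protocol number; there is no port to match.
            if not 0 <= value <= 255:
                raise ValueError(f"{name}: IP protocol {value} out of range")
            matches.append((name, value, None))
            continue
        for transport in key.split("/"):  # "TCP/UDP" shares one port number
            if transport not in TRANSPORT:
                raise ValueError(f"{name}: unknown protocol {proto!r}")
            if not 1 <= value <= 65535:
                raise ValueError(f"{name}: port {value} out of range")
            matches.append((name, TRANSPORT[transport], value))
    return matches


def expand_table(rows):
    """Flatten every row into match tuples, in table order."""
    return [m for row in rows for m in expand_service(*row)]
```

User-Defined rows expand to a protocol-only match with no port, which is why ICMP and PING both resolve to IP protocol 1.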
