ZyXEL Communications P660HWD1V2 802.11g WIRELESS ADSL2+ 4-PORT GATEWAY User Manual (P-660H/HW/W-T Series V3.40 User's Guide)


P-660H/HW-D Series User’s Guide
Appendix K  Log Descriptions (page 314)

Table 133   TCP Reset Logs
LOG MESSAGE / DESCRIPTION

Under SYN flood attack, sent TCP RST
    The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).

Exceed TCP MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user-configured threshold (the TCP incomplete count is per destination host).
    Note: Refer to TCP Maximum Incomplete in the Firewall Attack Alerts screen.

Peer TCP state out of order, sent TCP RST
    The router sent a TCP reset packet when a TCP connection state was out of order.
    Note: The firewall refers to RFC793 Figure 6 to check the TCP state.

Firewall session time out, sent TCP RST
    The router sent a TCP reset packet when a dynamic firewall session timed out. The default timeout values are as follows:
    • ICMP idle timeout: 3 minutes
    • UDP idle timeout: 3 minutes
    • TCP connection (three-way handshaking) timeout: 270 seconds
    • TCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header)
    • TCP idle (established) timeout: 150 minutes
    • TCP reset timeout: 10 seconds

Exceed MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (The incomplete count is for all TCP and UDP connections through the firewall.)
    Note: When the number of incomplete connections (TCP + UDP) > “Maximum Incomplete High”, the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < “Maximum Incomplete Low”.

Access block, sent TCP RST
    The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: "sys firewall tcprst").

Table 134   Packet Filter Logs
LOG MESSAGE / DESCRIPTION

[TCP | UDP | ICMP | IGMP | Generic] packet filter matched (set:%d, rule:%d)
    Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.
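The two thresholds behind the "Exceed TCP MAX incomplete" and "Exceed MAX incomplete" logs in Table 133 interact in a way that is easy to misread when tuning them, so here is a small model of that behaviour. It is an added example, not ZyXEL code: it assumes the newest offending connection is the one reset when a destination host is over its TCP limit, and that the global flush tears down the oldest half-open sessions first (the guide states neither).

```python
from collections import deque


class IncompleteSessionMonitor:
    """Model of the two firewall thresholds Table 133 describes.

    - tcp_max_incomplete: per-destination-host limit on half-open TCP connections
      ("Exceed TCP MAX incomplete, sent TCP RST").
    - max_incomplete_high / max_incomplete_low: global limits on half-open
      TCP + UDP sessions. Crossing High starts RSTs and session teardown that
      continue until the count is below Low ("Exceed MAX incomplete, sent TCP RST").

    Assumptions not stated in the guide: the newest connection is the one reset
    when a host is over its TCP limit, and the global flush removes the oldest
    half-open sessions first.
    """

    def __init__(self, tcp_max_incomplete, max_incomplete_high, max_incomplete_low):
        if not 0 < max_incomplete_low < max_incomplete_high:
            raise ValueError("need 0 < Maximum Incomplete Low < Maximum Incomplete High")
        self.tcp_max = tcp_max_incomplete
        self.high = max_incomplete_high
        self.low = max_incomplete_low
        self.pending = deque()  # (proto, src, dst) half-open sessions, oldest first
        self.log = []           # every log line the model emitted, in order

    def tcp_incomplete_for(self, dst):
        """Half-open TCP connections towards one destination host."""
        return sum(1 for proto, _, d in self.pending if proto == "TCP" and d == dst)

    def total_incomplete(self):
        """Half-open TCP + UDP sessions through the firewall."""
        return len(self.pending)

    def new_incomplete(self, proto, src, dst):
        """Register a new half-open session and return the log lines it produced."""
        events = []
        if proto == "TCP" and self.tcp_incomplete_for(dst) + 1 > self.tcp_max:
            # Per-host limit: the offending SYN is answered with a RST and not tracked.
            events.append(f"Exceed TCP MAX incomplete, sent TCP RST ({src} -> {dst})")
        else:
            self.pending.append((proto, src, dst))
        if self.total_incomplete() > self.high:
            # Global limit: keep tearing sessions down until the count is below Low,
            # not merely back under High (this is the hysteresis the note describes).
            while self.total_incomplete() >= self.low:
                p, s, d = self.pending.popleft()
                if p == "TCP":
                    events.append(f"Exceed MAX incomplete, sent TCP RST ({s} -> {d})")
        self.log.extend(events)
        return events

    def completed(self, proto, src, dst):
        """The handshake finished (or a UDP reply arrived): no longer incomplete."""
        try:
            self.pending.remove((proto, src, dst))
        except ValueError:
            pass


def demo():
    """Drive the model with a constructed burst of half-open sessions."""
    mon = IncompleteSessionMonitor(tcp_max_incomplete=3,
                                   max_incomplete_high=6,
                                   max_incomplete_low=3)
    # Four SYNs to one host: the fourth exceeds the per-host TCP limit.
    for i in range(4):
        mon.new_incomplete("TCP", f"198.51.100.{i + 1}", "192.0.2.10")
    # UDP probes to other hosts push the global count over High (6):
    # the flush then runs until fewer than Low (3) sessions remain.
    for i in range(4):
        mon.new_incomplete("UDP", "198.51.100.9", f"192.0.2.{20 + i}")
    return mon
```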
Table 135   ICMP Logs
LOG MESSAGE / DESCRIPTION

Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>
    ICMP access matched the default policy and was blocked or forwarded according to the user's setting. For type and code details, see Table 147 on page 324.

Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>
    ICMP access matched (or didn’t match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule. For type and code details, see Table 147 on page 324.

Triangle route packet forwarded: ICMP
    The firewall allowed a triangle route session to pass through.

Packet without a NAT table entry blocked: ICMP
    The router blocked a packet that didn’t have a corresponding NAT table entry.

Unsupported/out-of-order ICMP: ICMP
    The firewall does not support this kind of ICMP packet, or the ICMP packets are out of order.

Router reply ICMP packet: ICMP
    The router sent an ICMP reply packet to the sender.

Table 136   CDR Logs
LOG MESSAGE / DESCRIPTION

board%d line%d channel%d, call%d,%s C01 Outgoing Call dev=%x ch=%x%s
    The router received the setup requirements for a call. “call” is the reference (count) number of the call. “dev” is the device type (3 is for dial-up, 6 is for PPPoE, 10 is for PPTP). "channel" or “ch” is the call channel ID.
    For example, "board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0" means the router has dialed to the PPPoE server 3 times.

board%d line%d channel%d, call%d,%s C02 OutCall Connected%d%s
    The PPPoE, PPTP or dial-up call is connected.

board%d line%d channel%d, call%d,%s C02 Call Terminated
    The PPPoE, PPTP or dial-up call was disconnected.

Table 137   PPP Logs
LOG MESSAGE / DESCRIPTION

ppp:LCP Starting
    The PPP connection’s Link Control Protocol stage has started.

ppp:LCP Opening
    The PPP connection’s Link Control Protocol stage is opening.

ppp:CHAP Opening
    The PPP connection’s Challenge Handshake Authentication Protocol stage is opening.

ppp:IPCP Starting
    The PPP connection’s Internet Protocol Control Protocol stage is starting.

ppp:IPCP Opening
    The PPP connection’s Internet Protocol Control Protocol stage is opening.
ppp:LCP Closing
    The PPP connection’s Link Control Protocol stage is closing.

ppp:IPCP Closing
    The PPP connection’s Internet Protocol Control Protocol stage is closing.

Table 138   UPnP Logs
LOG MESSAGE / DESCRIPTION

UPnP pass through Firewall
    UPnP packets can pass through the firewall.

Table 139   Content Filtering Logs
LOG MESSAGE / DESCRIPTION

%s: Keyword blocking
    The content of a requested web page matched a user-defined keyword.

%s: Not in trusted web list
    The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.

%s: Forbidden Web site
    The web site is in the forbidden web site list.

%s: Contains ActiveX
    The web site contains ActiveX.

%s: Contains Java applet
    The web site contains a Java applet.

%s: Contains cookie
    The web site contains a cookie.

%s: Proxy mode detected
    The router detected proxy mode in the packet.

%s
    The content filter server responded that the web site is in the blocked category list, but it did not return the category type.

%s:%s
    The content filter server responded that the web site is in the blocked category list, and returned the category type.

%s(cache hit)
    The system detected that the web site is in the blocked list from the local cache, but does not know the category type.

%s:%s(cache hit)
    The system detected that the web site is in the blocked list from the local cache, and knows the category type.

%s: Trusted Web site
    The web site is in a trusted domain.

%s
    When the content filter is not on according to the time schedule, or you didn't select the "Block Matched Web Site” check box, the system forwards the web content.

Waiting content filter server timeout
    The external content filtering server did not respond within the timeout period.

DNS resolving failed
    The ZyXEL Device cannot get the IP address of the external content filtering server via DNS query.

Creating socket failed
    The ZyXEL Device cannot issue a query because TCP/IP socket creation failed, port: port number.
Connecting to content filter server fail
    The connection to the external content filtering server failed.

License key is invalid
    The external content filtering license key is invalid.

Table 140   Attack Logs
LOG MESSAGE / DESCRIPTION

attack [TCP | UDP | IGMP | ESP | GRE | OSPF]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.

attack ICMP (type:%d, code:%d)
    The firewall detected an ICMP attack. For type and code details, see Table 147 on page 324.

land [TCP | UDP | IGMP | ESP | GRE | OSPF]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.

land ICMP (type:%d, code:%d)
    The firewall detected an ICMP land attack. For type and code details, see Table 147 on page 324.

ip spoofing - WAN [TCP | UDP | IGMP | ESP | GRE | OSPF]
    The firewall detected an IP spoofing attack on the WAN port.

ip spoofing - WAN ICMP (type:%d, code:%d)
    The firewall detected an ICMP IP spoofing attack on the WAN port. For type and code details, see Table 147 on page 324.

icmp echo: ICMP (type:%d, code:%d)
    The firewall detected an ICMP echo attack. For type and code details, see Table 147 on page 324.

syn flood TCP
    The firewall detected a TCP SYN flood attack.

ports scan TCP
    The firewall detected a TCP port scan attack.

teardrop TCP
    The firewall detected a TCP teardrop attack.

teardrop UDP
    The firewall detected a UDP teardrop attack.

teardrop ICMP (type:%d, code:%d)
    The firewall detected an ICMP teardrop attack. For type and code details, see Table 147 on page 324.

illegal command TCP
    The firewall detected a TCP illegal command attack.

NetBIOS TCP
    The firewall detected a TCP NetBIOS attack.

ip spoofing - no routing entry [TCP | UDP | IGMP | ESP | GRE | OSPF]
    The firewall classified a packet with no source routing entry as an IP spoofing attack.

ip spoofing - no routing entry ICMP (type:%d, code:%d)
    The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack.

vulnerability ICMP (type:%d, code:%d)
    The firewall detected an ICMP vulnerability attack. For type and code details, see Table 147 on page 324.

traceroute ICMP (type:%d, code:%d)
    The firewall detected an ICMP traceroute attack. For type and code details, see Table 147 on page 324.
Table 141   IPSec Logs
LOG MESSAGE / DESCRIPTION

Discard REPLAY packet
    The router received and discarded a packet with an incorrect sequence number.

Inbound packet authentication failed
    The router received a packet that has been altered. A third party may have altered or tampered with the packet.

Receive IPSec packet, but no corresponding tunnel exists
    The router dropped an inbound packet for which SPI could not find a corresponding phase 2 SA.

Rule <%d> idle time out, disconnect
    The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chk_conn" CI command to set the time period. The default value is 2 minutes.

WAN IP changed to <IP>
    The router dropped all connections with the “MyIP” configured as “0.0.0.0” when the WAN IP address changed.

Table 142   IKE Logs
LOG MESSAGE / DESCRIPTION

Active connection allowed exceeded
    The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.

Start Phase 2: Quick Mode
    Phase 2 Quick Mode has started.

Verifying Remote ID failed:
    The connection failed during IKE phase 2 because the router and the peer’s Local/Remote Addresses don’t match.

Verifying Local ID failed:
    The connection failed during IKE phase 2 because the router and the peer’s Local/Remote Addresses don’t match.

IKE Packet Retransmit
    The router retransmitted the last packet sent because there was no response from the peer.

Failed to send IKE Packet
    An Ethernet error stopped the router from sending IKE packets.

Too many errors! Deleting SA
    An SA was deleted because there were too many errors.

Phase 1 IKE SA process done
    The phase 1 IKE SA process has been completed.

Duplicate requests with the same cookie
    The router received multiple requests from the same peer while still processing the first IKE packet from the peer.

IKE Negotiation is in process
    The router has already started negotiating with the peer for the connection, but the IKE process has not finished yet.

No proposal chosen
    Phase 1 or phase 2 parameters don’t match. Please check all protocols / settings. For example, one device being configured for 3DES and the other being configured for DES causes the connection to fail.

Local / remote IPs of incoming request conflict with rule <%d>
    The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”. This information conflicted with the listed static rule; thus the connection is not allowed.
Cannot resolve Secure Gateway Addr for rule <%d>
    The router couldn’t resolve the IP address from the domain name that was used for the secure gateway address.

Peer ID: <peer id> <My remote type> -<My local type>
    The displayed ID information did not match between the two ends of the connection.

vs. My Remote <My remote> -<My remote>
    The displayed ID information did not match between the two ends of the connection.

vs. My Local <My local>-<My local>
    The displayed ID information did not match between the two ends of the connection.

Send <packet>
    A packet was sent.

Recv <packet>
    IKE uses ISAKMP to transmit data. Each ISAKMP packet contains many different types of payloads. All of them show in the LOG. Refer to RFC2408 – ISAKMP for a list of all ISAKMP payload types.

Recv <Main or Aggressive> Mode request from <IP>
    The router received an IKE negotiation request from the peer address specified.

Send <Main or Aggressive> Mode request to <IP>
    The router started negotiation with the peer.

Invalid IP <Peer local> / <Peer local>
    The peer’s “Local IP Address” is invalid.

Remote IP <Remote IP> / <Remote IP> conflicts
    The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”. This information conflicted with the listed static rule; thus the connection is not allowed.

Phase 1 ID type mismatch
    This router’s "Peer ID Type" is different from the peer IPSec router's "Local ID Type".

Phase 1 ID content mismatch
    This router’s "Peer ID Content" is different from the peer IPSec router's "Local ID Content".

No known phase 1 ID type found
    The router could not find a known phase 1 ID in the connection attempt.

ID type mismatch. Local / Peer: <Local ID type/Peer ID type>
    The phase 1 ID types do not match.

ID content mismatch
    The phase 1 ID contents do not match.

Configured Peer ID Content: <Configured Peer ID Content>
    The phase 1 ID contents do not match and the configured "Peer ID Content" is displayed.

Incoming ID Content: <Incoming Peer ID Content>
    The phase 1 ID contents do not match and the incoming packet's ID content is displayed.

Unsupported local ID Type: <%d>
    The phase 1 ID type is not supported by the router.

Build Phase 1 ID
    The router has started to build the phase 1 ID.

Adjust TCP MSS to %d
    The router automatically changed the TCP Maximum Segment Size value after establishing a tunnel.

Rule <%d> input idle time out, disconnect
    The tunnel for the listed rule was dropped because there was no inbound traffic within the idle timeout period.

XAUTH succeed! Username: <Username>
    The router used extended authentication to authenticate the listed username.
XAUTH fail! Username: <Username>
    The router was not able to use extended authentication to authenticate the listed username.

Rule [%d] Phase 1 negotiation mode mismatch
    The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer.

Rule [%d] Phase 1 encryption algorithm mismatch
    The listed rule’s IKE phase 1 encryption algorithm did not match between the router and the peer.

Rule [%d] Phase 1 authentication algorithm mismatch
    The listed rule’s IKE phase 1 authentication algorithm did not match between the router and the peer.

Rule [%d] Phase 1 authentication method mismatch
    The listed rule’s IKE phase 1 authentication method did not match between the router and the peer.

Rule [%d] Phase 1 key group mismatch
    The listed rule’s IKE phase 1 key group did not match between the router and the peer.

Rule [%d] Phase 2 protocol mismatch
    The listed rule’s IKE phase 2 protocol did not match between the router and the peer.

Rule [%d] Phase 2 encryption algorithm mismatch
    The listed rule’s IKE phase 2 encryption algorithm did not match between the router and the peer.

Rule [%d] Phase 2 authentication algorithm mismatch
    The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer.

Rule [%d] Phase 2 encapsulation mismatch
    The listed rule’s IKE phase 2 encapsulation did not match between the router and the peer.

Rule [%d] Phase 2 pfs mismatch
    The listed rule’s IKE phase 2 perfect forward secrecy (pfs) setting did not match between the router and the peer.

Rule [%d] Phase 1 ID mismatch
    The listed rule’s IKE phase 1 ID did not match between the router and the peer.

Rule [%d] Phase 1 hash mismatch
    The listed rule’s IKE phase 1 hash did not match between the router and the peer.

Rule [%d] Phase 1 preshared key mismatch
    The listed rule’s IKE phase 1 pre-shared key did not match between the router and the peer.

Rule [%d] Tunnel built successfully
    The listed rule’s IPSec tunnel has been built successfully.

Rule [%d] Peer's public key not found
    The listed rule’s IKE phase 1 peer’s public key was not found.

Rule [%d] Verify peer's signature failed
    The listed rule’s IKE phase 1 verification of the peer’s signature failed.

Rule [%d] Sending IKE request
    IKE sent an IKE request for the listed rule.

Rule [%d] Receiving IKE request
    IKE received an IKE request for the listed rule.

Swap rule to rule [%d]
    The router changed to using the listed rule.

Rule [%d] Phase 1 key length mismatch
    The listed rule’s IKE phase 1 key length (with the AES encryption algorithm) did not match between the router and the peer.

Rule [%d] phase 1 mismatch
    The listed rule’s IKE phase 1 did not match between the router and the peer.
Rule [%d] phase 2 mismatch
    The listed rule’s IKE phase 2 did not match between the router and the peer.

Rule [%d] Phase 2 key length mismatch
    The listed rule’s IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer.

Table 143   PKI Logs
LOG MESSAGE / DESCRIPTION

Enrollment successful
    The SCEP online certificate enrollment was successful. The Destination field records the certification authority server’s IP address and port.

Enrollment failed
    The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.

Failed to resolve <SCEP CA server url>
    The SCEP online certificate enrollment failed because the certification authority server’s address cannot be resolved.

Enrollment successful
    The CMP online certificate enrollment was successful. The Destination field records the certification authority server’s IP address and port.

Enrollment failed
    The CMP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.

Failed to resolve <CMP CA server url>
    The CMP online certificate enrollment failed because the certification authority server’s IP address cannot be resolved.

Rcvd ca cert: <subject name>
    The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.

Rcvd user cert: <subject name>
    The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.

Rcvd CRL <size>: <issuer name>
    The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.

Rcvd ARL <size>: <issuer name>
    The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field.

Failed to decode the received ca cert
    The router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field.

Failed to decode the received user cert
    The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field.

Failed to decode the received CRL
    The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field.

Failed to decode the received ARL
    The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field.
Rcvd data <size> too large! Max size allowed: <max size>
    The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded.

Cert trusted: <subject name>
    The router has verified the path of the certificate with the listed subject name.

Due to <reason codes>, cert not trusted: <subject name>
    Due to the reasons listed, the certificate with the listed subject name has not passed the path verification. The recorded reason codes are only approximate reasons for not trusting the certificate. Please see Table 144 on page 322 for the corresponding descriptions of the codes.

Table 144   Certificate Path Verification Failure Reason Codes
CODE / DESCRIPTION

1    Algorithm mismatch between the certificate and the search constraints.
2    Key usage mismatch between the certificate and the search constraints.
3    Certificate was not valid in the time interval.
4    (Not used)
5    Certificate is not valid.
6    Certificate signature was not verified correctly.
7    Certificate was revoked by a CRL.
8    Certificate was not added to the cache.
9    Certificate decoding failed.
10   Certificate was not found (anywhere).
11   Certificate chain looped (did not find trusted root).
12   Certificate contains critical extension that was not handled.
13   Certificate issuer was not valid (CA specific information missing).
14   (Not used)
15   CRL is too old.
16   CRL is not valid.
17   CRL signature was not verified correctly.
18   CRL was not found (anywhere).
19   CRL was not added to the cache.
20   CRL decoding failed.
21   CRL is not currently valid, but in the future.
22   CRL contains duplicate serial numbers.
23   Time interval is not continuous.
24   Time information not available.
25   Database method failed due to timeout.
26   Database method failed.
27   Path was not verified.
28   Maximum path length reached.

Table 145   802.1X Logs
LOG MESSAGE / DESCRIPTION

Local User Database accepts user.
    A user was authenticated by the local user database.

Local User Database reports user credential error.
    A user was not authenticated by the local user database because of an incorrect user password.

Local User Database does not find user`s credential.
    A user was not authenticated by the local user database because the user is not listed in the local user database.

RADIUS accepts user.
    A user was authenticated by the RADIUS Server.

RADIUS rejects user. Pls check RADIUS Server.
    A user was not authenticated by the RADIUS Server. Please check the RADIUS Server.

Local User Database does not support authentication method.
    The local user database only supports the EAP-MD5 method. A user tried to use another authentication method and was not authenticated.

User logout because of session timeout expired.
    The router logged out a user whose session expired.

User logout because of user deassociation.
    The router logged out a user who ended the session.

User logout because of no authentication response from user.
    The router logged out a user from which there was no authentication response.

User logout because of idle timeout expired.
    The router logged out a user whose idle timeout period expired.

User logout because of user request.
    A user logged out.

Local User Database does not support authentication mothed.
    A user tried to use an authentication method that the local user database does not support (it only supports EAP-MD5).

No response from RADIUS. Pls check RADIUS Server.
    There is no response message from the RADIUS server; please check the RADIUS server.

Use Local User Database to authenticate user.
    The local user database is operating as the authentication server.

Use RADIUS to authenticate user.
    The RADIUS server is operating as the authentication server.

No Server to authenticate user.
    There is no authentication server to authenticate a user.
Table 146   ACL Setting Notes
PACKET DIRECTION / DIRECTION / DESCRIPTION

(L to W)   LAN to WAN
    ACL set for packets traveling from the LAN to the WAN.
(W to L)   WAN to LAN
    ACL set for packets traveling from the WAN to the LAN.
(L to L)   LAN to LAN/ZyXEL Device
    ACL set for packets traveling from the LAN to the LAN or the ZyXEL Device.
(W to W)   WAN to WAN/ZyXEL Device
    ACL set for packets traveling from the WAN to the WAN or the ZyXEL Device.

Table 147   ICMP Notes
TYPE / CODE / DESCRIPTION

Type 0    Echo Reply
    Code 0    Echo reply message
Type 3    Destination Unreachable
    Code 0    Net unreachable
    Code 1    Host unreachable
    Code 2    Protocol unreachable
    Code 3    Port unreachable
    Code 4    A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
    Code 5    Source route failed
Type 4    Source Quench
    Code 0    A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
Type 5    Redirect
    Code 0    Redirect datagrams for the Network
    Code 1    Redirect datagrams for the Host
    Code 2    Redirect datagrams for the Type of Service and Network
    Code 3    Redirect datagrams for the Type of Service and Host
Type 8    Echo
    Code 0    Echo message
Type 11   Time Exceeded
    Code 0    Time to live exceeded in transit
    Code 1    Fragment reassembly time exceeded
Type 12   Parameter Problem
    Code 0    Pointer indicates the error
Type 13   Timestamp
    Code 0    Timestamp request message
Type 14   Timestamp Reply
    Code 0    Timestamp reply message
Type 15   Information Request
    Code 0    Information request message
Type 16   Information Reply
    Code 0    Information reply message

Table 148   Syslog Logs
LOG MESSAGE / DESCRIPTION

<Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address last three numbers>" cat="<category>"
    This message is sent by the system ("RAS" displays as the system name if you haven’t configured one) when the router generates a syslog. The facility is defined in the web MAIN MENU->LOGS->Log Settings page. The severity is the log’s syslog class. The messages and notes are defined in the various log charts throughout this appendix. The “devID” is the last three characters of the MAC address of the router’s LAN port. The “cat” is the same as the category in the router’s logs.

The following table shows the RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.

Table 149   RFC-2408 ISAKMP Payload Types
LOG DISPLAY / PAYLOAD TYPE

SA        Security Association
PROP      Proposal
TRANS     Transform
KE        Key Exchange
ID        Identification
CER       Certificate
CER_REQ   Certificate Request
HASH      Hash
SIG       Signature
NONCE     Nonce
NOTFY     Notification
DEL       Delete
VID       Vendor ID
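When these syslog messages are forwarded to a collector, the Table 148 layout has to be taken apart before the device's categories, notes and ICMP type/code values can be counted. The parser below is an added example written for this guide, not ZyXEL code; the sample lines are constructed, the "note" and "cat" values in them are assumptions (only "ACCESS BLOCK" appears on the page), and the severity names follow RFC 3164.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# RFC 3164 severity names; the index is the severity number (PRI & 7).
SEVERITY_NAMES = ("emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug")

# Table 148 layout: <PRI>Mon dd hr:mm:ss hostname key="value" key="value" ...
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
ICMP_RE = re.compile(r'type:(\d+), code:(\d+)')   # as in "attack ICMP (type:%d, code:%d)"

# Constructed sample lines (not captured from a device). The messages are taken from
# the log tables above; the note and cat values and the devID are assumptions.
SAMPLE_LOG = """\
<174>Jun  8 05:58:21 RAS src="172.21.4.154" dst="224.0.1.24" msg="Firewall default policy: IGMP (W to W)" note="ACCESS BLOCK" devID="0a1b2c" cat="Access Control"
<174>Jun  8 05:58:20 RAS src="172.21.4.187:137" dst="172.21.255.255:137" msg="Firewall default policy: UDP (W to W)" note="ACCESS BLOCK" devID="0a1b2c" cat="Access Control"
<170>Jun  8 05:59:02 RAS src="198.51.100.7:4444" dst="192.0.2.10:80" msg="syn flood TCP" note="ATTACK" devID="0a1b2c" cat="Attack"
<170>Jun  8 05:59:03 RAS src="198.51.100.7" dst="192.0.2.10" msg="attack ICMP (type:8, code:0)" note="ATTACK" devID="0a1b2c" cat="Attack"
this line is not in the Table 148 layout and must be skipped
"""


@dataclass
class ZyxelSyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    msg: str
    note: str
    dev_id: str
    category: str

    @property
    def severity_name(self):
        return SEVERITY_NAMES[self.severity]

    @property
    def icmp_type_code(self):
        """(type, code) for ICMP messages, to be read against Table 147; None otherwise."""
        m = ICMP_RE.search(self.msg)
        return (int(m.group(1)), int(m.group(2))) if m else None


def split_endpoint(value):
    """'172.21.4.187:137' -> ('172.21.4.187', 137); an address without a port gets port 0."""
    ip, sep, port = value.rpartition(":")
    return (ip, int(port)) if sep else (value, 0)


def parse_line(line):
    """Parse one Table 148 syslog line; return None for lines in another layout."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                     # facility 0-23 and severity 0-7 give at most 191
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    if any(key not in fields for key in ("src", "dst", "msg", "note", "devID", "cat")):
        return None
    src_ip, src_port = split_endpoint(fields["src"])
    dst_ip, dst_port = split_endpoint(fields["dst"])
    return ZyxelSyslogEvent(pri >> 3, pri & 7, m.group("ts"), m.group("host"),
                            src_ip, src_port, dst_ip, dst_port,
                            fields["msg"], fields["note"], fields["devID"], fields["cat"])


def parse_log(text):
    """Parse every well-formed line of a syslog capture, silently skipping the rest."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def summarize(events, attack_note="ATTACK"):
    """Events per category plus, per source IP, the attack messages it triggered."""
    per_category = Counter(ev.category for ev in events)
    attackers = defaultdict(list)
    for ev in events:
        if ev.note == attack_note:
            attackers[ev.src_ip].append(ev.msg)
    return per_category, dict(attackers)


if __name__ == "__main__":
    cats, attackers = summarize(parse_log(SAMPLE_LOG))
    print(dict(cats), attackers)
```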
Log Commands

Go to the command interpreter interface.

Configuring What You Want the ZyXEL Device to Log

1  Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyXEL Device is to record.
2  Use sys logs category to view a list of the log categories.

Figure 183   Displaying Log Categories Example

    Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
    ras> ?
    Valid commands are:
    sys             exit            ether           aux
    ip              ipsec           bridge          bm
    certificates    cnm             8021x           radius
    ras>

3  Use sys logs category followed by a log category to display the parameters that are available for the category.

Figure 184   Displaying Log Parameters Example

    ras> sys logs category access
    Usage: [0:none/1:log/2:alert/3:both] [0:don't show debug type/1:show debug type]

4  Use sys logs category followed by a log category and a parameter to decide what to record. Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category. Not every parameter is available with every category.
5  Use the sys logs save command to store the settings in the ZyXEL Device (you must do this in order to record logs).

Displaying Logs

• Use the sys logs display command to show all of the logs in the ZyXEL Device’s log.
• Use the sys logs category display command to show the log settings for all of the log categories.
• Use the sys logs display [log category] command to show the logs in an individual ZyXEL Device log category.
• Use the sys logs clear command to erase all of the ZyXEL Device’s logs.

Log Command Example

This example shows how to set the ZyXEL Device to record the access logs and alerts and then view the results.

    ras> sys logs load
    ras> sys logs category access 3
    ras> sys logs save
    ras> sys logs display access
    #.time                 source                 destination            notes    message
     0|06/08/2004 05:58:21 |172.21.4.154          |224.0.1.24            |ACCESS BLOCK    Firewall default policy: IGMP (W to W)
     1|06/08/2004 05:58:20 |172.21.3.56           |239.255.255.250       |ACCESS BLOCK    Firewall default policy: IGMP (W to W)
     2|06/08/2004 05:58:20 |172.21.0.2            |239.255.255.254       |ACCESS BLOCK    Firewall default policy: IGMP (W to W)
     3|06/08/2004 05:58:20 |172.21.3.191          |224.0.1.22            |ACCESS BLOCK    Firewall default policy: IGMP (W to W)
     4|06/08/2004 05:58:20 |172.21.0.254          |224.0.0.1             |ACCESS BLOCK    Firewall default policy: IGMP (W to W)
     5|06/08/2004 05:58:20 |172.21.4.187:137      |172.21.255.255:137    |ACCESS BLOCK    Firewall default policy: UDP (W to W)
APPENDIX L
Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an Ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an Ad-hoc wireless LAN.

Figure 185   Peer-to-Peer Communication in an Ad-hoc Network

BSS

A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless clients A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless clients A and B can still access the wired network but cannot communicate with each other.

Figure 186   Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
P-660H/HW-D Series User’s GuideAppendix L Wireless LANs 330Figure 187   Infrastructure WLANChannelA channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance.Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11.RTS/CTSA hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
Figure 188   RTS/CTS

When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. The RTS/CTS value defines the largest data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 and 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS value directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.

Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect throughput performance instead of providing a remedy.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.
A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference.

If the Fragmentation Threshold value is smaller than the RTS/CTS value you set (see previously), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

Preamble is used to signal that data is coming to the receiver. Short and Long refer to the length of the synchronization field in a packet.

Short preamble increases performance, as less time spent sending preamble means more time for sending data. All IEEE 802.11b/g compliant wireless adapters support long preamble, but not all support short preamble.

Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks. Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications.

Select Dynamic to have the AP automatically use short preamble when wireless adapters support it; otherwise the AP uses long preamble.

Note: The AP and the wireless adapters MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates.
The IEEE 802.11g data rates and modulations are as follows:

Table 150   IEEE 802.11g

DATA RATE (MBPS)          MODULATION
1                         DBPSK (Differential Binary Phase Shift Keyed)
2                         DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11                  CCK (Complementary Code Keying)
6/9/12/18/24/36/48/54     OFDM (Orthogonal Frequency Division Multiplexing)
Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.

Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity.

The following table shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.

Table 151   Wireless Security Levels

SECURITY LEVEL     SECURITY TYPE
Least Secure       Unique SSID (Default)
                   Unique SSID with Hide SSID Enabled
                   MAC Address Filtering
                   WEP Encryption
                   IEEE 802.1x EAP with RADIUS Server Authentication
                   Wi-Fi Protected Access (WPA)
Most Secure        WPA2

Note: You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want to associate with it.

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

• User-based identification that allows for roaming.
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

• Authentication: determines the identity of the users.
• Authorization: determines the network services available to authenticated users once they are connected to the network.
• Accounting: keeps track of the client’s network activity.

RADIUS is a simple packet exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

• Access-Request: sent by an access point requesting authentication.
• Access-Reject: sent by a RADIUS server rejecting access.
• Access-Accept: sent by a RADIUS server allowing access.
• Access-Challenge: sent by a RADIUS server requesting more information in order to allow access. The access point obtains a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

• Accounting-Request: sent by the access point requesting accounting.
• Accounting-Response: sent by the RADIUS server to indicate that it has started or stopped accounting.
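The Access-Request/Access-Accept exchange above, as an added Python example that is not ZyXEL's code, following RFC 2865 (the successor of RFC 2138 cited above): the AP hides the User-Password attribute with the shared secret and checks the Response Authenticator on every reply before it trusts an Accept or Reject. The user name, password, secret and NAS address are constructed values.

```python
"""RADIUS Access-Request/Access-Accept exchange between an AP (the RADIUS client)
and a RADIUS server, showing what the shared secret protects: the User-Password
attribute is hidden with an MD5(secret || authenticator) keystream (RFC 2865 5.2)
and every reply carries a Response Authenticator the AP verifies. Constructed example."""
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 section 3) and the attribute types used here (section 5).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; block i is XORed with MD5(secret || previous ciphertext
    block), the first block with MD5(secret || Request Authenticator)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; the NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type(1) Length(1) Value TLVs; Length counts the two header bytes."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, ln = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         nas_ip: str, request_auth: bytes = None) -> bytes:
    """AP -> server. The Request Authenticator is a fresh 16-byte random nonce."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs) -> bytes:
    """Server -> AP. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + _md5(hdr, request[4:20], body, secret) + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """AP side. Only a holder of the secret can produce the authenticator, and binding
    it to our Request Authenticator stops an old Accept from being replayed."""
    if (len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response)
            or response[1] != request[1]):        # must answer *this* request
        return False
    expected = _md5(response[:4], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy RADIUS server: recover the password and check it against its user table."""
    attrs = dict(decode_attrs(request[20:]))
    pw = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    if users.get(attrs.get(USER_NAME)) == pw:
        return build_response(ACCESS_ACCEPT, request, secret, [(REPLY_MESSAGE, b"welcome")])
    return build_response(ACCESS_REJECT, request, secret, [(REPLY_MESSAGE, b"denied")])
```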
In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Types of Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client ‘proves’ that it knows the password by encrypting the password with the challenge and sending back the result. The password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certificates are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks.
A digital certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Security)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentication to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
PEAP (Protected EAP)

Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 152   Comparison of EAP Authentication Types

                            EAP-MD5   EAP-TLS   EAP-TTLS   PEAP       LEAP
Mutual Authentication       No        Yes       Yes        Yes        Yes
Certificate – Client        No        Yes       Optional   Optional   No
Certificate – Server        No        Yes       Yes        Yes        No
Dynamic Key Exchange        No        Yes       Yes        Yes        Yes
Credential Integrity        None      Strong    Strong     Strong     Moderate
Deployment Difficulty       Easy      Hard      Moderate   Moderate   Moderate
Client Identity Protection  No        No        Yes        Yes        No
WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key), which only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.
The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP and AES make it more difficult to decrypt data on a Wi-Fi network than WEP does, and more difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks, but it’s still an improvement over WEP, as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP).

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go through the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connected to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA.
At the time of writing, the most widely available supplicants are the WPA patch for Windows XP and Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1. The AP passes the wireless client's authentication request to the RADIUS server.
2. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3. The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Figure 189   WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1. First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
2. The AP checks each wireless client's password and (only) allows it to join the network if the password matches.
3. The AP and wireless clients use the pre-shared key to generate a common PMK (Pairwise Master Key).
4. The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.
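The key hierarchy behind both application examples above, as an added Python example following IEEE 802.11i (not ZyXEL's code): the PSK rule (8 to 63 ASCII characters or 64 hexadecimal digits) yields the PMK, the PMK and the two handshake nonces yield the PTK, and the MIC on each EAPOL-Key handshake frame is what lets the receiver drop a frame that was altered or sent by someone without the PMK. The SSID, MAC addresses, nonces and key-info values are constructed; the PBKDF2 check value for "password"/"IEEE" is the standard's own test vector.

```python
"""WPA/WPA2 key hierarchy: PSK -> PMK (WPA(2)-PSK) or PMK from RADIUS, then
PMK + 4-way handshake nonces -> PTK (KCK/KEK/TK), then the EAPOL-Key MIC that the
receiver checks before accepting a handshake frame. Constructed example after
IEEE 802.11i; the addresses, nonces and SSID are made up."""
import hashlib
import hmac
import struct

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# 802.1X header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8)
MIC_OFFSET = 81


def psk_to_pmk(psk: str, ssid: str) -> bytes:
    """64 hex digits are the 256-bit PMK itself; 8-63 ASCII characters are
    stretched with PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    if len(psk) == 64:
        try:
            return bytes.fromhex(psk)
        except ValueError:
            raise ValueError("a 64-character PSK must be hexadecimal") from None
    if not 8 <= len(psk) <= 63 or not (psk.isascii() and psk.isprintable()):
        raise ValueError("PSK must be 8-63 printable ASCII chars or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range((nbytes + 19) // 20))
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> dict:
    """Pairwise Transient Key from the PMK and the two handshake nonces. Inputs are
    ordered with min/max so AP and client derive the same keys; CCMP needs 48 bytes,
    TKIP 64 (the extra 16 are the Michael MIC keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if cipher == "TKIP" else 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def build_eapol_key(key_info: int, replay: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """EAPOL-Key (RSN descriptor type 2) frame with the MIC field zeroed."""
    body = (struct.pack("!BHHQ", 2, key_info, 16, replay) + nonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # Key IV, Key RSC, Key ID
            + b"\x00" * 16                                   # Key MIC, filled in later
            + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 1, 3, len(body)) + body      # 802.1X v1, type EAPOL-Key


def eapol_key_mic(kck: bytes, frame: bytes, cipher: str = "CCMP") -> bytes:
    """MIC over the whole frame with its MIC field zeroed. Key Descriptor Version 1
    (TKIP) uses HMAC-MD5, version 2 (CCMP) uses HMAC-SHA1 truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    algo = hashlib.md5 if cipher == "TKIP" else hashlib.sha1
    return hmac.new(kck, zeroed, algo).digest()[:16]


def sign_eapol_key(kck: bytes, frame: bytes, cipher: str = "CCMP") -> bytes:
    mic = eapol_key_mic(kck, frame, cipher)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def verify_eapol_key(kck: bytes, frame: bytes, cipher: str = "CCMP") -> bool:
    """Receiver side: a mismatching MIC means the frame was altered or the sender
    does not hold the PMK, so the frame is dropped."""
    if len(frame) < MIC_OFFSET + 18:
        return False
    return hmac.compare_digest(eapol_key_mic(kck, frame, cipher), frame[MIC_OFFSET:MIC_OFFSET + 16])


def handshake_messages_1_and_2(psk: str, ssid: str, aa: bytes, spa: bytes,
                               anonce: bytes, snonce: bytes, cipher: str = "CCMP") -> dict:
    """First half of the 4-way handshake: AP sends ANonce (M1), client answers with
    SNonce under a MIC (M2), AP derives the same PTK and checks that MIC."""
    pmk = psk_to_pmk(psk, ssid)                      # both sides already share this
    m1 = build_eapol_key(0x008a, 1, anonce)          # no MIC yet: client has no PTK
    sta_ptk = derive_ptk(pmk, aa, spa, anonce, snonce, cipher)
    m2 = sign_eapol_key(sta_ptk["KCK"], build_eapol_key(0x010a, 1, snonce), cipher)
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, m2[17:49], cipher)  # SNonce read from M2
    return {"m1": m1, "m2": m2, "ptk_match": ap_ptk == sta_ptk,
            "m2_mic_ok": verify_eapol_key(ap_ptk["KCK"], m2, cipher)}
```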
Figure 190   WPA(2)-PSK Authentication

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each Authentication Method/Key Management Protocol type. MAC address filters are not dependent on how you configure these security features.

Table 153   Wireless Security Relational Matrix

AUTHENTICATION METHOD/      ENCRYPTION   ENTER        IEEE 802.1X
KEY MANAGEMENT PROTOCOL     METHOD       MANUAL KEY
Open                        None         No           Disable
Open                        None         No           Enable without Dynamic WEP Key
Open                        WEP          No           Enable with Dynamic WEP Key
Open                        WEP          Yes          Enable without Dynamic WEP Key
Open                        WEP          Yes          Disable
Shared                      WEP          No           Enable with Dynamic WEP Key
Shared                      WEP          Yes          Enable without Dynamic WEP Key
Shared                      WEP          Yes          Disable
WPA                         TKIP/AES     No           Enable
WPA-PSK                     TKIP/AES     Yes          Disable
WPA2                        TKIP/AES     No           Enable
WPA2-PSK                    TKIP/AES     Yes          Disable
APPENDIX M
Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:

• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).

Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device’s IP address.

Disable Pop-up Blockers

1. In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

Figure 191   Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1. In Internet Explorer, select Tools, Internet Options, Privacy.
2. Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.
Figure 192   Internet Options

3. Click Apply to save this setting.

Enable Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1. In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2. Select Settings… to open the Pop-up Blocker Settings screen.
Figure 193   Internet Options

3. Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1.
4. Click Add to move the IP address to the list of Allowed sites.
Figure 194   Pop-up Blocker Settings

5. Click Close to return to the Privacy screen.
6. Click Apply to save this setting.

JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.

1. In Internet Explorer, click Tools, Internet Options and then the Security tab.
Figure 195   Internet Options

2. Click the Custom Level... button.
3. Scroll down to Scripting.
4. Under Active scripting make sure that Enable is selected (the default).
5. Under Scripting of Java applets make sure that Enable is selected (the default).
6. Click OK to close the window.
Figure 196   Security Settings - Java Scripting

Java Permissions

1. From Internet Explorer, click Tools, Internet Options and then the Security tab.
2. Click the Custom Level... button.
3. Scroll down to Microsoft VM.
4. Under Java permissions make sure that a safety level is selected.
5. Click OK to close the window.
Figure 197   Security Settings - Java

JAVA (Sun)

1. From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2. Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3. Click OK to close the window.
Figure 198   Java (Sun)
APPENDIX N
Triangle Route

The Ideal Setup

When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.

Figure 199   Ideal Setup

The “Triangle Route” Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices. Some companies have more than one route to one or more ISPs. If the alternate gateway is on the LAN (and its IP address is in the same subnet), the “triangle route” problem may occur. The steps below describe the “triangle route” problem.

1. A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2. The ZyXEL Device reroutes the SYN packet through Gateway A on the LAN to the WAN.
3. The reply from the WAN goes directly to the computer on the LAN without going through the ZyXEL Device. As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged.
Figure 200   “Triangle Route” Problem

The “Triangle Route” Solutions

This section presents two solutions to the “triangle route” problem.

IP Aliasing

IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces, with the ZyXEL Device being the gateway for each logical network. By putting your LAN and Gateway B in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.

1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2. The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2.
3. The reply from the WAN goes through the ZyXEL Device to the computer on the LAN in Subnet 1.

Figure 201   IP Alias
Index

A
access point 108
access point. See also AP.
Address Assignment 96
Address Resolution Protocol (ARP) 99
ADSL standards 35
Advanced Encryption Standard 337
alternative subnet mask notation 292
Antenna gain 119
Any IP 35, 98
  How it works 99
  note 99
Any IP Setup 101
AP 108
AP (access point) 330
AP. See also access point.
Application-level Firewalls 145
applications
  Internet access 39
ATM Adaptation Layer 5 (AAL5) 77
Attack Alert 175
Attack Types 149

B
Backup 240
Backup Type 92
Bandwidth Management 186
Bandwidth Manager Class Configuration 192
Bandwidth Manager Monitor 196
Bandwidth Manager Summary 191
Basic wireless security 67
Blocking Time 174
Brute-force Attack 148
BSS 328
BW Budget 193

C
CA 335
CBR (Continuous Bit Rate) 85, 89
Certificate Authority 335
certifications
  Notices 4
  viewing 4
change password at login 43
Channel 330
  Interference 330
channel 108
Channel ID 112
compact 37
compact guide 42
Configuration 95
Content Filtering 178
  Categories 178
  Schedule 179
  Trusted computers 180
  URL keyword blocking 178
Content filtering 178
content filtering 36
Copyright 2
CTS (Clear to Send) 331
Custom Ports
  Creating/Editing 166
Customer Support 8
Customized Services 165
Customized services 165

D
Default 242
default LAN IP address 42
Denial of Service 145, 146, 174
Destination Address 158
device model number 238
DHCP 37, 95, 96, 198, 226
DHCP client 37
DHCP relay 37
DHCP server 37
diagnostic 244
disclaimer 2
DNS 209
Domain Name 96, 137, 226
Domain Name System 95
DoS 146
  Basics 146
  Types 147
DoS (Denial of Service) 35
DoS attacks, types of 147
DSL (Digital Subscriber Line) 254
DSL line, reinitialize 245
DSLAM (Digital Subscriber Line Access Multiplexer) 39
Dynamic DNS 36, 198
dynamic DNS 36
Dynamic Host Configuration Protocol 37
Dynamic WEP Key Exchange 336
DYNDNS Wildcard 198

E
EAP Authentication 335
ECHO 137
E-Mail 131
E-mail
  Log Example 236
embedded help 45
Encapsulated Routing Link Protocol (ENET ENCAP) 76
Encapsulation 76, 77
  ENET ENCAP 76
  PPP over Ethernet 76
  PPPoA 77
  RFC 1483 77
Encryption 337
encryption 110
  and local (user) database 111
  key 111
  WPA compatible 111
ESS 329
Ethernet 251
Extended Service Set 329
Extended Service Set IDentification 112
Extended wireless security 66

F
Fairness-based Scheduler 188
FCC interference statement 3
Federal Communications Commission 3
Finger 137
Firewall
  Access Methods 156
  Address Type 164
  Alerts 159
  Anti-Probing 172
  Creating/Editing Rules 162
  Custom Ports 165
  Enabling 159
  Firewall Vs Filters 154
  Guidelines For Enhancing Security 153
  Introduction 145
  LAN to WAN Rules 159
  Policies 156
  Rule Checklist 157
  Rule Logic 157
  Rule Security Ramifications 157
  Services 170
  Types 144
  When To Use 155
firmware 238
  upgrade 238
  upload 238
  upload error 239
Fragmentation Threshold 331
Fragmentation threshold 331
FTP 136, 137, 202, 205
FTP Restrictions 202
Full Rate 308

G
General Setup 226
General wireless LAN screen 112

H
Half-Open Sessions 174
Hidden node 330
hide SSID 109
Host 227, 228
HTTP 137, 145, 146, 147
HTTP (Hypertext Transfer Protocol) 238

I
IANA 97
IANA (Internet Assigned Number Authority) 165
IBSS 328
ICMP echo 148
IEEE 802.11g 37, 332
IEEE 802.11i 38
IGMP 98
Independent Basic Service Set 328
initialization vector (IV) 337
Install UPnP 216
  Windows Me 216
  Windows XP 218
Integrated Services Digital Network 34
Internal SPTGEN 256
  FTP Upload Example 258
  Points to Remember 257
  Text File 256
Internet Access 35, 39
Internet access 56
Internet Access Setup 247
Internet access wizard setup 56
Internet Assigned Numbers Authority
  See IANA 97
Internet Control Message Protocol (ICMP) 148, 172
IP Address 96, 137, 138, 139
IP Address Assignment 78
  ENET ENCAP 79
  PPPoA or PPPoE 78
  RFC 1483 78
IP alias 37
IP Pool 102
IP Pool Setup 95
IP protocol type 170
IP Spoofing 147, 150
ISDN (Integrated Services Digital Network) 34

K
Key Fields For Configuring Rules 158

L
LAN Setup 76, 94
LAN TCP/IP 96
LAN to WAN Rules 159
LAND 147, 148
local (user) database 110
  and encryption 111
Logs 232

M
MAC address 109
MAC address filter 109
MAC Address Filter Action 125
MAC Address Filtering 124
MAC Filter 124
Management Information Base (MIB) 207
Maximize Bandwidth Usage 188
Maximum Burst Size (MBS) 80, 85, 90
Max-incomplete High 174
Max-incomplete Low 174
Media Bandwidth Management 36
Message Integrity Check (MIC) 337
Metric 79
Multicast 98
Multiplexing 77
multiplexing 77
  LLC-based 77
  VC-based 77
Multiprotocol Encapsulation 77

N
Nailed-Up Connection 79
NAT 96, 137, 138
  Address mapping rule 142
  Application 134
  Definitions 132
  How it works 133
  Mapping Types 134
  What it does 133
  What NAT does 133
NAT (Network Address Translation) 132
NAT mode 136
NAT Traversal 214
navigating the web configurator 44
NetBIOS commands 149
Network Address Translation (NAT) 36
Network Management 137
NNTP 137

O
One-Minute High 174

P
Packet Filtering 154
Packet filtering
  When to use 155
Packet Filtering Firewalls 144
Pairwise Master Key (PMK) 337, 339
Peak Cell Rate (PCR) 80, 85, 90
Ping of Death 147
Point to Point Protocol over ATM Adaptation Layer 5 (AAL5) 77
Point-to-Point 254
Point-to-Point Tunneling Protocol 137
POP3 137, 146, 147
PPPoA 78
PPPoE 76
  Benefits 76
PPPoE (Point-to-Point Protocol over Ethernet) 36
PPTP 137
Preamble Mode 332
Priorities 126, 190
Priority 193
Priority-based Scheduler 187
product registration 7

Q
QoS 111
  benefits 111
Quick Start Guide 32

R
RADIUS 334
  Shared Secret Key 335
RADIUS Message Types 334
RADIUS Messages 334
RADIUS server 110
registration
  product 7
reinitialize the ADSL line 245
Related Documentation 32
Remote Management and NAT 203
Remote Management Limitations 202
Reset button, the 44
Resetting the ZyXEL device 44
Restore 241
RF (Radio Frequency) 37
RFC 1483 77
RFC 1631 132
RFC-1483 78
RFC-2364 78
RFC2516 36
RIP
  See Routing Information Protocol 97
Routing Information Protocol 97
  Direction 97
  Version 97
RTS (Request To Send) 331
RTS Threshold 330, 331
Rules 159
  Checklist 157
  Key Fields 158
  LAN to WAN 159
  Logic 157
  Predefined Services 170

S
Safety Warnings 5
Saving the State 150
Scheduler 187
Security In General 153
Security Parameters 340
Security Ramifications 157
Server 134, 135, 229
Service 158
Service Set 112
Service Set IDentity. See SSID.
Service Type 166, 247
Services 137
SMTP 137
Smurf 148, 149
SNMP 137, 206
  Manager 207
  MIBs 207
Source Address 158
Splitters 308
SSID 108
  hide 109
Stateful Inspection 35, 144, 145, 150
  Process 151
  ZyXEL device 151
Static Route 182
SUA 135
SUA (Single User Account) 135
SUA vs NAT 135
subnet 290
Subnet Mask 96, 164
subnet mask 292
subnetting 292
Supporting Disk 32
Sustain Cell Rate (SCR) 85, 90
Sustained Cell Rate (SCR) 80
SYN Flood 147, 148
SYN-ACK 148
Syntax Conventions 32
Syslog 169
System Name 227
System Parameter Table Generator 256
System Timeout 203

T
TCP Maximum Incomplete 174, 175
TCP Security 152
TCP/IP 146, 147
Teardrop 147
Telnet 204
Temporal Key Integrity Protocol (TKIP) 337
Text File Format 256
TFTP Restrictions 202
Three-Way Handshake 147
Threshold Values 173
TMM QoS. See also QoS.
Traceroute 150
trademarks 2
Traffic Redirect 90, 91
Traffic redirect 90, 92
traffic redirect 36
Traffic shaping 80
Triangle 350
Triangle Route Solutions 351

U
UBR (Unspecified Bit Rate) 85, 89
UDP/ICMP Security 152
Universal Plug and Play 214
  Application 214
  Security issues 215
Universal Plug and Play (UPnP) 36
UPnP 214
  Forum 215
Upper Layer Protocols 152, 153
User Authentication 338
user authentication 110
  local (user) database 110
  RADIUS server 110
  weaknesses 110
User Name 199

V
VBR (Variable Bit Rate) 85, 89
VC-based Multiplexing 78
Virtual Channel Identifier (VCI) 78
virtual circuit (VC) 77
Virtual Path Identifier (VPI) 78
VPI & VCI 78

W
WAN (Wide Area Network) 76
WAN backup 91
WAN to LAN Rules 159
warranty
  note 7
Web 203
Web Configurator 42, 44, 45, 153, 158
web configurator screen summary 45
WEP (Wired Equivalent Privacy) 38
WEP Encryption 116
WEP encryption 114
Wi-Fi Multimedia QoS 126
Wi-Fi Protected Access 337
Wi-Fi Protected Access (WPA) 38
wireless client 108
Wireless Client WPA Supplicants 338
Wireless LAN MAC Address Filtering 38
wireless network 108
  basic guidelines 108
wireless networks
  channel 108
  encryption 110
  MAC address filter 109
  security 109
  SSID 108
Wireless security 333
wireless security 109
WLAN
  Interference 330
  Security parameters 340
WPA 337
WPA compatible 111
WPA2 337
WPA2-Pre-Shared Key 337
WPA2-PSK 337
WPA-PSK 337
WWW 131

Z
Zero Configuration Internet Access 35
Zero configuration Internet access 81
ZyXEL’s Firewall
  Introduction 145
