Mode request from The router received an IKE negotiation request from the peer address specified. Send

Mode request to The router started negotiation with the peer. Invalid IP / The peer’s “Local IP Address” is invalid. Remote IP / conflicts The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”. This information conflicted with static rule #d; thus the connection is not allowed. Phase 1 ID type mismatch This router’s "Peer ID Type" is different from the peer IPSec router's "Local ID Type". Phase 1 ID content mismatch This router’s "Peer ID Content" is different from the peer IPSec router's "Local ID Content". No known phase 1 ID type found The router could not find a known phase 1 ID in the connection attempt. ID type mismatch. Local / Peer: The phase 1 ID types do not match. ID content mismatch The phase 1 ID contents do not match. Configured Peer ID Content: The phase 1 ID contents do not match and the configured "Peer ID Content" is displayed. Incoming ID Content: The phase 1 ID contents do not match and the incoming packet's ID content is displayed. Unsupported local ID Type: <%d> The phase 1 ID type is not supported by the router. Build Phase 1 ID The router has started to build the phase 1 ID. Adjust TCP MSS to%d The router automatically changed the TCP Maximum Segment Size value after establishing a tunnel. Rule <%d> input idle time out, disconnect The tunnel for the listed rule was dropped because there was no inbound traffic within the idle timeout period. XAUTH succeed! Username: The router used extended authentication to authenticate the listed username. XAUTH fail! Username: The router was not able to use extended authentication to authenticate the listed username. Rule[%d] Phase 1 negotiation mode mismatch The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer. Rule [%d] Phase 1 encryption algorithm mismatch The listed rule’s IKE phase 1 encryption algorithm did not match between the router and the peer. Rule [%d] Phase 1 authentication algorithm mismatch The listed rule’s IKE phase 1 authentication algorithm did not match between the router and the peer. P-660HW-Dx v2 User’s Guide Chapter 18 Logs Table 106 IKE Logs (continued) LOG MESSAGE DESCRIPTION Rule [%d] Phase 1 authentication method mismatch The listed rule’s IKE phase 1 authentication method did not match between the router and the peer. Rule [%d] Phase 1 key group mismatch The listed rule’s IKE phase 1 key group did not match between the router and the peer. Rule [%d] Phase 2 protocol mismatch The listed rule’s IKE phase 2 protocol did not match between the router and the peer. Rule [%d] Phase 2 encryption algorithm mismatch The listed rule’s IKE phase 2 encryption algorithm did not match between the router and the peer. Rule [%d] Phase 2 authentication algorithm mismatch The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer. Rule [%d] Phase 2 encapsulation mismatch The listed rule’s IKE phase 2 encapsulation did not match between the router and the peer. Rule [%d]> Phase 2 pfs mismatch The listed rule’s IKE phase 2 perfect forward secret (pfs) setting did not match between the router and the peer. Rule [%d] Phase 1 ID mismatch The listed rule’s IKE phase 1 ID did not match between the router and the peer. Rule [%d] Phase 1 hash mismatch The listed rule’s IKE phase 1 hash did not match between the router and the peer. Rule [%d] Phase 1 preshared key mismatch The listed rule’s IKE phase 1 pre-shared key did not match between the router and the peer. Rule [%d] Tunnel built successfully The listed rule’s IPSec tunnel has been built successfully. Rule [%d] Peer's public key not found The listed rule’s IKE phase 1 peer’s public key was not found. Rule [%d] Verify peer's signature failed The listed rule’s IKE phase 1verification of the peer’s signature failed. Rule [%d] Sending IKE request IKE sent an IKE request for the listed rule. Rule [%d] Receiving IKE request IKE received an IKE request for the listed rule. Swap rule to rule [%d] The router changed to using the listed rule. Rule [%d] Phase 1 key length mismatch The listed rule’s IKE phase 1 key length (with the AES encryption algorithm) did not match between the router and the peer. Rule [%d] phase 1 mismatch The listed rule’s IKE phase 1 did not match between the router and the peer. Rule [%d] phase 2 mismatch The listed rule’s IKE phase 2 did not match between the router and the peer. Rule [%d] Phase 2 key length mismatch The listed rule’s IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer. P-660HW-Dx v2 User’s Guide 245 Chapter 18 Logs Table 107 PKI Logs 246 LOG MESSAGE DESCRIPTION Enrollment successful The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port. Enrollment failed The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port. Failed to resolve The SCEP online certificate enrollment failed because the certification authority server’s address cannot be resolved. Enrollment successful The CMP online certificate enrollment was successful. The Destination field records the certification authority server’s IP address and port. Enrollment failed The CMP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port. Failed to resolve The CMP online certificate enrollment failed because the certification authority server’s IP address cannot be resolved. Rcvd ca cert: The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd user cert: The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd CRL : The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field. Rcvd ARL : The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received ca cert The router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received user cert The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received CRL The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received ARL The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field. Rcvd data too large! Max size allowed: The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded. Cert trusted: The router has verified the path of the certificate with the listed subject name. Due to , cert not trusted: Due to the reasons listed, the certificate with the listed subject name has not passed the path verification. The recorded reason codes are only approximate reasons for not trusting the certificate. Please see Table 108 on page 247 for the corresponding descriptions of the codes. P-660HW-Dx v2 User’s Guide Chapter 18 Logs Table 108 Certificate Path Verification Failure Reason Codes CODE DESCRIPTION Algorithm mismatch between the certificate and the search constraints. Key usage mismatch between the certificate and the search constraints. Certificate was not valid in the time interval. (Not used) Certificate is not valid. Certificate signature was not verified correctly. Certificate was revoked by a CRL. Certificate was not added to the cache. Certificate decoding failed. 10 Certificate was not found (anywhere). 11 Certificate chain looped (did not find trusted root). 12 Certificate contains critical extension that was not handled. 13 Certificate issuer was not valid (CA specific information missing). 14 (Not used) 15 CRL is too old. 16 CRL is not valid. 17 CRL signature was not verified correctly. 18 CRL was not found (anywhere). 19 CRL was not added to the cache. 20 CRL decoding failed. 21 CRL is not currently valid, but in the future. 22 CRL contains duplicate serial numbers. 23 Time interval is not continuous. 24 Time information not available. 25 Database method failed due to timeout. 26 Database method failed. 27 Path was not verified. 28 Maximum path length reached. Table 109 ACL Setting Notes PACKET DIRECTION DIRECTION DESCRIPTION (L to W) LAN to WAN ACL set for packets traveling from the LAN to the WAN. (W to L) WAN to LAN ACL set for packets traveling from the WAN to the LAN. (L to L) LAN to LAN/ ZyXEL Device ACL set for packets traveling from the LAN to the LAN or the ZyXEL Device. (W to W) WAN to WAN/ ZyXEL Device ACL set for packets traveling from the WAN to the WAN or the ZyXEL Device. P-660HW-Dx v2 User’s Guide 247 Chapter 18 Logs Table 110 ICMP Notes TYPE CODE Echo Reply Echo reply message Destination Unreachable Net unreachable Host unreachable Protocol unreachable Port unreachable A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF) Source route failed Source Quench A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network. Redirect Redirect datagrams for the Network Redirect datagrams for the Host Redirect datagrams for the Type of Service and Network Redirect datagrams for the Type of Service and Host Echo Echo message Time Exceeded 11 Time to live exceeded in transit Fragment reassembly time exceeded Parameter Problem 12 Pointer indicates the error Timestamp 13 Timestamp request message Timestamp Reply 14 Timestamp reply message Information Request 15 Information request message Information Reply 16 248 DESCRIPTION Information reply message P-660HW-Dx v2 User’s Guide Chapter 18 Logs Table 111 Syslog Logs LOG MESSAGE DESCRIPTION Mon dd hr:mm:ss hostname src="" dst="" msg="" note="" devID="" cat=" "This message is sent by the system ("RAS" displays as the system name if you haven’t configured one) when the router generates a syslog. The facility is defined in the web MAIN MENU->LOGS->Log Settings page. The severity is the log’s syslog class. The definition of messages and notes are defined in the various log charts throughout this appendix. The “devID” is the last three characters of the MAC address of the router’s LAN port. The “cat” is the same as the category in the router’s logs. The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type. Table 112 RFC-2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE SA Security Association PROP Proposal TRANS Transform KE Key Exchange ID Identification CER Certificate CER_REQ Certificate Request HASH Hash SIG Signature NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID P-660HW-Dx v2 User’s Guide 249 Chapter 18 Logs 250 P-660HW-Dx v2 User’s Guide CHAPTER 19 Tools This chapter describes how to upload new firmware, manage configuration and restart your ZyXEL Device. 19.1 Firmware Upgrade Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. Only use firmware for your device’s specific model. Refer to the label on the bottom of your device. Click Maintenance > Tools to open the Firmware screen. Follow the instructions in this screen to upload firmware to your ZyXEL Device. Figure 143 Firmware P-660HW-Dx v2 User’s Guide 251 Chapter 19 Tools The following table describes the labels in this screen. Table 113 Firmware Upgrade LABEL DESCRIPTION Current Firmware Version This is the present Firmware version and the date created. File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes. Do NOT turn off the ZyXEL Device while firmware upload is in progress! After you see the Firmware Upload in Progress screen, wait two minutes before logging into the ZyXEL Device again. Figure 144 Firmware Upload In Progress The ZyXEL Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 145 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the Firmware screen. 252 P-660HW-Dx v2 User’s Guide Chapter 19 Tools Figure 146 Error Message 19.2 Configuration Screen Click Maintenance > Tools > Configuration. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next. Figure 147 Configuration 19.2.1 Backup Configuration Backup configuration allows you to back up (save) the ZyXEL Device’s current configuration to a file on your computer. Once your ZyXEL Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the ZyXEL Device’s current configuration to your computer P-660HW-Dx v2 User’s Guide 253 Chapter 19 Tools 19.2.2 Restore Configuration Restore configuration allows you to upload a new or previously saved configuration file from your computer to your ZyXEL Device. Table 114 Maintenance Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse... to find it. Browse... Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them. Upload Click Upload to begin the upload process. Do not turn off the ZyXEL Device while configuration file upload is in progress After you see a “Restore Configuration successful” screen, you must then wait one minute before logging into the ZyXEL Device again. Figure 148 Configuration Restore Successful The ZyXEL Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 149 Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL Device IP address (192.168.1.1). See the appendix for details on how to set up your computer’s IP address. If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. 254 P-660HW-Dx v2 User’s Guide Chapter 19 Tools Figure 150 Configuration Restore Error 19.2.3 Back to Factory Defaults Pressing the RESET button in this section clears all user-entered configuration information and returns the ZyXEL Device to its factory defaults. You can also press the RESET button on the rear panel to reset the factory defaults of your ZyXEL Device. Refer to the chapter about introducing the web configurator for more information on the RESET button. 19.3 Restart System restart allows you to reboot the ZyXEL Device without turning the power off. Click Maintenance > Tools > Restart. Click Restart to have the ZyXEL Device reboot. This does not affect the ZyXEL Device's configuration. Figure 151 Restart Screen P-660HW-Dx v2 User’s Guide 255 Chapter 19 Tools 256 P-660HW-Dx v2 User’s Guide CHAPTER 20 Diagnostic These read-only screens display information to help you identify problems with the ZyXEL Device. 20.1 General Diagnostic Click Maintenance > Diagnostic to open the screen shown next. Figure 152 Diagnostic: General The following table describes the fields in this screen. Table 115 Diagnostic: General LABEL DESCRIPTION TCP/IP Address Type the IP address of a computer that you want to ping in order to test a connection. Ping Click this button to ping the IP address that you entered. 20.2 DSL Line Diagnostic Click Maintenance > Diagnostic > DSL Line to open the screen shown next. P-660HW-Dx v2 User’s Guide 257 Chapter 20 Diagnostic Figure 153 Diagnostic: DSL Line The following table describes the fields in this screen. Table 116 Diagnostic: DSL Line LABEL DESCRIPTION ATM Status Click this button to view ATM status. ATM Loopback Test Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before you begin this test. The ZyXEL Device sends an OAM F5 packet to the DSLAM/ATM switch and then returns it (loops it back) to the ZyXEL Device. The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network. DSL Line Status Click this button to view the DSL port’s line operating values and line bit allocation. Reset ADSL Line Click this button to reinitialize the ADSL line. The large text box above then displays the progress and results of this operation, for example: "Start to reset ADSL Loading ADSL modem F/W... Reset ADSL Line Successfully!" Capture All Logs Click this button to display all logs generated with the DSL line. 258 P-660HW-Dx v2 User’s Guide CHAPTER 21 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyXEL Device Access and Login • Internet Access 21.1 Power, Hardware Connections, and LEDs The ZyXEL Device does not turn on. None of the LEDs turn on. 1 Make sure the ZyXEL Device is turned on. 2 Make sure you are using the power adaptor or cord included with the ZyXEL Device. 3 Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure the power source is turned on. 4 Turn the ZyXEL Device off and on. 5 If the problem continues, contact the vendor. One of the LEDs does not behave as expected. Make sure you understand the normal behavior of the LED. See Section 1.4 on page 35. Check the hardware connections. See the Quick Start Guide. Inspect your cables for damage. Contact the vendor to replace any damaged cables. Turn the ZyXEL Device off and on. If the problem continues, contact the vendor. P-660HW-Dx v2 User’s Guide 259 Chapter 21 Troubleshooting 21.2 ZyXEL Device Access and Login I forgot the IP address for the ZyXEL Device. • The default IP address is 192.168.1.1. 6 If you changed the IP address and have forgotten it, you might get the IP address of the ZyXEL Device by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the ZyXEL Device (it depends on the network), so enter this IP address in your Internet browser. 7 If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 42. I forgot the password. 1 The default password is 1234. 2 If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 42. I cannot see or access the Login screen in the web configurator. 1 Make sure you are using the correct IP address. • The default IP address is 192.168.1.1. • If you changed the IP address (Section 6.2.1 on page 95), use the new IP address. • If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the ZyXEL Device. 2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide. 3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled. See Appendix G on page 333. 4 If you disabled Any IP (Section 6.2.4 on page 97), make sure your computer is in the same subnet as the ZyXEL Device. (If you know that there are routers between your computer and the ZyXEL Device, skip this step.) • If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Section 6.2.1 on page 95. Your ZyXEL Device is a DHCP server by default. • If there is no DHCP server on your network, make sure your computer’s IP address is in the same subnet as the ZyXEL Device. See Section 6.2.1 on page 95. 260 P-660HW-Dx v2 User’s Guide Chapter 21 Troubleshooting 5 Reset the device to its factory defaults, and try to access the ZyXEL Device with the default IP address. See Section 2.3 on page 42. 6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions • Try to access the ZyXEL Device using another service, such as Telnet. If you can access the ZyXEL Device, check the remote management settings and firewall rules to find out why the ZyXEL Device does not respond to HTTP. • If your computer is connected to the WAN port or is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port. I can see the Login screen, but I cannot log in to the ZyXEL Device. 1 Make sure you have entered the user name and password correctly. The default password is 1234. This field is case-sensitive, so make sure [Caps Lock] is not on. 2 You cannot log in to the web configurator while someone is using Telnet to access the ZyXEL Device. Log out of the ZyXEL Device in the other session, or ask the person who is logged in to log out. 3 Turn the ZyXEL Device off and on. 4 If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 42. I cannot Telnet to the ZyXEL Device. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. 21.3 Internet Access I cannot access the Internet. P-660HW-Dx v2 User’s Guide 261 Chapter 21 Troubleshooting 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.4 on page 35. 2 If your ISP gave you Internet connection information, make sure you entered it correctly in the Network > WAN > Internet Connection screen. These fields are case-sensitive, so make sure [Caps Lock] is not on. 3 If you are trying to access the Internet wirelessly, make sure the wireless settings in the wireless client are the same as the settings in the AP. 4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. 5 If the problem continues, contact your ISP. I cannot access the Internet anymore. I had access to the Internet (with the ZyXEL Device), but my Internet connection is not available anymore. 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.4 on page 35. 2 Reboot the ZyXEL Device. 3 Turn the ZyXEL Device off and on. 4 If the problem continues, contact your ISP. The Internet connection is slow or intermittent. 1 There might be a lot of traffic on the network. Try closing some programs that use the Internet, especially peer-to-peer applications. 2 Check the signal strength. If the signal strength is low, look around to see if there are any devices that might be interfering with the wireless network (for example, microwaves, other wireless networks, and so on).Reboot the ZyXEL Device. 3 Turn the ZyXEL Device off and on. 4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions • Check the settings for bandwidth management. If it is disabled, you might consider activating it. If it is enabled, you might consider changing the allocations. • Check the settings for QoS. If it is disabled, you might consider activating it. If it is enabled, you might consider raising or lowering the priority for some applications 262 P-660HW-Dx v2 User’s Guide P ART VII Appendices and Index Product Specifications and Wall Mounting (265) Wireless LANs (271) Setting up Your Computer’s IP Address (285) IP Addresses and Subnetting (301) Firewall Commands (311) Internal SPTGEN (317) Command Interpreter (331) Pop-up Windows, JavaScripts and Java Permissions (333) NetBIOS Filter Commands (339) Splitters and Microfilters (341) Triangle Route (341) Legal Information (343) Customer Support (347) Index (351) 263 264 APPENDIX Product Specifications and Wall Mounting Product Specifications The following tables summarize the ZyXEL Device’s hardware and firmware features.M4 Table 117 Hardware Specifications Dimensions (W x D x H) 180 x 128 x 36 mm Power Specification 12V AC 1A Built-in Switch Four auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports Operation Temperature 0º C ~ 40º C Storage Temperature -20º ~ 60º C Operation Humidity 20% ~ 85% RH (non-condensing) Storage Humidity 20% ~ 90% RH (non-condensing) Distance between the centers of the holes (for wall mounting) on the device’s back. 108 mm Screw size for wallmounting M4 Tap Screw Antenna The ZyXEL Device is equipped with one 3dBi fixed antenna. Table 118 Firmware Specifications FEATURE DESCRIPTION Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default Admin Password 1234 Default User Password user DHCP Pool 192.168.1.33 to 192.168.1.64 Device Management Use the web configurator to easily configure the rich range of features on the ZyXEL Device. Firmware Upgrade Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyXEL Device. Note: Only upload firmware for your specific model! P-660HW-Dx v2 User’s Guide 265 Appendix A Product Specifications and Wall Mounting Table 118 Firmware Specifications 266 FEATURE DESCRIPTION Configuration Backup & Restoration Make a copy of the ZyXEL Device’s configuration. You can put it back on the ZyXEL Device later if you decide to revert back to an earlier configuration. Network Address Translation (NAT) Each computer on your network must have its own unique IP address. Use NAT to convert your public IP address(es) to multiple private IP addresses for the computers on your network. Port Forwarding If you have a server (mail or web server for example) on your network, you can use this feature to let people access it from the Internet. DHCP (Dynamic Host Configuration Protocol) Use this feature to have the ZyXEL Device assign IP addresses, an IP default gateway and DNS servers to computers on your network. Dynamic DNS Support With Dynamic DNS (Domain Name System) support, you can use a fixed URL, www.zyxel.com for example, with a dynamic IP address. You must register for this service with a Dynamic DNS service provider. IP Multicast IP multicast is used to send traffic to a specific group of computers. The ZyXEL Device supports versions 1 and 2 of IGMP (Internet Group Management Protocol) used to join multicast groups (see RFC 2236). IP Alias IP alias allows you to subdivide a physical network into logical networks over the same Ethernet interface with the ZyXEL Device itself as the gateway for each subnet. Time and Date Get the current time and date from an external server when you turn on your ZyXEL Device. You can also set the time manually. These dates and times are then used in logs. Logging and Tracing Use packet tracing and logs for troubleshooting. You can send logs from the ZyXEL Device to an external syslog server. PPPoE PPPoE mimics a dial-up Internet access connection. PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) enables secure transfer of data through a Virtual Private Network (VPN). The ZyXEL Device supports one PPTP connection at a time. Universal Plug and Play (UPnP) A UPnP-enabled device can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network. Firewall You can configure firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files for example. Content Filter The ZyXEL Device blocks or allows access to web sites that you specify and blocks access to web sites with URLs that contain keywords that you specify. You can define time periods and days during which content filtering is enabled. You can also include or exclude particular computers on your network from content filtering. You can also subscribe to category-based content filtering that allows your ZyXEL Device to check web sites against an external database. Bandwidth Management You can efficiently manage traffic on your network by reserving bandwidth and giving priority to certain types of traffic and/or to particular computers. Remote Management This allows you to decide whether a service (HTTP or FTP traffic for example) from a computer on a network (LAN or WAN for example) can access the ZyXEL Device. P-660HW-Dx v2 User’s Guide Appendix A Product Specifications and Wall Mounting Table 118 Firmware Specifications FEATURE DESCRIPTION Any IP The Any IP feature allows one computer to connect to the ZyXEL Device (and then to other computers) when their IP addresses are in different subnets. This is done without changing the network settings (such as IP address and subnet mask) of the computer. Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet, thus acting as an auxiliary if your regular WAN connection fails. Triple Play The ZyXEL Device is capable of simultaneously transferring data, voice and video over the Internet. IP Policy Routing (IPPR) Traditionally, routing is based on the destination address only and the router takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Table 119 Wireless Firmware Specifications FEATURE DESCRIPTION Wireless LAN The ZyXEL Device is fully compatible with both IEEE 802.11b and IEEE 802.11g standards and can support both kinds of clients on the same network. WEP Encryption WEP (Wired Equivalent Privacy) allows the encryption of data before its transmission over networks. Wi-Fi Protected Access (WPA) WPA is part of the IEEE 802.11i security specifications standard and offers user authentication and data encryption. WPA2 WPA2 is an improvement on WPA with enhanced data encryption, user authentication and key management. WPA2-PSK WPA(2)-PSK: WPA-PSK and WPA2-PSK allow you to implement the superior WPA and WPA2 encryption standards without using a RADIUS server. Instead, WPA(2)-PSK uses pre-shared keys (PSKs) to authenticate devices on the wireless network. Output Power Management This allows you to alter the level of power used by the ZyXEL Device. For example, when access points are placed closely together power output levels may be reduced. Wireless LAN MAC Address Filtering This service checks the MAC address of a connection with a list of allowed or denied MAC addresses, ensuring only wanted connections are allowed. The following list, which is not exhaustive, illustrates the standards supported in the ZyXEL Device. Table 120 Standards Supported STANDARD DESCRIPTION RFC 867 Daytime Protocol RFC 868 Time Protocol. RFC 1058 RIP-1 (Routing Information Protocol) RFC 1112 IGMP v1 RFC 1157 SNMPv1: Simple Network Management Protocol version 1 P-660HW-Dx v2 User’s Guide 267 Appendix A Product Specifications and Wall Mounting Table 120 Standards Supported (continued) 268 STANDARD DESCRIPTION RFC 1305 Network Time Protocol (NTP version 3) RFC 1441 SNMPv2 Simple Network Management Protocol version 2 RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5 RFC 1631 IP Network Address Translator (NAT) RFC 1661 The Point-to-Point Protocol (PPP) RFC 1723 RIP-2 (Routing Information Protocol) RFC 1901 SNMPv2c Simple Network Management Protocol version 2c RFC 2236 Internet Group Management Protocol, Version 2. RFC 2364 PPP over AAL5 (PPP over ATM over ADSL) RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP) RFC 2516 A Method for Transmitting PPP Over Ethernet (PPPoE) RFC 2684 Multiprotocol Encapsulation over ATM Adaptation Layer 5. RFC 2766 Network Address Translation - Protocol IEEE 802.11 Also known by the brand Wi-Fi, denotes a set of Wireless LAN/WLAN standards developed by working group 11 of the IEEE LAN/MAN Standards Committee (IEEE 802). IEEE 802.11b Uses the 2.4 gigahertz (GHz) band IEEE 802.11g Uses the 2.4 gigahertz (GHz) band IEEE 802.11g+ Turbo and Super G modes IEEE 802.11d Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Bridges IEEE 802.11x Port Based Network Access Control. IEEE 802.11e QoS IEEE 802.11 e Wireless LAN for Quality of Service ANSI T1.413, Issue 2 Asymmetric Digital Subscriber Line (ADSL) standard. G dmt(G.992.1) G.992.1 Asymmetrical Digital Subscriber Line (ADSL) Transceivers ITU G.992.1 (G.DMT) ITU standard for ADSL using discrete multitone modulation. ITU G.992.2 (G. Lite) ITU standard for ADSL using discrete multitone modulation. ITU G.992.3 (G.dmt.bis) ITU standard (also referred to as ADSL2) that extends the capability of basic ADSL in data rates. ITU G.992.3 (G.lite.bis) ITU standard (also referred to as ADSL2) that extends the capability of basic ADSL in data rates. ITU G.992.5 (ADSL2+) ITU standard (also referred to as ADSL2+) that extends the capability of basic ADSL by doubling the number of downstream bits. Microsoft PPTP MS PPTP (Microsoft's implementation of Point to Point Tunneling Protocol) MBM v2 Media Bandwidth Management v2 RFC 2383 ST2+ over ATM Protocol Specification - UNI 3.1 Version TR-069 TR-069 DSL Forum Standard for CPE Wan Management. 1.363.5 Compliant AAL5 SAR (Segmentation And Re-assembly) P-660HW-Dx v2 User’s Guide Appendix A Product Specifications and Wall Mounting Wall-mounting Instructions Complete the following steps to hang your ZyXEL Device on a wall. See the Hardware Specifications table for the size of screws to use and how far apart to place them. 1 Select a high position on a sturdy wall that is free of obstructions. 2 Drill two holes for the screws. 3 Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws. 4 Do not insert the screws all the way into the wall. Leave a small gap of about 0.5 cm between the heads of the screws and the wall. 5 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the ZyXEL Device with the connection cables. 6 Align the holes on the back of the ZyXEL Device with the screws on the wall. Hang the ZyXEL Device on the screws. Figure 154 Wall-mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm). P-660HW-Dx v2 User’s Guide 269 Appendix A Product Specifications and Wall Mounting Figure 155 Masonry Plug and M4 Tap Screw 270 P-660HW-Dx v2 User’s Guide APPENDIX Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN. Figure 156 Peer-to-Peer Communication in an Ad-hoc Network BSS A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. P-660HW-Dx v2 User’s Guide 271 Appendix B Wireless LANs Figure 157 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. 272 P-660HW-Dx v2 User’s Guide Appendix B Wireless LANs Figure 158 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance. Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11. RTS/CTS A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. P-660HW-Dx v2 User’s Guide 273 Appendix B Wireless LANs Figure 159 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked. When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission. Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake. If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. 274 P-660HW-Dx v2 User’s Guide Appendix B Wireless LANs If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet. Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble. Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks. Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications. Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the ZyXEL Device uses long preamble. The wireless devices MUST use the same preamble mode in order to communicate. IEEE 802.11g Wireless LAN IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows: Table 121 IEEE 802.11g DATA RATE (MBPS) MODULATION DBPSK (Differential Binary Phase Shift Keyed) DQPSK (Differential Quadrature Phase Shift Keying) 5.5 / 11 CCK (Complementary Code Keying) 6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. P-660HW-Dx v2 User’s Guide 275 Appendix B Wireless LANs Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device. Table 122 Wireless Security Levels SECURITY LEVEL SECURITY TYPE Least Secure Unique SSID (Default) Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption IEEE802.1x EAP with RADIUS Server Authentication Wi-Fi Protected Access (WPA) Most Secure WPA2 You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want to associate with it. IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are: • User based identification that allows for roaming. • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients. RADIUS RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks: • Authentication Determines the identity of the users. • Authorization 276 P-660HW-Dx v2 User’s Guide Appendix B Wireless LANs Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication: • Access-Request Sent by an access point requesting authentication. • Access-Reject Sent by a RADIUS server rejecting access. • Access-Accept Sent by a RADIUS server allowing access. • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: • Accounting-Request Sent by the access point requesting accounting. • Accounting-Response Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access. Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. . P-660HW-Dx v2 User’s Guide 277 Appendix B Wireless LANs For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner. EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client ‘proves’ that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. 278 P-660HW-Dx v2 User’s Guide Appendix B Wireless LANs Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled. EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types. Table 123 Comparison of EAP Authentication Types EAP-MD5 EAP-TLS EAP-TTLS PEAP LEAP Mutual Authentication No Yes Yes Yes Yes Certificate – Client No Yes Optional Optional No Certificate – Server No Yes Yes Yes No Dynamic Key Exchange No Yes Yes Yes Yes Credential Integrity None Strong Strong Strong Moderate Deployment Difficulty Easy Hard Moderate Moderate Moderate Client Identity Protection No No Yes Yes No WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. P-660HW-Dx v2 User’s Guide 279 Appendix B Wireless LANs Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of WEP) User Authentication WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices. Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it. 280 P-660HW-Dx v2 User’s Guide Appendix B Wireless LANs Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's builtin "Zero Configuration" wireless client. However, you must run Windows XP to use it. WPA(2) with RADIUS Application Example To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system. 1 The AP passes the wireless client's authentication request to the RADIUS server. 2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. 3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client. 4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. Figure 160 WPA(2) with RADIUS Application Example WPA(2)-PSK Application Example A WPA(2)-PSK application looks as follows. 1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols). 2 The AP checks each wireless client's password and allows it to join the network only if the password matches. P-660HW-Dx v2 User’s Guide 281 Appendix B Wireless LANs 3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them. Figure 161 WPA(2)-PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features. Table 124 Wireless Security Relational Matrix AUTHENTICATION ENCRYPTIO METHOD/ KEY MANAGEMENT PROTOCOL N METHOD ENTER MANUAL KEY IEEE 802.1X Open No Disable None Enable without Dynamic WEP Key Open Shared 282 WEP WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable WPA TKIP/AES No Enable WPA-PSK TKIP/AES Yes Disable WPA2 TKIP/AES No Enable WPA2-PSK TKIP/AES Yes Disable P-660HW-Dx v2 User’s Guide Appendix B Wireless LANs Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN. Antenna Characteristics Frequency An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN Radiation Pattern A radiation pattern is a diagram that allows you to visualize the shape of the antenna’s coverage area. Antenna Gain Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides. Types of Antennas for WLAN There are two types of antennas used for wireless LAN applications. • Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points. • Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications. P-660HW-Dx v2 User’s Guide 283 Appendix B Wireless LANs Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to–point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. 284 P-660HW-Dx v2 User’s Guide APPENDIX Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/ IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package. TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems. After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device’s LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window. P-660HW-Dx v2 User’s Guide 285 Appendix C Setting up Your Computer’s IP Address Figure 162 WIndows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add. 2 Select Adapter and then click Add. 3 Select the manufacturer and model of your network adapter and then click OK. If you need TCP/IP: In the Network window, click Add. Select Protocol and then click Add. Select Microsoft from the list of manufacturers. Select TCP/IP from the list of network protocols and then click OK. If you need Client for Microsoft Networks: Click Add. Select Client and then click Add. Select Microsoft from the list of manufacturers. Select Client for Microsoft Networks from the list of network clients and then click OK. 5 Restart your computer so the changes you made take effect. 286 P-660HW-Dx v2 User’s Guide Appendix C Setting up Your Computer’s IP Address Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab. • If your IP address is dynamic, select Obtain an IP address automatically. • If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Figure 163 Windows 95/98/Me: TCP/IP Properties: IP Address 3 Click the DNS Configuration tab. • If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in). P-660HW-Dx v2 User’s Guide 287 Appendix C Setting up Your Computer’s IP Address Figure 164 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add. 5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your ZyXEL Device and restart your computer when prompted. Verifying Settings 1 Click Start and then Run. 2 In the Run window, type "winipcfg" and then click OK to open the IP Configuration window. 3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway. Windows 2000/NT/XP The following example figures use the default Windows XP GUI theme. 1 Click start (Start in Windows 2000/NT), Settings, Control Panel. 288 P-660HW-Dx v2 User’s Guide Appendix C Setting up Your Computer’s IP Address Figure 165 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 166 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. P-660HW-Dx v2 User’s Guide 289 Appendix C Setting up Your Computer’s IP Address Figure 167 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 168 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). • If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. 290 P-660HW-Dx v2 User’s Guide Appendix C Setting up Your Computer’s IP Address Figure 169 Windows XP: Internet Protocol (TCP/IP) Properties If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: • In the IP Settings tab, in IP addresses, click Add. • In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add. • Repeat the above two steps for each IP address you want to add. • Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways. • In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. • Click OK when finished. P-660HW-Dx v2 User’s Guide 291 Appendix C Setting up Your Computer’s IP Address Figure 170 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. 292 P-660HW-Dx v2 User’s Guide Appendix C Setting up Your Computer’s IP Address Figure 171 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT). 11 Turn on your ZyXEL Device and restart your computer (if prompted). Verifying Settings 1 Click Start, All Programs, Accessories and then Command Prompt. 2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Macintosh OS 8/9 1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. P-660HW-Dx v2 User’s Guide 293 Appendix C Setting up Your Computer’s IP Address Figure 172 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 173 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: • From the Configure box, select Manually. 294 P-660HW-Dx v2 User’s Guide Appendix C Setting up Your Computer’s IP Address • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuration. 7 Turn on your ZyXEL Device and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the TCP/IP Control Panel window. Macintosh OS X 1 Click the Apple menu, and click System Preferences to open the System Preferences window. Figure 174 Macintosh OS X: Apple Menu 2 Click Network in the icon bar. • Select Automatic from the Location list. • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list. P-660HW-Dx v2 User’s Guide 295 Appendix C Setting up Your Computer’s IP Address Figure 175 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Click Apply Now and close the window. 6 Turn on your ZyXEL Device and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the Network window. Linux This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version. 296 P-660HW-Dx v2 User’s Guide Appendix C Setting up Your Computer’s IP Address Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network. Figure 176 Red Hat 9.0: KDE: Network Configuration: Devices 2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown. Figure 177 Red Hat 9.0: KDE: Ethernet Device: General P-660HW-Dx v2 User’s Guide 297 Appendix C Setting up Your Computer’s IP Address • If you have a dynamic IP address click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields. 3 Click OK to save the changes and close the Ethernet Device General screen. 4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided. Figure 178 Red Hat 9.0: KDE: Network Configuration: DNS 5 Click the Devices tab. 6 Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens. Figure 179 Red Hat 9.0: KDE: Network Configuration: Activate 7 After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen. Using Configuration Files Follow the steps below to edit the network configuration files and set your computer IP address. 1 Assuming that you have only one network card on the computer, locate the ifconfigeth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor. • If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example. 298 P-660HW-Dx v2 User’s Guide Appendix C Setting up Your Computer’s IP Address Figure 180 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp USERCTL=no PEERDNS=yes TYPE=Ethernet • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following example shows an example where the static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0. Figure 181 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=static IPADDR=192.168.1.10 NETMASK=255.255.255.0 USERCTL=no PEERDNS=yes TYPE=Ethernet 2 If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified. Figure 182 Red Hat 9.0: DNS Settings in resolv.conf nameserver 172.23.5.1 nameserver 172.23.5.2 3 After you edit and save the configuration files, you must restart the network card. Enter ./network restart in the /etc/rc.d/init.d directory. The following figure shows an example. Figure 183 Red Hat 9.0: Restart Ethernet Card [root@localhost init.d]# network restart Shutting down interface eth0: Shutting down loopback interface: Setting network parameters: Bringing up loopback interface: Bringing up interface eth0: P-660HW-Dx v2 User’s Guide [OK] [OK] [OK] [OK] [OK] 299 Appendix C Setting up Your Computer’s IP Address Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 184 Red Hat 9.0: Checking TCP/IP Properties [root@localhost]# ifconfig eth0 Link encap:Ethernet HWaddr 00:50:BA:72:5B:44 inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:717 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb) Interrupt:10 Base address:0x1000 [root@localhost]# 300 P-660HW-Dx v2 User’s Guide