The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a
retrieval system, translated into any language, or transmitted in any form or by any means, electronic,
mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written
permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software
described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
ZyXEL further reserves the right to make changes in any products described herein without notice.
This publication is subject to change without notice.
Trademarks
Trademarks mentioned in this publication are used for identification purposes only and may be properties of
their respective owners.
ZyWALL 10~100 Series Internet Security Gateway
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause undesired
operations.
This equipment has been tested and found to comply with the limits for a CLASS B digital device pursuant to
Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency
energy, and if not installed and used in accordance with the instructions, may cause harmful interference to
radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by
turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of
the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and the receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance could void the
user's authority to operate the equipment.
Certifications
Refer to the product page at www.zyxel.com.
Information for Canadian Users
The Industry Canada label identifies certified equipment. This certification means that the equipment meets
certain telecommunications network protective, operation, and safety requirements. Industry Canada
does not guarantee that the equipment will operate to a user's satisfaction.
Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of
the local telecommunications company. The equipment must also be installed using an acceptable method of
connection. In some cases, the company's inside wiring associated with a single line individual service may
be extended by means of a certified connector assembly. The customer should be aware that the compliance
with the above conditions may not prevent degradation of service in some situations.
Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by
the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, may
give the telecommunications company cause to request the user to disconnect the equipment.
For their own protection, users should ensure that the electrical ground connections of the power utility,
telephone lines, and internal metallic water pipe system, if present, are connected together. This precaution
may be particularly important in rural areas.
Caution
Users should not attempt to make such connections themselves, but should contact the appropriate electrical
inspection authority, or electrician, as appropriate.
Note
This digital apparatus does not exceed the class A limits for radio noise emissions from digital apparatus set
out in the radio interference regulations of Industry Canada.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or
workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon
proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials,
ZyXEL will, at its discretion, repair or replace the defective products or components without charge for
either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to
proper operating condition. Any replacement will consist of a new or re-manufactured functionally
equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not
apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to
abnormal working conditions.
NOTE
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This
warranty is in lieu of all other warranties, express or implied, including any implied warranty of
merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect
or consequential damages of any kind of character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material
Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be
insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty
will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor.
All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage
Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country
to country.
Online Registration
Register online at www.zyxel.com for free future product updates and information.
Customer Support
When you contact your customer support representative please have the following information ready:
• Product model and serial number.
• Information in Menu 24.2.1 – System Information.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
LOCATION        METHOD
WORLDWIDE       support@zyxel.com.tw
                sales@zyxel.com.tw
NORTH AMERICA   support@zyxel.com
                +1-800-255-4101
                www.us.zyxel.com
Table of Contents
Customer Support ......................................................................................................................................vi
List of Figures ........................................................................................................................................ xviii
List of Tables ............................................................................................................................................xxv
Getting Started ................................................................................................................................................. I
Chapter 1 Getting to Know Your ZyWALL .......................................................................................... 1-1
1.1 ZyWALL Internet Security Gateway Overview ........................................................................ 1-1
1.2 ZyWALL Features ..................................................................................................................... 1-2
1.3 Applications for the ZyWALL................................................................................................... 1-8
Chapter 2 Introducing the Web Configurator ......................................................................................2-1
DMZ and WAN ............................................................................................................................................. III
NAT and Static Route ................................................................................................................................... IV
10.2 Configuring IP Static Route ................................................................................................. 10-1
Firewall and Content Filters ..........................................................................................................................V
VPN/IPSec ..................................................................................................................................................... VI
Chapter 14 Introduction to IPSec......................................................................................................... 14-1
40.2 Using SA Monitor ................................................................................................................40-1
Appendices and Index.................................................................................................................................. XV
Appendix A Troubleshooting .....................................................................................................................A
Appendix B Hardware Specifications....................................................................................................... E
Appendix C Safety Warnings and Instructions......................................................................................... J
Appendix D Removing and Installing a ZyWALL 100 Fuse ...................................................................K
Index ...........................................................................................................................................................M
List of Figures
Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem.........................................................1-9
Figure 4-4 Time Zone .....................................................................................................................................4-5
Figure 5-3 IP Alias ..........................................................................................................................................5-7
Figure 8-5 RR Service Type ...........................................................................................................................8-9
Figure 8-6 IP Setup.......................................................................................................................................8-10
Figure 8-7 MAC Setup .................................................................................................................................8-13
Figure 8-8 Traffic Redirect WAN Setup .......................................................................................................8-14
Figure 8-9 Traffic Redirect LAN Setup ........................................................................................................8-14
Figure 9-1 How NAT Works .......................................................................................................................... 9-3
Figure 9-2 NAT Application With IP Alias .................................................................................................... 9-4
Figure 9-3 Multiple Servers Behind NAT Example ....................................................................................... 9-8
Figure 11-3 SYN Flood.................................................................................................................................11-5
Figure 15-8 SA Monitor..............................................................................................................................15-26
Figure 15-9 Global Setting .........................................................................................................................15-27
Figure 15-10 Telecommuters Sharing One VPN Rule Example.................................................................15-29
Figure 15-11 Telecommuters Using Unique VPN Rules Example .............................................................15-30
Figure 16-1 Telnet Configuration on a TCP/IP Network ..............................................................................16-3
Figure 19-4 Web Site Hits Report Example..................................................................................................19-9
Figure 19-5 Protocol/Port Report Example ................................................................................................19-10
Figure 19-6 LAN IP Address Report Example ...........................................................................................19-11
Figure 20-1 System Status............................................................................................................................20-1
Figure 20-2 System Status: Show Statistics..................................................................................................20-3
List of Tables
Table 3-4 Private IP Address Ranges ............................................................................................. 3-8
Table 3-5 Example of Network Properties for LAN Servers with Fixed IP Addresses................................ 3-10
Table 3-6 WAN Setup ...................................................................................................................................3-11
Table 4-1 System General Setup .................................................................................................................... 4-1
Table 4-4 Time Zone ...................................................................................................................................... 4-6
Table 5-1 IP .................................................................................................................................................... 5-4
Table 5-3 IP Alias........................................................................................................................................... 5-7
Table 6-4 Local User Database .................................................................................................................... 6-13
Table 8-5 RR Service Type ............................................................................................................................ 8-9
Table 8-6 IP Setup.........................................................................................................................................8-11
Table 10-1 IP Static Route Summary........................................................................................................... 10-2
Table 10-2 Edit IP Static Route.................................................................................................................... 10-3
Table 11-1 Common IP Ports........................................................................................................................ 11-4
Table 11-2 ICMP Commands That Trigger Alerts ........................................................................................11-6
Table 14-1 VPN and NAT.............................................................................................................................14-6
Table 15-1 AH and ESP................................................................................................................................15-2
Table 15-10 SA Monitor .............................................................................................................................15-26
Table 15-11 SA Monitor .............................................................................................................................15-27
Table 15-12 Telecommuter and Headquarters Configuration Example ......................................................15-28
Table 16-6 DNS ..........................................................................................................................................16-12
Table 20-1 System Status ............................................................................................................................. 20-2
Table 20-2 System Status: Show Statistics................................................................................................... 20-3
Table 21-1 Main Menu Commands.............................................................................................................. 21-2
Table 21-2 Main Menu Summary ................................................................................................................ 21-3
Table 22-1 General Setup Menu Field ......................................................................................................... 22-1
Table 22-2 Configure Dynamic DNS Menu Fields...................................................................................... 22-3
Table 23-1 MAC Address Cloning in WAN Setup....................................................................................... 23-2
Table 23-2 Menu 2: Dial Backup Setup ....................................................................................................... 23-3
Table 23-3 Advanced WAN Port Setup: AT Commands Fields ................................................................... 23-4
Table 23-4 Advanced WAN Port Setup: Call Control Parameters ............................................................... 23-5
Table 23-5 Fields in Menu 11.1 Remote Node Profile (Backup ISP) .......................................................... 23-6
Table 23-6 Remote Node Network Layer Options Menu Fields................................................................ 23-10
Table 23-7 Menu 11.4: Remote Node Script Menu Fields......................................................................... 23-13
Table 24-1 DHCP Ethernet Setup Menu Fields............................................................................................ 24-3
Table 24-2 LAN TCP/IP Setup Menu Fields................................................................................................ 24-4
Table 24-3 IP Alias Setup Menu Fields ........................................................................................................ 24-5
Table 24-4 Wireless LAN Setup Menu Fields.............................................................................................. 24-7
Table 26-1 Menu 4: Internet Access Setup Menu Fields.............................................................................. 26-1
Table 26-2 New Fields in Menu 4 (PPTP) Screen ....................................................................................... 26-4
Table 26-3 New Fields in Menu 4 (PPPoE) screen ...................................................................................... 26-5
Table 27-1 Fields in Menu 11.1.................................................................................................................... 27-3
Table 27-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ............................................................... 27-6
Table 27-3 Fields in Menu 11.1 (PPTP Encapsulation)................................................................................ 27-7
Table 27-4 Remote Node Network Layer Options Menu Fields.................................................................. 27-8
Table 35-3 Call History Fields ...................................................................................................................... 35-5
Table 35-4 Time and Date Setting Fields......................................................................................................35-7
Table 36-1 Menu 24.11 – Remote Management Control..............................................................................36-2
Table 37-1 IP Routing Policy Setup..............................................................................................................37-3
Table 37-2 IP Routing Policy........................................................................................................................37-4
Table 38-1 Schedule Set Setup Fields............................................................................................38-2
Table 39-1 Menu 27.1: IPSec Summary .......................................................................................................39-3
Table 39-2 Menu 27.1.1: IPSec Setup...........................................................................................................39-6
Table 39-3 Menu 27.1.1.1: IKE Setup ........................................................................................................39-12
Table 39-4 Active Protocol: Encapsulation and Security Protocol .............................................................39-14
Table 39-5 Menu 27.1.1.2: Manual Setup...................................................................................................39-15
Table 40-1 Menu 27.2: SA Monitor..............................................................................................................40-2
Preface
About Your ZyWALL
Congratulations on your purchase of the ZyWALL Internet Security Gateway.
About This User's Manual
This manual is designed to guide you through the configuration of your ZyWALL for its various
applications.
Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your ZyWALL. Not all features can be configured through all interfaces.
The web configurator parts of this guide contain background information on features configurable by the web
configurator and the SMT. The SMT parts of this guide contain background information on features not
configurable by the web configurator.
This manual may refer to the ZyWALL Internet Security Gateway as the ZyWALL.
This manual covers the ZyWALL 10 to 100 models. Supported features, and the details of those features, vary
from model to model. Not every feature applies to every model; refer to the Model Comparison Chart in
chapter 1 of this user’s guide to see which features apply to your ZyWALL model.
Related Documentation
Support Disk
Refer to the included CD for support documents.
Read Me First or Quick Start Guide
The Read Me First or Quick Start Guide is designed to help you get up and running right away. It
contains a detailed easy-to-follow connection diagram, default settings, handy checklists and
information on setting up your network and configuring for Internet access.
Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary information.
Packing List Card
The Packing List Card lists all items that should have come in the package.
Reference Guide
The Reference Guide provides background information on some of the ZyWALL’s features and also
includes commands for use with the command interpreter.
Certifications
Refer to the product page at www.zyxel.com for information on product certifications.
ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional support
documentation.
User’s Guide Feedback
Help us help you. E-mail all User’s Guide-related comments, questions or suggestions for improvement to
techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications
Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.
Syntax Conventions
• The version number on the title page is the latest firmware version that is documented in this User’s
Guide. Earlier versions may also be included.
• “Enter” means for you to type one or more characters and press the carriage return. “Select” or
“Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Command and arrow keys are
enclosed in square brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape
key and [SPACE BAR] means the Space Bar.
• The choices of a menu item are in Bold Arial font.
• Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control
Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control
Panels and then click Modem.
• For brevity’s sake, we will use “e.g.” as a shorthand for “for instance” and “i.e.” for “that is” or “in other
words” throughout this manual.
Part I: Getting Started
This part helps you get to know your ZyWALL, introduces the web configurator and covers how to
configure the Wizard Setup screens.
Chapter 1
Getting to Know Your ZyWALL
This chapter introduces the main features and applications of the ZyWALL.
1.1 ZyWALL Internet Security Gateway Overview
The ZyWALL is an ideal secure gateway for all data passing between the Internet and the LAN.
By integrating NAT, firewall and VPN capability, ZyXEL’s ZyWALL is a complete security solution that
protects your Intranet and efficiently manages data traffic on your network.
The embedded web configurator is easy to operate and totally independent of your computer’s operating
system.
1.1.1 ZyWALL 10 Internet Security Gateway for Small/Home Offices
The ZyWALL 10 offers all necessary basic firewall functionality for small office or home use. It supports
VPN connections, real time attack alert and log systems, and content filtering while providing a user-friendly
interface for installation and configuration.
1.1.2 ZyWALL 10W Wireless Ready Internet Security Gateway
The ZyWALL 10W is wireless ready; thus giving you the option of adding a wireless LAN to your home or
small business network.
1.1.3 ZyWALL 30W Internet Security Gateway with Wireless Ready for
SOHO
The ZyWALL 30W adds more firewall protection and gives you the option of adding a wireless LAN to your
small office or home office (SOHO).
1.1.4 ZyWALL 50 Internet Security Gateway for Small/Home Office and
Small Businesses
The ZyWALL 50 adds more processing power to provide the robust firewall protection necessary for small
to medium businesses to handle e-business.
1.1.5 ZyWALL 100 Internet Security Gateway for Small to Medium
Businesses
The ZyWALL 100 offers the highest degree of functionality and security for business applications. It
supports up to 100 IPSec VPN connections and increases network security by adding a De-Militarized Zone
(DMZ) port for use with publicly accessible servers.
1.2 ZyWALL Features
The following sections describe ZyWALL features. Features vary by ZyWALL model.
1.2.1 Physical Features
Auto-negotiating 10/100 Mbps Ethernet LAN
The LAN interface automatically detects if it’s on a 10 or a 100 Mbps Ethernet.
Auto-crossover 10/100 Mbps Ethernet LAN
The LAN interface automatically adjusts to either a crossover or straight-through Ethernet cable. This feature
is not available on all models.
Auto-negotiating 10/100 Mbps Ethernet DMZ
Public servers (Web, FTP, etc.) attached to the DeMilitarized Zone (DMZ) port are visible to the outside
world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of
Death) and can also be accessed from the secure LAN. This feature is not available on all models.
10/100 Mbps Ethernet WAN
The 10/100 Mbps Ethernet WAN port attaches to the Internet via broadband modem or router. This feature is
not available on all models.
Backup WAN or Auxiliary
The Dial Backup or Auxiliary port can be used in reserve as a traditional dial-up connection if the
broadband connection on the WAN port fails. This feature is not available on all models.
Time and Date
The ZyWALL allows you to get the current time and date from an external server when you turn on your
ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date
(not available in all models).
Reset Button
The ZyWALL reset button is built into the rear panel. Use this button to restore the factory defaults: password
1234, IP address 192.168.1.1, subnet mask 255.255.255.0 and DHCP server enabled with a pool of
32 IP addresses starting at 192.168.1.33. Because the factory password is public knowledge, change it
immediately after any reset. This feature is not available on all models.
PCMCIA Port
The PCMCIA port provides the option of a wireless LAN. This feature is not available on all models.
IEEE 802.11b 11 Mbps Wireless LAN
The optional 11 Mbps wireless LAN card provides mobility and a fast network environment for small and
home offices. Users can connect to the local area network without any wiring and enjoy reliable high-speed
connectivity. This feature is not available on all models.
1.2.2 Non-Physical Features
Bandwidth Management
Bandwidth management allows you to allocate network resources according to defined policies. This
policy-based bandwidth allocation helps your network to better handle real-time applications such as
Voice-over-IP (VoIP).
IPSec VPN Capability
Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data
encryption and the Internet to provide secure communications without the expense of leased site-to-site lines.
The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN
products.
Firewall
The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the
firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the
LAN. The ZyWALL firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts,
reports and logs.
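What the default policy means in practice, shown as an added example that is not ZyWALL code: a minimal stateful filter in Python that records LAN-originated flows in a session table and drops any packet arriving on the WAN that is not the reply half of a recorded flow. The packet fields, class names and sample traffic are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as the firewall sees it; iface is the interface it arrived on."""
    iface: str   # "LAN" or "WAN"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default policy from the text: LAN->WAN is allowed and recorded;
    WAN->LAN is allowed only as the reply half of a recorded LAN-initiated flow."""

    def __init__(self):
        # Session table keyed by the forward 5-tuple of LAN-initiated flows.
        self.sessions = set()

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        # The 5-tuple the reply would carry, viewed from the LAN side.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def verdict(self, pkt: Packet) -> str:
        if pkt.iface == "LAN":
            # Outbound traffic is allowed and creates state for the return path.
            self.sessions.add(self._key(pkt))
            return "allow"
        if pkt.iface == "WAN":
            # Inbound traffic passes only if a LAN host opened the session.
            return "allow" if self._reverse_key(pkt) in self.sessions else "drop"
        raise ValueError(f"unknown interface {pkt.iface!r}")

    def close(self, pkt: Packet):
        """Drop the state for a flow (a real device does this on FIN/RST or idle timeout)."""
        self.sessions.discard(self._key(pkt))


# Constructed sample traffic: 192.168.1.33 is a LAN host behind the firewall,
# 203.0.113.10 an Internet web server, 198.51.100.7 an unsolicited scanner.
SAMPLE = [
    Packet("LAN", "tcp", "192.168.1.33", 51000, "203.0.113.10", 80),  # LAN opens HTTP
    Packet("WAN", "tcp", "203.0.113.10", 80, "192.168.1.33", 51000),  # reply: matches state
    Packet("WAN", "tcp", "198.51.100.7", 4444, "192.168.1.33", 445),  # unsolicited SMB probe
    Packet("WAN", "udp", "203.0.113.10", 53, "192.168.1.33", 51000),  # right hosts, wrong protocol
]


def run(packets=SAMPLE):
    """Feed packets through a fresh filter and return the verdict for each."""
    fw = StatefulFilter()
    return [fw.verdict(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE, run()):
        print(f"{p.iface:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {v}")
```

The fourth packet is the point worth noticing: state is keyed on the full 5-tuple including protocol, so traffic from the "right" peer on the wrong protocol or port is still unsolicited and is dropped.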
RADIUS (RFC2138, 2139)
A RADIUS (Remote Authentication Dial In User Service) server provides authentication, authorization and
accounting for your wireless network. This feature is not available on all models.
IEEE 802.1x for Network Security
The ZyWALL supports the IEEE 802.1x standard, which works with IEEE 802.11 wireless LANs to enhance user
authentication. With the local user profile, the ZyWALL allows you to configure up to 32 user profiles without
a network authentication server. In addition, centralized user and accounting management is possible on an
optional network authentication server. This feature is not available on all models.
Content Filtering
The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable
web proxies. The ZyWALL can block specific URLs by using the keyword feature. It also allows the
administrator to define time periods and days during which content filtering is enabled and to include or
exclude a range of users on the LAN from content filtering.
Wireless LAN MAC Address Filtering
MAC address filtering, together with the ESSID (Extended Service Set IDentifier) and WEP (Wired Equivalent
Privacy), provides the wireless access controls available on this model. Note that MAC addresses and ESSIDs
can be sniffed and spoofed, and WEP keys can be recovered from captured traffic, so treat these as access
controls rather than as strong confidentiality and use IEEE 802.1x authentication where your model supports it.
This feature is not available on all models.
Brute-Force Password Guessing Protection
The ZyWALL has a special protection mechanism to discourage brute-force password guessing attacks on
the ZyWALL’s management interfaces. You can specify a wait-time that must expire before entering a fourth
password after three incorrect passwords have been entered. Please see the appendices for details about this
feature.
1
Packet Filtering
The packet filtering mechanism blocks unwanted traffic from entering/leaving your network.
Universal Plug and Play (UPnP)
Using standard TCP/IP protocols, the ZyWALL and other UPnP-enabled devices can dynamically join a
network, obtain an IP address and convey their capabilities to other devices on the network. This feature is not
available on all models.
Call Scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data
networks via a familiar "dial-up networking" user interface.
PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a
remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.
PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the
Internet. The ZyWALL supports one PPTP server connection at any given time.
Dynamic DNS Support
With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP
address, allowing the host to be more easily accessible from various locations on the Internet. You must
register for this service with a Dynamic DNS service provider.
(1) Brute-Force Password Guessing Protection was not available on every model at the time of writing.
IP Multicast
Deliver IP packets to a specific group of hosts using IP multicast. IGMP (Internet Group Management
Protocol) is the protocol used to support multicast groups. IGMP version 2 is specified in RFC 2236; the
ZyWALL supports both versions 1 and 2.
IP Alias
IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface.
The ZyWALL supports three logical LAN interfaces via its single physical Ethernet LAN interface with the
ZyWALL itself as the gateway for each LAN network.
IP Policy Routing
IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding
based on the policies defined by the network administrator. This feature is not available on all models.
Central Network Management
Central Network Management (CNM) allows an enterprise or service provider network administrator to
manage your ZyWALL. The enterprise or service provider network administrator can configure your
ZyWALL, perform firmware upgrades and do troubleshooting for you.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information
between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP
agent functionality, which allows a manager station to manage and monitor the ZyWALL through the
network. The ZyWALL supports SNMP version one (SNMPv1), which authenticates requests with a community
string sent in the clear, so restrict SNMP access to trusted management hosts.
Network Address Translation (NAT)
Network Address Translation (NAT) allows the translation of an Internet protocol address used within one
network (for example a private IP address used in a local network) to a different IP address known within
another network (for example a public IP address used on the Internet).
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect
to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails. This feature is
not available on all models.
Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You may enter a
single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol) allows the individual client computers to obtain their TCP/IP
configuration at start-up from a centralized DHCP server. The ZyWALL has built-in DHCP server
capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS
servers to all systems that support the DHCP client. The ZyWALL can also act as a surrogate DHCP server
(DHCP Relay), relaying IP address assignments from the actual DHCP server to the clients.
Full Network Management
The embedded web configurator is an all-platform web-based utility that allows you to easily access the
ZyWALL’s management settings and configure the firewall. Most functions of the ZyWALL are also
software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven
interface that you can access from a terminal emulator through the console port or over a telnet connection.
RoadRunner Support
In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunner Service.
The firmware of the ZyWALL can be upgraded via the LAN.
Embedded FTP and TFTP Servers
The ZyWALL’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration
file backups and restoration.
1.2.3 Model Specific Features
This table lists the differences between models; it does not include features that are common to all of the
ZyWALL 10 to 100 models.
Table 1-1 Model Specific Features
FEATURES                                       ZYWALL MODEL
                                               100    50     30W    10W    10
Firmware Version Number                        3.52   3.52   3.61   3.61   3.52
Dial Backup (or Auxiliary)                     O * *
PCMCIA Slot                                    O O O
PCMCIA Card Release Button                     O O
802.11b Wireless LAN Support                   O O O
802.1x Wireless LAN Support                    O O O
Real Time Chip                                 O O O O
Auto-crossover 10/100 Mbps Ethernet LAN        O O
Auto-negotiating 10/100 Mbps Ethernet DMZ      O
Auto-negotiating 10/100 Mbps Ethernet WAN      O O O O
Reset Button                                   O O O O
Uplink Button                                  O O O
Power Switch                                   O
Traffic Redirect                               O O O O
Bandwidth Management                           O
IP Policy Routing                              O
Number of Static Routes                        50     30     30     12     12
Number of Firewall Rules                       400    100    100    50     30
Number of Custom Ports for Firewall Rules      50     30     30     30     10
Number of IPSec VPN Security Associations      100    50     30     10     10
UPnP                                           O O
Static DHCP                                    O O O O
Trigger Port Forwarding                        O O O
Reports                                        O O O
DHCP Address Reserve                           O O
* The ZyWALL 10W and 30W use the same port for console management and for an auxiliary (backup)
WAN connection.
Table Key: An "O" in a model's column shows that the model has the specified feature.
1.2.4 ZyWALL 100 Note
The ZyWALL 100 is designed to act as a secure gateway for all data passing between the Internet and the
LAN or the DMZ. It has three Ethernet ports, one RS-232 auxiliary port and one PCMCIA port (for optional
wireless applications), which are used to physically separate the network into three areas.
I. LAN Network (a trusted network)
LAN port: The auto-negotiating 10/100 Mbps Ethernet LAN interface automatically
detects if it’s on a 10 or a 100 Mbps Ethernet. Attach computers that are to be secured from the
outside world to this port. These computers will have access to e-mail, FTP and the World Wide
Web but incoming connections (from the Internet) are only allowed if the connection is originally
initiated from the LAN computer or a firewall rule has been specifically configured to allow access.
II. DMZ Network
DMZ port: Attach public servers (Web, FTP, etc.) to the DeMilitarized Zone (DMZ) port.
Computers attached to this port are visible to the outside world (while still being protected from
DoS (Denial of Service) attacks such as SYN flooding and Ping of Death) and can also be accessed
from the secure LAN.
III. WAN Network
WAN port: The 10/100 Mbps Ethernet WAN port attaches to the Internet via broadband modem or
router.
Dial Backup port: This auxiliary port can be used as a backup line when/if the broadband
connection to the WAN port fails.
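The zone policy described above (LAN trusted, DMZ reachable from outside, inbound WAN connections refused unless the LAN initiated them or a rule allows them) and the stateful-inspection behaviour described under Firewall in section 1.2 can be modelled as a small connection tracker. The following is an added example written for this page; it is not ZyXEL firmware and does not describe the ZyNOS rule engine. The zone addressing, the sample packets and the (zone, address, port) allow-rule format are constructed, and the default of refusing new connections from the DMZ into the LAN is an assumption (the text says DMZ hosts can be reached from the LAN, not the reverse).

```python
"""Zone-based stateful filter: the LAN may initiate connections anywhere,
the WAN may initiate only to the DMZ or to explicitly allowed LAN services,
and replies are admitted only for connections that were tracked at initiation.

Added example for this page, not ZyXEL firmware. Addresses, packets and the
allow-rule format are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone addressing; the ZyWALL's own interface addresses are not modelled.
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.2.0/24"),
}


def zone_of(addr: str) -> str:
    """Anything not in a configured internal zone is treated as WAN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    initial: bool = True  # True: connection attempt (TCP SYN / first UDP datagram)


class StatefulFilter:
    def __init__(self, allow_rules=()):
        # Explicit WAN-initiated exceptions as (dst_zone, dst_ip, dport) tuples,
        # standing in for "a firewall rule has been specifically configured".
        self.allow_rules = set(allow_rules)
        self.sessions = set()  # 5-tuples of connections admitted as initiators

    def _policy(self, src_zone: str, dst_zone: str, pkt: Packet) -> bool:
        """Default policy for a NEW connection between two zones."""
        if src_zone == "LAN":
            return dst_zone in ("DMZ", "WAN")
        if src_zone == "WAN":
            return dst_zone == "DMZ" or (dst_zone, pkt.dst, pkt.dport) in self.allow_rules
        if src_zone == "DMZ":
            # Assumption: a compromised public server must not pivot into the LAN.
            return dst_zone == "WAN"
        return False

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.sessions:
            return "ALLOW reply"          # answer to a tracked session
        if fwd in self.sessions:
            return "ALLOW established"
        if not pkt.initial:
            return "DROP no-session"      # mid-stream packet with no tracked flow
        if self._policy(zone_of(pkt.src), zone_of(pkt.dst), pkt):
            self.sessions.add(fwd)
            return "ALLOW new"
        return "DROP policy"


if __name__ == "__main__":
    fw = StatefulFilter(allow_rules=[("LAN", "192.168.1.10", 22)])
    for p in (
        Packet("192.168.1.5", 51000, "203.0.113.9", 80),                  # LAN -> WAN
        Packet("203.0.113.9", 80, "192.168.1.5", 51000, initial=False),  # its reply
        Packet("198.51.100.7", 40000, "192.168.1.5", 445),               # WAN -> LAN, no rule
        Packet("198.51.100.7", 40001, "192.168.2.20", 80),               # WAN -> DMZ
        Packet("198.51.100.7", 40002, "192.168.1.10", 22),               # WAN -> LAN, allowed by rule
        Packet("192.168.2.20", 3000, "192.168.1.5", 22),                 # DMZ -> LAN
    ):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {fw.decide(p)}")
```

The tracker keys sessions on the full 5-tuple, so a WAN host cannot get a packet through merely by guessing that some LAN host has port 51000 open; the reply must come from the exact peer the LAN host contacted.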
1.3 Applications for the ZyWALL
Here are some examples of what you can do with your ZyWALL.
1.3.1 Secure Broadband Internet Access via Cable or DSL Modem
You can connect a cable modem, DSL modem or wireless modem to the ZyWALL for broadband Internet access via
the modem's Ethernet or wireless port. The ZyWALL provides not only high-speed Internet access, but
secure internal network protection and traffic management as well.
Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem
1.3.2 VPN Application
ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the
Internet without the need (and expense) for leased lines between sites.
Figure 1-2 VPN Application
Chapter 2
Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of
its screens.
2.1 Web Configurator Overview
The embedded web configurator allows you to manage the ZyWALL from anywhere through a browser such
as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape
Navigator 7.0 and later versions with JavaScript enabled. It is recommended that you set your screen
resolution to 1024 by 768 pixels. The screens you see in the web configurator may vary somewhat from the
ones shown in this document due to differences between individual ZyWALL models or firmware versions.
2.2 Accessing the ZyWALL Web Configurator
Step 1. Make sure your ZyWALL hardware is properly connected and prepare your
computer/computer network to connect to the ZyWALL (refer to the Quick Start Guide).
Step 2. Launch your web browser.
Step 3. Type "192.168.1.1" as the URL.
Step 4. Type "1234" (default) as the password and click Login. In some versions, the default password
appears automatically - if this is the case, click Login.
Step 5. You should see a screen asking you to change your password (highly recommended) as shown
next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Figure 2-1 Change Password Screen
Step 6. You should now see the MAIN MENU screen (see Figure 2-3).
The ZyWALL automatically times out after five minutes of inactivity. Simply log
back into the ZyWALL if this happens to you.
2.3 Resetting the ZyWALL
If you forget your password or cannot access the SMT menu, you will need to reload the factory-default
configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file
replaces the current configuration file with the factory-default configuration file. This means that you will
lose all of your previous configuration, and the speed of the console port will be reset to the default of
9600 bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will also be reset to
"1234"; change it again as soon as the ZyWALL restarts, since this default is published in this guide.
2.3.1 Procedure To Use The Reset Button
Make sure the SYS LED is on (not blinking) before you begin this procedure.
Step 1. Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the
defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
Step 2. Turn the ZyWALL off.
Step 3. While pressing the RESET button, turn the ZyWALL on.
Step 4. Continue to hold the RESET button. The SYS LED will begin to blink and flicker very quickly
after about 10 or 15 seconds. This indicates that the defaults have been restored and the ZyWALL
is now restarting.
Step 5. Release the RESET button and wait for the ZyWALL to finish restarting.
2.3.2 Uploading a Configuration File Via Console Port
Step 1. Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
Step 2. Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL
again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press
any key to enter debug mode.
Step 3. Enter "y" at the prompt to go into debug mode.
Step 4. Enter "atlc" after the "Enter Debug Mode" message.
Step 5. Wait for the "Starting XMODEM upload" message before activating Xmodem upload on your
terminal. The following is an example Xmodem configuration upload using HyperTerminal.
Step 6. Click Transfer, then Send File. In the Send File dialog, type the configuration file's location, or click
Browse to search for it, choose the Xmodem protocol, and then click Send.
Figure 2-2 Example Xmodem Upload (HyperTerminal Send File dialog)
Step 7. After the configuration file upload succeeds, enter "atgo" to restart the ZyWALL.
2.4 Navigating the ZyWALL Web Configurator
The following summarizes how to navigate the web configurator from the MAIN MENU screen.
Follow the instructions you see in the MAIN MENU screen or click the icon
(located in the top right corner of most screens) to view online help.
The icon does not appear in the MAIN MENU screen.
Figure 2-3 The MAIN MENU Screen of the Web Configurator
Callouts in the figure:
Click WIZARD SETUP for initial configuration including general setup, ISP parameters for Internet
access and WAN IP/DNS server/MAC address assignment.
Use the submenus to configure ZyWALL features.
Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/firmware files.
Maintenance includes SYSTEM STATUS (Statistics), DHCP TABLE, F/W (firmware) UPGRADE and
CONFIGURATION (Backup, Restore Default).
Click LOGOUT at any time to exit the web configurator.
Chapter 3
Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator.
3.1 Wizard Setup Overview
The web configurator’s setup wizard helps you configure your device to access the Internet. The second
screen has three variations depending on what encapsulation type you use. Refer to your ISP checklist in the
Quick Start Guide to know what to enter in each field. Leave a field blank if you don’t have that information.
3.2 Wizard Setup: General Setup and System Name
General Setup contains administrative and system-related information. System Name is for identification
purposes. However, because some ISPs check this name you should enter your computer's "Computer
Name".
• In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the
entry for the Computer Name field and enter it as the System Name.
• In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the
Network Identification tab and then the Properties button. Note the entry for the Computer name
field and enter it as the System Name.
• In Windows XP, click Start, My Computer, View system information and then click the Computer
Name tab. Note the entry in the Full computer name field and enter it as the ZyWALL System Name.
3.2.1 Domain Name
The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the
domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name)
on each individual computer, the domain name can be assigned from the ZyWALL via DHCP.
Click Next to configure the ZyWALL for internet access.
Figure 3-1 Wizard 1
3.3 Wizard Setup: Screen 2
The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.
3.3.1 Ethernet
Choose Ethernet when the WAN port is used as a regular Ethernet.
Figure 3-2 Wizard 2: Ethernet Encapsulation
The following table describes the fields in this screen.
Table 3-1 Ethernet Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
Service Type The following fields are not applicable (N/A) for the Standard service type.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the user name above.
Login Server IP Address Type the authentication server IP address here if your ISP gave you one.
Login Server (Telia Login only) Type the domain name of the Telia login server, for example "login1.telia.com".
Relogin Period (min) (Telia Login only) The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins.
Next Click Next to continue.
Back Click Back to return to the previous screen.
3.3.2 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote
client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the
Internet.
Refer to the Reference Guide for more information on PPTP.
The ZYWALL supports one PPTP server connection at any given time.
Figure 3-3 Wizard 2: PPTP Encapsulation
The following table describes the fields in this screen.
Table 3-2 PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation Select PPTP from the drop-down list box.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the User Name above.
Nailed Up Connection Select Nailed Up Connection if you do not want the connection to time out.
Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPTP server. The default is 45 seconds.
PPTP Configuration
My IP Address Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
Server IP Address Type the IP address of the PPTP server.
Connection ID/Name Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
Next Click Next to continue.
Back Click Back to return to the previous screen.
3.3.3 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet
Engineering Task Force) draft standard specifying how a host personal computer interacts with a broadband
modem (for example xDSL, cable, wireless, etc.) to achieve access to high-speed data networks. It preserves
the existing Microsoft Dial-Up Networking experience and requires no new learning or procedures.
For the service provider, PPPoE offers an access and authentication method that works with existing access
control systems (for instance, RADIUS). For the user, PPPoE provides a login and authentication method that
the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or
procedures for Windows users.
One of the benefits of PPPoE is the ability to let end users access one of multiple network services, a function
known as dynamic service selection. This enables the service provider to easily create and offer new IP
services for specific users.
Operationally, PPPoE saves significant effort for both the subscriber and the ISP/carrier, as it requires no
specific configuration of the broadband modem at the subscriber’s site.
By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the
LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with
NAT, all of the LAN's computers will have Internet access.
Refer to the Reference Guide for more information on PPPoE.
Figure 3-4 Wizard2: PPPoE Encapsulation
The following table describes the fields in this screen.
Table 3-3 PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation Choose an encapsulation method from the pull-down list box. PPPoE forms a dial-up connection.
Service Name Type the name of your service provider.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the user name above.
Nailed Up Connection Select Nailed Up Connection if you do not want the connection to time out.
Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
Next Click Next to continue.
Back Click Back to return to the previous screen.
3.4 Wizard Setup: Screen 3
The third wizard screen allows you to configure WAN IP address assignment, DNS server address
assignment and the WAN MAC address.
3.4.1 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated from the
Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts
without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following
three blocks of IP addresses specifically for private networks.
Table 3-4 Private IP Address Ranges
10.0.0.0 -10.255.255.255
172.16.0.0 -172.31.255.255
192.168.0.0 -192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you
belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the
Internet addresses for your local networks. On the other hand, if you are part of a much larger organization,
you should consult your network administrator for the appropriate IP addresses.
Regardless of your particular situation, do not create an arbitrary IP address;
always follow the guidelines above. For more information on address assignment,
please refer to RFC 1597, Address Allocation for Private Internets (since obsoleted by RFC 1918),
and RFC 1466, Guidelines for Management of IP Address Space.
3.4.2 IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, so too do computers on a LAN share one
common network number.
Where you obtain your network number depends on your particular situation. If the ISP or your network
administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP
addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single user account
and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is
recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the
Network Address Translation (NAT) feature of the ZyWALL. The Internet Assigned Numbers Authority
(IANA) reserved this block of addresses specifically for private use; please do not use any other number
unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254
individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first
three numbers specify the network number while the last number identifies an individual computer on that
network.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance,
192.168.1.1, for your ZyWALL, but make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyWALL will compute the
subnet mask automatically based on the IP address that you entered. You don't need to change the subnet
mask computed by the ZyWALL unless you are instructed to do otherwise.
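The private-range test implied by Table 3-4 and the "automatic" subnet mask of section 3.4.2 can both be checked on the desk before typing addresses into the wizard. The following is an added example for this page, not ZyNOS code. It assumes the automatic mask is the classful default derived from the first octet (/8, /16 or /24); the manual does not state how the ZyWALL derives it, so treat that rule as an assumption to be verified against the device, and it uses only the Python standard library.

```python
"""Private-range check (Table 3-4) and the classful default mask a gateway
might infer when only an IP address is typed (section 3.4.2).

Added example for this page, not ZyNOS code. The classful rule in
default_mask() is an assumption about the device's behaviour, not a fact
taken from the manual."""
from ipaddress import IPv4Address, IPv4Network, ip_network

# The three blocks reserved for private networks (Table 3-4).
PRIVATE_BLOCKS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 / Table 3-4 blocks."""
    ip = IPv4Address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def default_mask(addr: str) -> str:
    """Classful default mask from the first octet: class A /8, B /16, C /24.
    Addresses outside unicast classes A-C are rejected rather than guessed."""
    first = int(IPv4Address(addr)) >> 24
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError(f"{addr} is not a class A, B or C unicast address")


def lan_plan(gateway: str, mask: str = "") -> dict:
    """Describe the LAN implied by a gateway address and optional mask:
    network number, usable host range, whether the range is private (so it
    needs NAT to reach the Internet) and whether the gateway address is a
    usable host rather than the network or broadcast address."""
    mask = mask or default_mask(gateway)
    net = IPv4Network(f"{gateway}/{mask}", strict=False)
    gw = IPv4Address(gateway)
    first_host = net.network_address + 1
    last_host = net.broadcast_address - 1
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "first_host": str(first_host),
        "last_host": str(last_host),
        "usable_hosts": net.num_addresses - 2,
        "private": is_private(gateway),
        "gateway_ok": first_host <= gw <= last_host,
    }


if __name__ == "__main__":
    for gw in ("192.168.1.1", "172.16.0.1", "203.0.113.1"):
        print(gw, lan_plan(gw))
```

A plan with "private": False flags a LAN numbered from public space, which this section warns against; "gateway_ok": False catches the common mistake of giving the ZyWALL the network address (x.x.x.0) itself.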
3.4.3 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for
instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because
without it, you must know the IP address of a computer before you can access it.
The ZyWALL can get the DNS server addresses in the following ways.
1. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign
up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup.
2. If the ISP did not give you DNS server information, leave the DNS Server fields in DHCP Setup set to
0.0.0.0 for the ISP to dynamically assign the DNS server IP addresses.
3.4.4 WAN MAC Address
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at
the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
You can configure the WAN port's MAC address by either using the factory default or cloning the MAC
address from a computer on your LAN. Once it is successfully configured, the address will be copied to the
"rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a different
"rom" file.
ZyXEL recommends you clone the MAC address from a computer on your LAN
even if your ISP does not require MAC address authentication.
Your ZyWALL WAN port is always set to half-duplex mode, as most cable/DSL modems only support half-duplex mode. Make sure your modem is in half-duplex mode. Your ZyWALL supports full-duplex mode on
the LAN side.
Table 3-5 Example of Network Properties for LAN Servers with Fixed IP Addresses
Choose an IP address 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254.
Subnet mask 255.255.255.0
Gateway (or default route) 192.168.1.1(ZyWALL LAN IP)
The third wizard screen varies according to the type of encapsulation that you select in the second wizard
screen.
Figure 3-5 Wizard 3
The following table describes the fields in this screen.
Table 3-6 WAN Setup
LABEL DESCRIPTION
WAN IP Address Assignment
Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use fixed IP address Select this option if the ISP assigned a fixed IP address.
IP Address Enter your WAN IP address in this field if you selected Use Fixed IP Address.
IP Subnet Mask Enter the IP subnet mask in this field if you selected Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in the previous wizard screen.
Gateway IP Address Enter the gateway IP address in this field if you selected Use Fixed IP Address. This field is not available when you select PPPoE encapsulation in the previous wizard screen.
DNS Server Address Assignment DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa, e.g., the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
Get automatically from ISP Select this option if your ISP does not give you DNS server addresses. This option is selected by default.
Use fixed IP address - DNS Server IP Address Select this option if your ISP provides you a DNS server address.
Primary/Secondary DNS Server If you selected the Use fixed IP address - Primary/Secondary DNS Server option, enter the provided DNS addresses in these fields.
WAN MAC Address The MAC address field allows you to configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN.
Factory Default Select this option to use the factory assigned default MAC address.
Spoof this Computer's MAC address - IP Address Select this option and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different rom file. It is advisable to clone the MAC address from a computer on your LAN even if your ISP does not presently require MAC address authentication.
Back Click Back to return to the previous screen.
Finish Click Finish to complete and save the wizard setup.
3.5 Basic Setup Complete
Well done! You have successfully set up your ZyWALL to operate on your network and access the Internet.
Part II: System, LAN and Wireless LAN
This part covers configuration of the system, LAN, and wireless LAN screens.
Chapter 4
System Screens
This chapter provides information on the System screens.
4.1 System Overview
See the Wizard Setup chapter for more information on the next few screens.
4.2 Configuring General Setup
Click SYSTEM to open the General screen.
Figure 4-1 System General Setup
The following table describes the fields in this screen.
Table 4-1 System General Setup
LABEL DESCRIPTION
System Name Choose a descriptive name for identification purposes. It is recommended you enter
your computer’s “Computer name” in this field (see the Wizard Setup chapter for how
to find your computer’s name). This name can be up to 30 alphanumeric characters
long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted.
Domain Name Enter the domain name (if you know it) here. If you leave this field blank, the ISP may
assign a domain name via DHCP.
The domain name entered by you is given priority over the ISP assigned domain
name.
Administrator Inactivity Timer Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
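Two of the management-interface controls in this manual fit together in one small session guard: the wait-time that must expire before a fourth password after three wrong ones (Brute-Force Password Guessing Protection, section 1.2) and the Administrator Inactivity Timer above (default 5 minutes, 0 meaning never). The following is an added example for this page, not ZyNOS code and not a description of how the ZyWALL stores or checks its password. The PBKDF2 storage, the three-strike counter, the wait-time of 60 seconds and the injected clock are constructed for illustration; the manual does not give the wait-time's default.

```python
"""Management-login guard combining two controls from this manual: a wait-time
after three wrong passwords, during which even a correct password is refused,
and an inactivity timer that ends an idle session (0 = never).

Added example for this page, not ZyNOS code. The hashing scheme, counter
semantics and clock injection are constructed for illustration."""
import hashlib
import hmac
import secrets
import time


class ManagementSession:
    MAX_FAILURES = 3  # "after three incorrect passwords have been entered"

    def __init__(self, password: str, wait_time_s: int = 60,
                 idle_timeout_min: int = 5, clock=None):
        self.clock = clock or time.monotonic   # injectable for testing
        self.wait_time_s = wait_time_s
        self.idle_timeout_s = idle_timeout_min * 60   # 0 disables the timer
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._digest(password)
        self.failures = 0
        self.locked_until = 0.0
        self.last_activity = None  # None: no authenticated session

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def login(self, password: str) -> str:
        now = self.clock()
        if now < self.locked_until:
            # A fourth attempt inside the wait-time is refused before the
            # password is even compared, so guessing cannot proceed faster
            # than three tries per wait-time.
            return "LOCKED"
        if hmac.compare_digest(self._digest(password), self._pw_hash):
            self.failures = 0
            self.last_activity = now
            return "OK"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_until = now + self.wait_time_s
            self.failures = 0
        return "BAD_PASSWORD"

    def touch(self) -> bool:
        """Call on every management request. Returns False when there is no
        session or it has idled out; the caller must then require a new login."""
        now = self.clock()
        if self.last_activity is None:
            return False
        if self.idle_timeout_s and now - self.last_activity > self.idle_timeout_s:
            self.last_activity = None
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    s = ManagementSession("1234", wait_time_s=60)
    print([s.login("guess") for _ in range(3)], s.login("1234"))  # three misses, then LOCKED
```

Note that the lock refuses the correct password too while the wait-time runs; that is what makes the fourth attempt cost the attacker the full wait-time rather than letting a lucky guess through early.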
4.3 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS
services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP
server or Web site on your own computer using a DNS-like address (for instance myhost.dhs.org, where
myhost is a name of your choice) that will never change instead of using an IP address that changes each
time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP
address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people
with a dynamic IP from their ISP or DHCP server that would still like to have a DNS name. The Dynamic
DNS service provider will give you a password or key.
4.3.1 DYNDNS Wildcard
Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address
as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example,
www.yourhost.dyndns.org and still reach your hostname.
If you have a private WAN IP address, then you cannot use Dynamic DNS.
4.4 Configuring Dynamic DNS
To change your ZyWALL’s DDNS, click SYSTEM, then the DDNS tab. The screen appears as shown.
Figure 4-2 DDNS
The following table describes the fields in this screen.
Table 4-2 DDNS
LABEL DESCRIPTION
Active  Select this check box to use dynamic DNS.
Service Provider  Select the name of your Dynamic DNS service provider.
DDNS Type  Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Names 1~3  Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (",").
User  Enter your user name.
Password  Enter the password assigned to you.
Enable Wildcard  Select the check box to enable DYNDNS Wildcard.
Off Line  This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
Edit Update IP Address:
Server Auto Detect  Select this option to update the IP address of the host name(s) automatically by the DDNS server. It is recommended that you select this option.
User Specify  Select this option to update the IP address of the host name(s) to the IP address specified below. Use this option if you have a static IP address.
IP Addr  Enter the IP address if you select the User Specify option.
Apply  Click Apply to save your changes back to the ZyWALL.
Reset  Click Reset to begin configuring this screen afresh.
4.5 Configuring Password
To change your ZyWALL’s password (recommended), click SYSTEM, then the Password tab. The screen
appears as shown. This screen allows you to change the ZyWALL’s password.
Figure 4-3 Password
The following table describes the fields in this screen.
Table 4-3 Password
LABEL DESCRIPTION
Old Password  Type the default password or the existing password you use to access the system in this field.
New Password  Type the new password in this field.
Retype to Confirm  Type the new password again in this field.
Apply  Click Apply to save your changes back to the ZyWALL.
Reset  Click Reset to begin configuring this screen afresh.
4.6 Configuring Time Zone
To change your ZyWALL’s time and date, click SYSTEM, then the Time Zone tab. The screen appears as
shown. Use this screen to configure the ZyWALL’s time based on your local time zone.
Figure 4-4 Time Zone
The following table describes the fields in this screen.
Table 4-4 Time Zone
LABEL DESCRIPTION
Use Time Server when Bootup  Select the time service protocol that your time server sends when you turn on the ZyWALL. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format.
Daytime (RFC 867) format is day/month/year/time zone of the server.
Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0.
The default, NTP (RFC 1305), is similar to Time (RFC 868).
Select None to enter the time and date manually.
Time Server IP Address  Enter the IP address of your time server. Check with your ISP/network administrator if you are unsure of this information (the default is tick.stdtime.gov.tw).
Current Time  This field displays the time of your ZyWALL.
New Time  This field displays the last updated time from the time server. Each time you reload this page, the ZyWALL synchronizes the time with the time server. When you select None in the Use Time Server when Bootup field, enter the new time in this field and then click Apply.
Current Date  This field displays the date of your ZyWALL.
New Date  This field displays the last updated date from the time server. Each time you reload this page, the ZyWALL synchronizes the date with the time server. When you select None in the Use Time Server when Bootup field, enter the new date in this field and then click Apply.
Time Zone  Choose the Time Zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Daylight Savings  Select this option if you use daylight savings time. Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Start Date  Enter the month and day that your daylight-savings time starts on if you selected Daylight Savings.
End Date  Enter the month and day that your daylight-savings time ends on if you selected Daylight Savings.
Apply  Click Apply to save your changes back to the ZyWALL.
Reset  Click Reset to begin configuring this screen afresh.
Chapter 5
LAN Screens
This chapter describes how to configure LAN settings. Static DHCP does not apply to the ZyWALL
10.
5.1 LAN Overview
Local Area Network (LAN) is a shared communication system to which many computers are attached. The
LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical
network into logical networks.
5.2 DHCP Setup
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain
TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable
it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If set to
None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the
computer must be manually configured.
5.2.1 IP Pool Setup
The ZyWALL is pre-configured with a pool of 32 IP addresses starting from 192.168.1.33 to 192.168.1.64.
This configuration leaves 31 IP addresses (excluding the ZyWALL itself) in the lower range for other server
computers, for instance, servers for mail, FTP, TFTP, web, etc., that you may have.
5.2.2 Primary and Secondary DNS Server
Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter.
5.3 LAN TCP/IP
The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that
support DHCP client capability.
5.3.1 Factory LAN Defaults
The LAN parameters of the ZyWALL are preset in the factory with the following values:
IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server
address(es), read the embedded web configurator help regarding what fields need to be configured.
5.3.2 IP Address and Subnet Mask
Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.
5.3.3 RIP Setup
RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing
information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set
to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP
packets and will ignore any RIP packets received.
RIP Version controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it
recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more
information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet
broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines
since they generally do not listen to the RIP multicast address and so will not receive the RIP packets.
However, if one router uses multicasting, then all routers on your network must use multicasting, also.
By default, RIP Direction is set to Both and RIP Version to RIP-1.
5.3.4 Multicast
Traditionally, IP packets are transmitted in one of two ways - Unicast (1 sender - 1 recipient) or
Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the
network - not everybody and not just 1.
IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a
Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over
version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed
information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of
RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to
239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers.
The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts
(including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address
224.0.0.2 is assigned to the multicast routers group.
The ZyWALL supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the
ZyWALL queries all directly connected networks to gather group membership. After that, the ZyWALL
periodically updates this information. IP multicasting can be enabled/disabled on the ZyWALL LAN and/or
WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these
interfaces.
5.4 Configuring IP
Click LAN to open the IP screen.
Figure 5-1 IP
The following table describes the fields in this screen.
Table 5-1 IP
LABEL DESCRIPTION
DHCP Server  DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave the DHCP Server check box selected. Clear it to disable the ZyWALL acting as a DHCP server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. If not, DHCP service is disabled and you must have another DHCP server on your LAN, or else the workstation must be manually configured. When set as a server, fill in the following four fields.
IP Pool Starting Address  This field specifies the first of the contiguous addresses in the IP address pool.
Pool Size  This field specifies the size, or count of the IP address pool.
Primary DNS Server / Secondary DNS Server  Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask. Leave these entries at 0.0.0.0 if they are provided by a WAN DHCP server.
LAN TCP/IP
IP Address  Type the IP address of your ZyWALL in dotted decimal notation 192.168.1.1 (factory default).
IP Subnet Mask  The subnet mask specifies the network number portion of an IP address. Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL 255.255.255.0.
RIP Direction  RIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
RIP Version  The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast  Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dialup services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However, it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Allow From LAN to WAN  Select this option to forward NetBIOS packets from the LAN port to the WAN port.
Allow From LAN to DMZ  Select this option to forward NetBIOS packets from the LAN port to the DMZ port. (Not all ZyWALL models have a DMZ port.)
Apply  Click Apply to save your changes back to the ZyWALL.
Reset  Click Reset to begin configuring this screen afresh.
5.5 Configuring Static DHCP
This table allows you to assign IP addresses on the LAN to specific individual computers based on their
MAC Addresses.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at
the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
To change your ZyWALL’s Static DHCP settings, click LAN, then the Static DHCP tab. The screen appears
as shown.
Figure 5-2 Static DHCP
The following table describes the fields in this screen.
Table 5-2 Static DHCP
LABEL DESCRIPTION
#  This is the index number of the Static IP table entry (row).
MAC Address  Type the MAC address (with colons) of a computer on your LAN.
IP Address  This field specifies the size, or count of the IP address pool.
Apply  Click Apply to save your changes back to the ZyWALL.
Reset  Click Reset to begin configuring this screen afresh.
5.6 Configuring IP Alias
IP Alias allows you to partition a physical network into different logical networks over the same Ethernet
interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with
the ZyWALL itself as the gateway for each LAN network.
To change your ZyWALL’s IP Alias settings, click LAN, then the IP Alias tab. The screen appears as
shown.
Figure 5-3 IP Alias
The following table describes the fields in this screen.
Table 5-3 IP Alias
LABEL DESCRIPTION
IP Alias 1,2  Select the check box to configure another LAN network for the ZyWALL.
IP Address  Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask  Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction  RIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version  The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Apply  Click Apply to save your changes back to the ZyWALL.
Reset  Click Reset to begin configuring this screen afresh.
Chapter 6
Wireless LAN Screens
This chapter discusses how to configure Wireless LAN on the ZyWALL 100, 30W and 10W.
6.1 Wireless LAN Overview
This section introduces the wireless LAN (WLAN) and some basic scenarios.
6.1.1 Additional Installation Requirements for Using 802.1x
A computer with an IEEE 802.11b wireless LAN card.
A computer equipped with a web browser (with JavaScript enabled) and/or Telnet.
A wireless client computer must be running IEEE 802.1x-compliant software. Currently, this is
offered in Windows XP.
An optional network RADIUS server for remote user authentication and accounting.
6.2 Wireless LAN Basics
This section provides background information on WLAN.
6.2.1 Channel
IEEE 802.11b wireless devices use ranges of radio frequencies called channels. Choose the radio channel
depending on your geographical area. Adjacent Access Points (APs) should use different channels to reduce
crosstalk. Crosstalk occurs when radio signals from access points overlap and cause interference that
degrades performance.
6.2.2 ESS ID
Extended Service Set (ESS) is defined as one or more APs acting as a bridge between a wired LAN and the
associated wireless clients. The ESS ID is a unique ID given to the APs and the wireless clients that
participate in the same wireless network. You can think of the ESS ID as being similar to a workgroup name
in a Microsoft network.
6.2.3 RTS/CTS
A hidden node occurs when two stations are within range of the same access point, but are not within range
of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the
access point (AP) or wireless gateway, but out-of-range of each other, so they cannot “hear” each other, that
is they do not know if the channel is currently being used. Therefore, they are considered hidden from each
other.
Figure 6-1 RTS Threshold
When station A sends data to the ZyWALL, it might not know that the station B is already using the channel.
If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP
at the same time, resulting in a loss of messages for both stations.
RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data
frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.
When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to
transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it.
The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify
them to defer their transmission. It also reserves and confirms with the requesting station the time frame for
the requested transmission.
Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request
To Send)/CTS (Clear to Send) handshake.
You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the “cost”
of resending large frames is more than the extra network overhead involved in the RTS (Request To
Send)/CTS (Clear to Send) handshake.
If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request
To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they
reach RTS/CTS size.
Enabling the RTS Threshold causes redundant network overhead that could
negatively affect the throughput performance instead of providing a remedy.
6.2.4 Fragmentation Threshold
A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be
sent in the wireless network before the ZyWALL will fragment the packet into smaller data frames.
A large Fragmentation Threshold is recommended for networks not prone to interference while you should
set a smaller threshold for busy networks or networks that are prone to interference.
If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the
RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented
before they reach RTS Threshold size.
6.3 Wireless Security
Wireless security is vital to your network to protect wireless communication between wireless clients, access
points and other wireless.
The figure below shows the possible wireless security levels on your ZyWALL. The highest security level is
EAP (Extensible Authentication Protocol) authentication. It requires interaction with a RADIUS (Remote
Authentication Dial In User Service) server either on the WAN or your LAN to provide authentication
service for wireless clients.
Figure 6-2 ZyWALL Wireless Security Levels
If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless
networking device that is within range.
Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on
using the ZyWALL web configurator to see how to access the web configurator.
6.3.1 WEP
WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations
must use the same WEP key to encrypt and decrypt data. Your ZyWALL allows you to configure up to four
64-bit or 128-bit WEP keys, but only one key can be enabled at any one time.
6.4 Configuring Wireless LAN
If you are configuring the ZyWALL from a computer connected to the wireless LAN
and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless
connection when you press Apply to confirm. You must then change the wireless
settings of your computer to match the ZyWALL’s new settings.
Click WIRELESS LAN to open the Wireless screen.
Figure 6-3 Wireless
The following table describes the fields in this screen.
Table 6-1 Wireless
LABEL DESCRIPTION
Enable Wireless LAN  The wireless LAN is turned off (No) by default. Before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN.
ESSID  (Extended Service Set IDentification) The ESSID identifies the Service Set the station is to connect to. Wireless clients associating to the Access Point must have the same ESSID. Enter a descriptive name (up to 32 characters) for the wireless LAN.
Hide ESSID  Select Yes to hide the ESSID in the outgoing beacon frame so a station cannot obtain the ESSID through passive scanning.
Channel ID  This allows you to set the operating frequency/channel depending on your particular region. Select a channel from the drop-down list box.
RTS Threshold  (Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 0 and 2432.
Frag. Threshold  The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2432.
WEP  WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select Disable to allow wireless clients to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption. Although WEP is functional at 5.5 and 11 Mbps, there is significant performance degradation when using WEP at these rates.
Key 1 to Key 4  If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless client computers.
Apply  Click Apply to save your changes back to the ZyWALL.
Reset  Click Reset to begin configuring this screen afresh.
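The Key 1 to Key 4 rules above (5 ASCII or 0x plus 10 hex digits for 64-bit WEP, 13 ASCII or 0x plus 26 hex digits for 128-bit WEP) are easy to get wrong on one side of the link. This added example, which is not ZyXEL code, normalizes an entry in either form to its raw key bytes so that an AP setting and a client setting can be compared; normalize_wep_key, is_valid_entry and keys_match are names chosen here and the sample entries are constructed.

```python
"""Normalize the Key 1 to Key 4 entries from Table 6-1 so that AP and client
settings can be compared byte for byte.

Added example, not ZyXEL code: normalize_wep_key, keys_match and
is_valid_entry are names chosen here. The accepted forms come from the table:
64-bit WEP takes 5 ASCII characters or 10 hex digits prefixed with 0x;
128-bit WEP takes 13 ASCII characters or 26 hex digits prefixed with 0x.
"""
import binascii

# Secret key length in bytes for each setting. The advertised strength counts
# the 24-bit IV that is sent in clear with every frame, so the secret part is
# only 40 bits (5 bytes) or 104 bits (13 bytes).
KEY_BYTES = {"64-bit WEP": 5, "128-bit WEP": 13}


class WepKeyError(ValueError):
    """An entry does not match the format the Wireless screen accepts."""


def normalize_wep_key(setting: str, entry: str) -> bytes:
    """Return the raw key bytes for one key field.

    A 0x-prefixed entry is read as hex digits; anything else is read as an
    ASCII string. Either way the result must be exactly KEY_BYTES[setting] long.
    """
    if setting not in KEY_BYTES:
        raise WepKeyError(f"unknown WEP setting {setting!r}")
    want = KEY_BYTES[setting]
    if entry[:2].lower() == "0x":
        digits = entry[2:]
        if len(digits) != 2 * want:
            raise WepKeyError(
                f"{setting} needs {2 * want} hex digits after 0x, got {len(digits)}")
        try:
            return binascii.unhexlify(digits)
        except (binascii.Error, ValueError) as exc:
            raise WepKeyError("hex digits must be 0-9 or A-F") from exc
    try:
        raw = entry.encode("ascii")
    except UnicodeEncodeError as exc:
        raise WepKeyError("ASCII form must contain only ASCII characters") from exc
    if len(raw) != want:
        raise WepKeyError(f"{setting} needs {want} ASCII characters, got {len(raw)}")
    return raw


def is_valid_entry(setting: str, entry: str) -> bool:
    """True when the entry would be accepted for the given WEP setting."""
    try:
        normalize_wep_key(setting, entry)
    except WepKeyError:
        return False
    return True


def keys_match(setting: str, ap_entry: str, client_entry: str) -> bool:
    """True when both entries denote the same key, whatever form each was typed in.

    The table requires the values to be set up exactly the same on the AP and
    the clients; comparing the normalized bytes catches a client that typed the
    hex form of the AP's ASCII key (or the reverse), a mismatch that otherwise
    only shows up as frames the other side cannot decrypt.
    """
    return normalize_wep_key(setting, ap_entry) == normalize_wep_key(setting, client_entry)


if __name__ == "__main__":
    # Constructed sample entries, not keys from the manual.
    print(normalize_wep_key("64-bit WEP", "0x4142434445"))  # b'ABCDE'
    print(keys_match("64-bit WEP", "ABCDE", "0x4142434445"))  # True
    print(is_valid_entry("128-bit WEP", "tooshort"))  # False
```

Whatever the key length, WEP's RC4 keying has long been broken, so where the hardware offers the 802.1x authentication described in section 6.6, prefer it over relying on WEP alone.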
6.5 Configuring MAC Filter
The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices
(Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). Every
Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the
factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to
know the MAC address of the devices to configure this screen.
To change your ZyWALL’s MAC Filter settings, click WIRELESS LAN, then the MAC Filter tab. The
screen appears as shown.
Figure 6-4 MAC Address Filter
The following table describes the fields in this menu.
Table 6-2 MAC Address Filter
LABEL DESCRIPTION
Active  Use the drop down list box to enable or disable MAC address filtering.
Filter Action  Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow Association to permit access to the router; MAC addresses not listed will be denied access to the router.
MAC Address  Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the client computers that are allowed or denied access to the ZyWALL in these address fields.
Apply  Click Apply to save your changes back to the ZyWALL.
Reset  Click Reset to begin configuring this screen afresh.
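Both the Static DHCP screen (section 5.5) and the MAC Filter screen above key on the same six-pair MAC address form, and the Filter Action semantics are easy to invert. This added example, not ZyXEL code, parses that form once and then applies it to a static DHCP lookup and to the Allow/Deny Association decision, with a small configuration audit; parse_mac, static_lease_for, association_allowed and audit_mac_filter are names chosen here and the addresses are constructed samples built on the manual's example 00:A0:C5:00:00:02.

```python
"""MAC-address handling for the Static DHCP screen (Table 5-2) and the
wireless MAC Filter screen (Table 6-2).

Added example, not ZyXEL code: parse_mac, static_lease_for,
association_allowed and audit_mac_filter are names chosen here. The
addresses used below are constructed samples.
"""
import re
from typing import Dict, Iterable, List, Optional

# Six pairs of hex digits separated by colons, as both screens require.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def parse_mac(text: str) -> str:
    """Validate XX:XX:XX:XX:XX:XX form and return the canonical upper-case spelling."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a colon-separated MAC address: {text!r}")
    return text.upper()


def static_lease_for(reservations: Dict[str, str], client_mac: str) -> Optional[str]:
    """Static DHCP: the IP reserved for this MAC, or None to fall back to the pool."""
    table = {parse_mac(mac): ip for mac, ip in reservations.items()}
    return table.get(parse_mac(client_mac))


def association_allowed(action: str, table: Iterable[str], client_mac: str) -> bool:
    """Apply the Filter Action from Table 6-2 to one associating station.

    Deny Association: listed addresses are blocked, all others are allowed.
    Allow Association: listed addresses are allowed, all others are denied.
    """
    listed = parse_mac(client_mac) in {parse_mac(m) for m in table}
    if action == "Deny Association":
        return not listed
    if action == "Allow Association":
        return listed
    raise ValueError(f"unknown Filter Action {action!r}")


def audit_mac_filter(active: bool, action: str, table: List[str]) -> List[str]:
    """Configuration checks worth running before enabling the wireless LAN."""
    findings: List[str] = []
    if not active:
        findings.append("MAC filtering is inactive: every station may associate")
    if action == "Deny Association" and not table:
        findings.append("Deny Association with an empty list blocks nobody")
    seen = set()
    for entry in table:
        try:
            mac = parse_mac(entry)
        except ValueError:
            findings.append(f"malformed entry {entry!r} will not match any station")
            continue
        if mac in seen:
            findings.append(f"duplicate entry {mac}")
        seen.add(mac)
    return findings


if __name__ == "__main__":
    allowed = ["00:a0:c5:00:00:02", "00:A0:C5:00:00:03"]  # constructed list
    print(association_allowed("Allow Association", allowed, "00:A0:C5:00:00:02"))  # True
    print(association_allowed("Allow Association", allowed, "00:A0:C5:00:00:09"))  # False
    print(audit_mac_filter(True, "Allow Association", allowed + ["00A0C5000002"]))
```

A MAC filter only checks the address a station presents, so it complements WEP or 802.1x rather than replacing them, as the Enable Wireless LAN note in Table 6-1 already advises.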
6.6 802.1x Overview
The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations
and encryption key management. Authentication can be done using the local user database internal to the
ZyWALL or an external RADIUS server for an unlimited number of users.
6.7 RADIUS
RADIUS is based on a client-server model that supports authentication and accounting, where the access
point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks
among others:
• Authentication
Determines the identity of the users.
• Accounting
Keeps track of the client’s network activity.
RADIUS is a simple packet exchange in which your ZyWALL acts as a message relay between the
wireless client and the network RADIUS server.
Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the access point and the RADIUS server
for user authentication:
• Access-Request
Sent by an access point requesting authentication.
• Access-Reject
Sent by a RADIUS server rejecting access.
• Access-Accept
Sent by a RADIUS server allowing access.
• Access-Challenge
Sent by a RADIUS server requesting more information in order to allow access. The access point
sends a proper response from the user and then sends another Access-Request message.
The following types of RADIUS messages are exchanged between the access point and the RADIUS server
for user accounting:
• Accounting-Request
Sent by the access point requesting accounting.
• Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the access point and the RADIUS server use a shared secret key, which
is a password they both know. The key is not sent over the network. In addition to the shared key, password
information exchanged is also encrypted to protect the network from unauthorized access.
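The way the shared secret protects the password in an Access-Request is worth seeing concretely. This added example, not ZyXEL code, implements the User-Password hiding of RFC 2865 section 5.2 (MD5 of the shared secret and the Request Authenticator, XORed over the password in 16-byte blocks) for both the access point side and the server side; hide_password, reveal_password and new_request_authenticator are names chosen here, and the secret, password and authenticator values in the demo are constructed.

```python
"""How an Access-Request keeps the user's password out of the clear between
the access point and the RADIUS server (section 6.7): both ends hold the
shared secret, which never travels on the wire, and the User-Password
attribute is hidden with it.

Added example, not ZyXEL code. hide_password, reveal_password and
new_request_authenticator are names chosen here; the mechanism is
RFC 2865 section 5.2.
"""
import hashlib
import os

BLOCK = 16  # MD5 digest size; the password is processed in 16-byte blocks


def new_request_authenticator() -> bytes:
    """Fresh 16 random bytes per Access-Request, so that identical passwords
    never produce identical hidden bytes and a recorded reply cannot be reused."""
    return os.urandom(BLOCK)


def _pad(password: bytes) -> bytes:
    """RFC 2865 allows 1 to 128 bytes and pads with zeros to a block boundary."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows passwords of 1 to 128 bytes")
    return password + b"\x00" * (-len(password) % BLOCK)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Access point side: c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_(i-1))."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = _pad(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        key_block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key_block))
        out += c
        prev = c  # chaining: the next key block depends on this ciphertext block
    return bytes(out)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: rebuild the same key stream and XOR it back, then strip the
    zero padding. With the wrong shared secret the key stream differs and the
    result is garbage, which is how a mismatched secret shows up as failed logins."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a positive multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        key_block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, key_block))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed, not a real deployment value
    ra = new_request_authenticator()
    hidden = hide_password(secret, ra, b"wireless-user-password")
    print(hidden.hex())
    print(reveal_password(secret, ra, hidden))  # b'wireless-user-password'
```

The hiding is keyed only by the shared secret and MD5, so the secret's length and randomness are what protect the password if traffic between the access point and the server is captured.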
6.7.1 EAP Authentication Overview
EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE802.1x
transport mechanism in order to support multiple types of user authentication. By using EAP to interact with
an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform
authentication.
The type of authentication you use depends on the RADIUS server or the AP.
Your ZyWALL supports EAP-MD5 (Message-Digest Algorithm 5) with the local user database.
The following figure shows an overview of authentication when you specify a RADIUS server on your
access point.
Figure 6-5 EAP Authentication
The details below provide a general description of how IEEE 802.1x EAP authentication works. For an
example list of EAP-MD5 authentication steps, see the IEEE 802.1x chapter in the Reference Guide.
• The wireless station sends a “start” message to the ZyWALL.
• The ZyWALL sends a “request identity” message to the wireless station for identity information.
• The wireless station replies with its identity (the user name). The ZyWALL relays the EAP exchange to
the RADIUS server, or handles it against its local user database; with EAP-MD5 the station proves that it
knows the password by answering an MD5 challenge rather than sending the password itself.
• The RADIUS server (or the ZyWALL's local user database) checks the user information against its user
profile database and determines whether or not to authenticate the wireless station.
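The following is an added example, not code from the ZyXEL user guide or the ZyWALL firmware. It walks through the EAP-MD5 steps listed above with both sides' messages: the authenticator (the ZyWALL with its local user database from section 6.8) sends Request/Identity, the station answers with its user name, the authenticator sends an MD5-Challenge, and the station returns MD5(Identifier || password || challenge) as in RFC 3748 section 5.4. The user database, the class and function names and the password values are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Added example, not ZyWALL code: an EAP-MD5 exchange between a wireless station
# (supplicant) and the ZyWALL checking against its local user database.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4

# Constructed local user database (assumption, not the manual's data).
LOCAL_USERS = {b"alice": b"wlan-pass-31"}


def eap_packet(code, identifier, payload=b""):
    """EAP header (RFC 3748 s4): Code, Identifier, Length, then Type and type data."""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def md5_response_value(identifier, password, challenge):
    """EAP-MD5 (same construction as CHAP): MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class ZyWallAuthenticator:
    """The 802.1x authenticator side, checking against the local user database."""

    def __init__(self, users):
        self.users, self.ident, self.user, self.challenge = users, 0, None, None

    def request_identity(self):
        self.ident = (self.ident + 1) % 256
        return eap_packet(EAP_REQUEST, self.ident, bytes([TYPE_IDENTITY]))

    def handle_identity(self, pkt):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if (code, ident, pkt[4]) != (EAP_RESPONSE, self.ident, TYPE_IDENTITY):
            return eap_packet(EAP_FAILURE, ident)
        self.user = pkt[5:length]
        self.ident = (self.ident + 1) % 256
        self.challenge = os.urandom(16)  # fresh per attempt, so an old answer cannot be replayed
        return eap_packet(EAP_REQUEST, self.ident,
                          bytes([TYPE_MD5_CHALLENGE, len(self.challenge)]) + self.challenge)

    def handle_md5_response(self, pkt):
        code, ident, _ = struct.unpack("!BBH", pkt[:4])
        if (code, ident, pkt[4]) != (EAP_RESPONSE, self.ident, TYPE_MD5_CHALLENGE):
            return eap_packet(EAP_FAILURE, ident)
        value = pkt[6:6 + pkt[5]]  # Value-Size byte, then the 16-byte Value
        password = self.users.get(self.user)
        ok = password is not None and hmac.compare_digest(
            value, md5_response_value(ident, password, self.challenge))
        return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)


class Station:
    """The wireless station (supplicant)."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def respond(self, req):
        ident, eap_type = req[1], req[4]
        if eap_type == TYPE_IDENTITY:
            # Identity carries only the user name; the password never leaves the station
            return eap_packet(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + self.username)
        challenge = req[6:6 + req[5]]
        value = md5_response_value(ident, self.password, challenge)
        # Response carries Type, Value-Size, Value and then the Name field
        return eap_packet(EAP_RESPONSE, ident,
                          bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + self.username)


def run_eap_md5(username, password, users=LOCAL_USERS):
    """Drive the exchange from section 6.7.1 and return the final EAP result."""
    auth, station = ZyWallAuthenticator(users), Station(username, password)
    req_identity = auth.request_identity()           # "request identity"
    resp_identity = station.respond(req_identity)    # identity (user name only)
    req_challenge = auth.handle_identity(resp_identity)
    if req_challenge[0] != EAP_REQUEST:
        return "failure"
    resp_challenge = station.respond(req_challenge)  # proof of knowledge of the password
    final = auth.handle_md5_response(resp_challenge)
    return "success" if final[0] == EAP_SUCCESS else "failure"


def offline_guess(ident, challenge, value, candidates):
    """What an eavesdropper holding one captured challenge/response pair can do:
    the only per-exchange input is the challenge, so a wordlist can be tried offline."""
    for candidate in candidates:
        if md5_response_value(ident, candidate, challenge) == value:
            return candidate
    return None
```

The exchange never sends the password, which is the point of the challenge step, but offline_guess shows the limit of EAP-MD5 that RFC 3748 itself notes: anyone who captures the challenge and response over the air can test candidate passwords at will, and the method provides no mutual authentication and derives no keys. A local user database protected only by EAP-MD5 therefore still depends on strong, non-dictionary passwords (section 6.10 allows up to 31 characters).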
6.8 Local User Database
By storing user profiles locally on the ZyWALL, your ZyWALL is able to authenticate wireless users
without interacting with a network RADIUS server. However, there is a limit on the number of users you
may authenticate in this way.
6.9 Configuring 802.1X
To change your ZyWALL’s Authentication settings, click WIRELESS LAN, then the 802.1X tab. The
screen appears as shown.
Figure 6-6 802.1X Authentication
The following table describes the fields in this screen.
Table 6-3 802.1X Authentication
LABEL DESCRIPTION
Active Select Force Authorized, Force UnAuthorized or Auto from the drop-down list box.
Select Auto to authenticate all wireless clients before they can access the wired network.
Select Force Authorized to allow all wireless clients to access your wired network without
authentication; any station that can associate with the ZyWALL then reaches the wired
network, so use this only where the wireless segment is controlled by other means.
Select Force UnAuthorized to deny all wireless clients access to your wired network.
Reauthentication Period Specify the time interval between the RADIUS server's authentication checks of
wireless users connected to the network. This field is activated only when you select Auto
authentication control.
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
6.10 Configuring Local User Database
To change your ZyWALL’s local user list, click WIRELESS LAN, then the Local User Database tab. The
screen appears as shown (some of the screen’s blank rows are not shown).
Figure 6-7 Local User Database
The following table describes the fields in this screen.
Table 6-4 Local User Database
LABEL DESCRIPTION
Active Select this check box to enable the user profile.
User Name Enter the user name of the user profile.
Password Enter a password up to 31 characters long for this user profile.
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
6.11 Configuring RADIUS
Use RADIUS if you want to authenticate wireless users using an external server.
To set up your ZyWALL’s RADIUS Server settings, click WIRELESS LAN, then the RADIUS tab. The
screen appears as shown.
Figure 6-8 RADIUS
The following table describes the fields in this screen.
Table 6-5 RADIUS
LABEL DESCRIPTION
Authentication Server
Active Select Yes from the drop-down list box to enable user authentication through an external
authentication server. Select No to enable user authentication using the local user profile on
the ZyWALL.
Server Address Enter the IP address of the external authentication server in dotted decimal notation.
Port Number The default port of the RADIUS server for authentication is 1812. You need not change this
value unless your network administrator instructs you to do so with additional information.
Key Enter a password (up to 31 alphanumeric characters) as the key to be shared between the
external authentication server and the access points. The key is not sent over the network.
This key must be the same on the external authentication server and the ZyWALL. Use a
long, random key: the integrity of the server's replies and the hiding of user passwords both
rest on it.
Accounting Server
Active Select Yes from the drop-down list box to enable user accounting through an external
accounting server.
Server Address Enter the IP address of the external accounting server in dotted decimal notation.
Port Number The default port of the RADIUS server for accounting is 1813. You need not change this
value unless your network administrator instructs you to do so with additional information.
Key Enter a password (up to 31 alphanumeric characters) as the key to be shared between the
external accounting server and the access points. The key is not sent over the network. This
key must be the same on the external accounting server and the ZyWALL.
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
Part III: DMZ and WAN
This part covers configuration of the DMZ and WAN screens.
Chapter 7
DMZ Screens
This chapter describes how to configure the ZyWALL 100’s DMZ.
7.1 DMZ Overview
The DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public
servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS
(Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be
accessed from the secure LAN.
By default the firewall allows traffic between the WAN and the DMZ and from the LAN to the DMZ, and
denies traffic from the DMZ to the LAN. Internet users can therefore reach the host servers on the DMZ but
not the LAN, unless the administrator has configured rules that allow such access or the user is an
authorized remote user. The DMZ-to-LAN deny rule is the boundary that contains a compromised public
server, so think carefully before opening it.
It is highly recommended that you connect all of your public servers to the DMZ port. If you have more than
one public server, connect a hub to the DMZ port.
It is also highly recommended that you keep all sensitive information off of the public servers connected to
the DMZ port. Store sensitive information on LAN computers.
7.2 Configuring DMZ
From the MAIN MENU, click DMZ. The screen appears as shown next.
Figure 7-1 DMZ
The following table describes the fields in this screen.
Table 7-1 DMZ
LABEL DESCRIPTION
DMZ TCP/IP
IP Address Type the IP address of your ZyWALL in dotted decimal notation 192.168.1.1
(factory default).
IP Subnet Mask The subnet mask specifies the network number portion of an IP address. Your
ZyWALL will automatically calculate the subnet mask based on the IP address that
you assign. Unless you are implementing subnetting, use the subnet mask
computed by the ZyWALL 255.255.255.0.
RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to
exchange routing information with other routers. The RIP Direction field controls
the sending and receiving of RIP packets. Select the RIP direction from Both, In Only,
Out Only or None. When set to Both or Out Only, the ZyWALL broadcasts its routing
table periodically. When set to Both or In Only, it incorporates the RIP information that
it receives; when set to None, it neither sends RIP packets nor acts on any it receives.
Both is the default. Note that with Both or In Only any host on the DMZ segment can
feed routes to the ZyWALL, and RIP-1 updates carry no authentication; unless a router on
the DMZ genuinely needs to exchange routes with the ZyWALL, None (or Out Only) is the
safer setting for a segment that hosts public servers.
Table 7-1 DMZ (continued)
LABEL DESCRIPTION
RIP Version The RIP Version field controls the format and the broadcasting method of the RIP
packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1
is universally supported but RIP-2 carries more information. RIP-1 is probably
adequate for most networks, unless you have an unusual network topology. Both
RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that
RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting
can reduce the load on non-router machines since they generally do not listen to
the RIP multicast address and so will not receive the RIP packets. However, if one
router uses multicasting, then all routers on your network must use multicasting,
also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Management Protocol) is
a network-layer protocol used to establish membership in a multicast group; it is
not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over
version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to
read more detailed information about interoperability between IGMP version 2 and
version 1, please see sections 4 and 5 of RFC 2236.
Windows Networking (NetBIOS over TCP/IP)
Allow from DMZ to LAN Click this option to forward NetBIOS packets from the DMZ port to the LAN port.
Allow from DMZ to WAN Click this option to forward NetBIOS packets from the DMZ port to the WAN port.
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
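The following is an added example, not code from the ZyXEL user guide or the ZyWALL firmware. It parses RIP-1 and RIP-2 packets of the kind the RIP Direction and RIP Version fields above control, and checks a received update against those settings: whether the configured direction would accept it at all, whether the update is unauthenticated (every RIP-1 update is; a RIP-2 update may carry an authentication entry), whether it advertises a default route, and whether a RIP-2M configuration is receiving updates that were not sent to the RIP-2 multicast address 224.0.0.9. The sample packets, the configuration dictionaries and the function names are assumptions made for the example.

```python
import ipaddress
import struct

# Added example, not ZyWALL code: parse RIP packets seen on the DMZ segment and
# check them against the DMZ screen's RIP Direction / RIP Version settings.
RIP2_MULTICAST = "224.0.0.9"     # RIP-2M destination; RIP-1 and RIP-2B use broadcast
RIP_REQUEST, RIP_RESPONSE = 1, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF     # 0xFFFF marks a RIP-2 authentication entry
RIP_INFINITY = 16                # metric 16 means the route is unreachable/withdrawn


def parse_rip(payload):
    """Return command, version, the advertised routes and any RIP-2 authentication entry."""
    if len(payload) < 4 or (len(payload) - 4) % 20 != 0:
        raise ValueError("malformed RIP packet")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    routes, auth = [], None
    for off in range(4, len(payload), 20):
        afi, tag, addr, mask, nexthop, metric = struct.unpack("!HH4s4s4sI", payload[off:off + 20])
        if afi == AFI_AUTH and version == 2:
            auth = {"type": tag, "data": payload[off + 4:off + 20]}
            continue
        if afi != AFI_IP:
            raise ValueError("unsupported address family %d" % afi)
        routes.append({
            "prefix": str(ipaddress.ip_address(addr)),
            # RIP-1 entries carry no mask or next hop (classful routing)
            "mask": None if version == 1 else str(ipaddress.ip_address(mask)),
            "next_hop": None if version == 1 else str(ipaddress.ip_address(nexthop)),
            "metric": metric,
        })
    return {"command": command, "version": version, "routes": routes, "auth": auth}


def build_rip(command, version, routes, auth=None):
    """Build a RIP packet; routes are (prefix, mask, next_hop, metric) tuples,
    auth is an optional (auth_type, data) pair for RIP-2."""
    pkt = struct.pack("!BBH", command, version, 0)
    if auth is not None and version == 2:
        pkt += struct.pack("!HH", AFI_AUTH, auth[0]) + auth[1].ljust(16, b"\0")[:16]
    for prefix, mask, next_hop, metric in routes:
        zero = b"\0" * 4
        pkt += struct.pack("!HH4s4s4sI", AFI_IP, 0,
                           ipaddress.ip_address(prefix).packed,
                           ipaddress.ip_address(mask).packed if version == 2 else zero,
                           ipaddress.ip_address(next_hop).packed if version == 2 else zero,
                           metric)
    return pkt


def check_rip_update(zone_config, dst_ip, payload):
    """Findings for a RIP packet received on an interface configured as in the DMZ screen.
    zone_config = {"direction": Both|In Only|Out Only|None, "version": RIP-1|RIP-2B|RIP-2M}."""
    findings = []
    pkt = parse_rip(payload)
    if pkt["command"] != RIP_RESPONSE:
        return findings
    if zone_config["direction"] not in ("Both", "In Only"):
        findings.append("RIP response received but direction is %s: ignored" % zone_config["direction"])
        return findings
    if pkt["version"] == 1 or pkt["auth"] is None:
        findings.append("unauthenticated RIP-%d update accepted" % pkt["version"])
    if zone_config["version"] == "RIP-2M" and dst_ip != RIP2_MULTICAST:
        findings.append("RIP-2M configured but update was addressed to %s" % dst_ip)
    for r in pkt["routes"]:
        if r["prefix"] == "0.0.0.0":
            findings.append("default route advertised with metric %d" % r["metric"])
        if r["metric"] >= RIP_INFINITY:
            findings.append("route %s mask %s withdrawn (metric %d)"
                            % (r["prefix"], r["mask"] or "classful", r["metric"]))
    return findings


# Constructed sample: a RIP-1 response broadcast from a DMZ host that pushes a default route.
DMZ_DEFAULTS = {"direction": "Both", "version": "RIP-1"}
SAMPLE_RIP1 = build_rip(RIP_RESPONSE, 1, [("0.0.0.0", "0.0.0.0", "0.0.0.0", 1)])
```

With the DMZ screen left at its defaults (Both, RIP-1), check_rip_update(DMZ_DEFAULTS, "192.168.1.255", SAMPLE_RIP1) reports that an unauthenticated update was accepted and that it carried a default route, which is exactly the case the RIP Direction caveat describes: a host on the public-server segment redirecting the ZyWALL's default route. With direction None the same packet is simply ignored.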
Chapter 8
WAN Screens
This chapter describes how to configure WAN settings. Dial-backup applies to the ZyWALL 100,
30W and 10W (see Table 1-1 Model Specific Features). The Route and Traffic Redirect screens do
not apply to the ZyWALL 10.
8.1 WAN Overview
See the Wizard Setup chapter for more information on the fields in the WAN screens.
8.2 TCP/IP Priority (Metric)
The metric represents the "cost of transmission". A router determines the best route for transmission by
choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a
minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number
greater than "15" means the link is down. The smaller the number, the lower the "cost".
The metric sets the priority for the ZyWALL’s routes to the Internet. If any two of the default routes have the
same metric, the ZyWALL uses the following pre-defined priorities:
1. Normal route: designated by the ISP (see section 8.5) or a static route (see the IP Static Route Setup
chapter)
2. Traffic-redirect route (see section 8.8)
3. Dial-backup route (see section 8.9)
For example, if the normal route has a metric of "1", the traffic-redirect route a metric of "2" and the
dial-backup route a metric of "3", then the normal route acts as the primary default route. If the normal route
fails to connect to the Internet, the ZyWALL tries the traffic-redirect route next. In the same manner, the
ZyWALL uses the dial-backup route if the traffic-redirect route also fails.
If you want the dial-backup route to take first priority over the traffic-redirect route or even the normal route,
all you need to do is set the dial-backup route’s metric to "1" and the others to "2" (or greater).
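The following is an added example, not code from the ZyXEL user guide or the ZyWALL firmware. It encodes the selection rule just described: the usable route with the lowest metric is the primary default route, equal metrics are resolved by the pre-defined order (normal, then traffic redirect, then dial backup), and a metric above 15 marks a path as down. The same rule explains the "14" and "15" values suggested for the Route screen in section 8.3. The class and function names are assumptions made for the example.

```python
from dataclasses import dataclass

# Added example, not ZyWALL code: default-route selection by metric with the
# pre-defined tie-break order from section 8.2.
TIE_BREAK = {"normal": 0, "traffic-redirect": 1, "dial-backup": 2}
RIP_INFINITY = 16  # a metric above 15 means the link is down


@dataclass
class DefaultRoute:
    kind: str        # "normal", "traffic-redirect" or "dial-backup"
    metric: int      # 1..15 for a usable path
    up: bool = True  # result of the connectivity check for this path


def is_usable(route):
    return route.up and 1 <= route.metric < RIP_INFINITY


def preference(route):
    """Lower metric wins; equal metrics fall back to the pre-defined order."""
    return (route.metric, TIE_BREAK[route.kind])


def failover_order(routes):
    """All usable routes, most preferred first: the order the ZyWALL tries them in."""
    return [r.kind for r in sorted(filter(is_usable, routes), key=preference)]


def active_route(routes):
    """The route in use now, or None if every path is down."""
    order = failover_order(routes)
    return order[0] if order else None
```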
8.3 Configuring Route
Click WAN to open the Route screen.
Figure 8-1 WAN Setup: Route
The following table describes the fields in this screen.
Table 8-1 WAN Setup: Route
LABEL DESCRIPTION
WAN The default metric for the WAN connection is "1", as your broadband connection via the WAN
port should always be your preferred method of accessing the WAN. The default priority of the
routes is WAN, Traffic Redirect and then Dial Backup (dial backup does not apply to all
ZyWALL models).
Traffic Redirect / Dial Backup You have two choices for an auxiliary connection in the event that your
regular WAN connection goes down. If Dial Backup is preferred to Traffic Redirect, then type
"14" in the Dial Backup Priority (metric) field (and leave the Traffic Redirect Priority
(metric) at the default of "15").
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
8.4 Configuring WAN ISP
To change your ZyWALL’s WAN ISP settings, click WAN, then the WAN ISP tab. The screen differs by the
encapsulation.
8.4.1 Ethernet Encapsulation
The screen shown next is for Ethernet encapsulation.
Figure 8-2 Ethernet Encapsulation
The following table describes the fields in this screen.
Table 8-2 Ethernet Encapsulation
LABEL DESCRIPTION
Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type
User Name Type the user name given to you by your ISP.
Password Type the password associated with the user name above.
The following fields do not appear with the Standard service type.
Type the authentication server IP address here if your ISP gave you one.
Type the domain name of the Telia login server, for example "login1.telia.com".
Relogin Period (min) (Telia Login only) The Telia server logs the ZyWALL out if the ZyWALL does not log
in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between
logins.
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
8.4.2 PPPoE Encapsulation
The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is described in RFC 2516,
which specifies how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless,
etc.) connection. The PPPoE option is for a dial-up connection using PPPoE.
For the service provider, PPPoE offers an access and authentication method that works with existing access
control systems (for example Radius). PPPoE provides a login and authentication method that the existing
Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures
for Windows users.
One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function
known as dynamic service selection. This enables the service provider to easily create and offer new IP
services for individuals.
Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific
configuration of the broadband modem at the customer site.
By implementing PPPoE directly on the ZyWALL (rather than on individual computers), the computers on the
LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with
NAT, all of the LAN's computers will have access.
The screen shown next is for PPPoE encapsulation.