ZyXEL 2WG User Manual

ZyWALL 2WG
Internet Security Appliance

User’s Guide

Version 4.02 1/2007 Edition 1
www.zyxel.com
About This User's Guide
Intended Audience
This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Related Documentation
• Quick Start Guide The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
• Web Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information.
• Supporting Disk Refer to the included CD for support documents.
• ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications.
User Guide Feedback
Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw
ZyWALL 2WG User’s Guide

Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warnings tell you about things that could harm you or your device.
Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
• The ZyWALL 2WG may be referred to as the “ZyWALL”, the “device” or the “system” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the “enter” or “return” key on your keyboard.
• “Enter” means for you to type one or more characters and then press the [ENTER] key. “Select” or “choose” means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
• Units of measurement may denote the “metric” value or the “scientific” value. For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
Icons shown: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router.

Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
• Always disconnect all cables from this device before servicing or disassembling.
• Use ONLY an appropriate power adaptor or cord for your device.
• Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT plug the detachable plug into a wall outlet by itself; always attach the plug to the power adaptor first, then insert it into the wall outlet.
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the power outlet.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
• CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose of them at the applicable collection point for the recycling of electrical and electronic equipment. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
• Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
This product is recyclable. Dispose of it properly.

Contents Overview
Introduction ............................................................................................................................ 49
Getting to Know Your ZyWALL .................................................................................................. 51
Introducing the Web Configurator .............................................................................................. 55
Wizard Setup ............................................................................................................................. 75
Tutorial ....................................................................................................................................... 95
Registration ............................................................................................................................. 107
Network ................................................................................................................................. 111
LAN Screens ............................................................................................................................113
Bridge Screens ........................................................................................................................ 125
WAN Screens .......................................................................................................................... 131
DMZ Screens ........................................................................................................................... 163
Wireless LAN ........................................................................................................................... 173
Security ................................................................................................................................. 199
Firewall .................................................................................................................................... 201
Content Filtering Screens ........................................................................................................ 231
Content Filtering Reports ......................................................................................................... 249
IPSec VPN ............................................................................................................................... 257
Certificates ............................................................................................................................... 297
Authentication Server .............................................................................................................. 323
Advanced .............................................................................................................................. 327
Network Address Translation (NAT) ........................................................................................ 329
Static Route ............................................................................................................................. 345
Policy Route ............................................................................................................................ 349
Bandwidth Management .......................................................................................................... 355
DNS ......................................................................................................................................... 371
Remote Management ..............................................................................................................383
UPnP ....................................................................................................................................... 405
ALG Screen ............................................................................................................................. 415
Reports, Logs and Maintenance .........................................................................................421
Logs Screens ........................................................................................................................... 423
Maintenance ............................................................................................................................ 451
SMT and Troubleshooting ................................................................................................... 467
Introducing the SMT ................................................................................................................ 469
SMT Menu 1 - General Setup .................................................................................................. 477
WAN and Dial Backup Setup ................................................................................................... 483
LAN Setup ............................................................................................................................... 497
Internet Access ........................................................................................................................ 503
DMZ Setup .............................................................................................................................. 509
Route Setup ............................................................................................................................. 513
Wireless Setup ........................................................................................................................ 517
Remote Node Setup ................................................................................................................ 521
IP Static Route Setup .............................................................................................................. 529
Network Address Translation (NAT) ........................................................................................ 533
Introducing the ZyWALL Firewall ............................................................................................. 553
Filter Configuration .................................................................................................................. 555
SNMP Configuration ................................................................................................................ 571
System Information & Diagnosis ............................................................................................. 573
Firmware and Configuration File Maintenance ........................................................................ 585
System Maintenance Menus 8 to 10 ....................................................................................... 599
Remote Management ..............................................................................................................607
IP Policy Routing ......................................................................................................................611
Call Scheduling ........................................................................................................................ 619
Troubleshooting ....................................................................................................................... 623
Appendices and Index ......................................................................................................... 629

Table of Contents
About This User's Guide ..........................................................................................................3
Document Conventions............................................................................................................4
Safety Warnings........................................................................................................................ 6
Contents Overview ...................................................................................................................9
Table of Contents.................................................................................................................... 11
List of Figures ......................................................................................................................... 29
List of Tables...........................................................................................................................41
Part I: Introduction................................................................................. 49
Chapter 1
Getting to Know Your ZyWALL.............................................................................................. 51
1.1 ZyWALL Internet Security Appliance Overview ................................................................... 51
1.2 Ways to Manage the ZyWALL ............................................................................................. 51
1.3 Good Habits for Managing the ZyWALL .............................................................................. 52
1.4 Applications for the ZyWALL ............................................................................................... 52
1.4.1 Secure Broadband Internet Access via Cable or DSL Modem .................................. 52
1.4.2 VPN Application ......................................................................................................... 53
1.4.3 3G WAN Application ................................................................................................... 53
1.4.4 Front Panel Lights ...................................................................................................... 54
Chapter 2
Introducing the Web Configurator ........................................................................................55
2.1 Web Configurator Overview ................................................................................................. 55
2.2 Accessing the ZyWALL Web Configurator .......................................................................... 55
2.3 Resetting the ZyWALL ......................................................................................................... 57
2.3.1 Procedure To Use The Reset Button ......................................................................... 57
2.3.2 Uploading a Configuration File Via Console Port ....................................................... 57
2.4 Navigating the ZyWALL Web Configurator .......................................................................... 58
2.4.1 Title Bar ...................................................................................................................... 58
2.4.2 Main Window ..............................................................................................................59
2.4.3 HOME Screen: Router Mode ................................................................................... 59
2.4.4 HOME Screen: Bridge Mode .................................................................................... 62
2.4.5 Navigation Panel ........................................................................................................ 65
2.4.6 Port Statistics ........................................................................................................... 69
2.4.7 Show Statistics: Line Chart ........................................................................................ 70
2.4.8 DHCP Table Screen ................................................................................................ 71
2.4.9 VPN Status ................................................................................................................. 72
2.4.10 Bandwidth Monitor .................................................................................................. 73
Chapter 3
Wizard Setup ........................................................................................................................... 75
3.1 Wizard Setup Overview ...................................................................................................... 75
3.2 Internet Access ................................................................................................................... 75
3.2.1 ISP Parameters .......................................................................................................... 76
3.2.2 Internet Access Wizard: Second Screen .................................................................... 80
3.2.3 Internet Access Wizard: Registration ......................................................................... 81
3.2.4 Internet Access Wizard: Status .................................................................................. 83
3.2.5 Internet Access Wizard: Service Activation ............................................................... 84
3.3 VPN Wizard Gateway Setting .............................................................................................. 84
3.4 VPN Wizard Network Setting ............................................................................................... 86
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) ................................................................... 87
3.6 VPN Wizard IPSec Setting (IKE Phase 2) ........................................................................... 89
3.7 VPN Wizard Status Summary .............................................................................................. 90
3.8 VPN Wizard Setup Complete .............................................................................................. 93
Chapter 4
Tutorial ..................................................................................................................................... 95
4.1 Security Settings for VPN Traffic ......................................................................................... 95
4.2 Firewall Rule for VPN Example ........................................................................................... 95
4.2.1 Configuring the VPN Rule .......................................................................................... 96
4.2.2 Configuring the Firewall Rules ................................................................................... 99
4.3 How to Set up a 3G WAN Connection ............................................................................... 103
4.3.1 Configuring 3G WAN Settings .................................................................................. 103
4.3.2 Configuring Load Balancing ..................................................................................... 104
4.3.3 Inserting a 3G Card .................................................................................................. 104
4.3.4 Checking WAN Connections .................................................................................... 104
Chapter 5
Registration........................................................................................................................... 107
5.1 myZyXEL.com overview .................................................................................................... 107
5.1.1 Content Filtering Subscription Service ..................................................................... 107
5.2 Registration ....................................................................................................................... 108
5.3 Service ............................................................................................................................... 109
Part II: Network...................................................................................... 111
Chapter 6
LAN Screens.......................................................................................................................... 113
6.1 LAN, WAN and the ZyWALL ...............................................................................................113
6.2 IP Address and Subnet Mask .............................................................................................113
6.2.1 Private IP Addresses .................................................................................................114
6.3 DHCP .................................................................................................................................115
6.3.1 IP Pool Setup ............................................................................................................115
6.4 RIP Setup ...........................................................................................................................115
6.5 Multicast .............................................................................................................................115
6.6 WINS ..................................................................................................................................116
6.7 LAN .....................................................................................................................................116
6.8 LAN Static DHCP ................................................................................................................119
6.9 LAN IP Alias .................................................................................................................... 120
6.10 LAN Port Roles ................................................................................................................ 122
Chapter 7
Bridge Screens...................................................................................................................... 125
7.1 Bridge Loop ....................................................................................................................... 125
7.2 Spanning Tree Protocol (STP) ........................................................................................... 126
7.2.1 Rapid STP ................................................................................................................126
7.2.2 STP Terminology ...................................................................................................... 126
7.2.3 How STP Works ....................................................................................................... 126
7.2.4 STP Port States ........................................................................................................ 127
7.3 Bridge ................................................................................................................................ 127
7.4 Bridge Port Roles ............................................................................................................. 129
Chapter 8
WAN Screens......................................................................................................................... 131
8.1 WAN Overview .................................................................................................................. 131
8.2 Multiple WAN ..................................................................................................................... 131
8.3 Load Balancing Introduction .............................................................................................. 132
8.4 Load Balancing Algorithms ................................................................................................ 132
8.4.1 Least Load First ....................................................................................................... 132
8.4.2 Weighted Round Robin ............................................................................................ 133
8.4.3 Spillover .................................................................................................................... 134
8.5 TCP/IP Priority (Metric) ...................................................................................................... 135
8.6 WAN General ..................................................................................................................... 135
8.7 Configuring Load Balancing .............................................................................................. 139
8.7.1 Least Load First ....................................................................................................... 139
8.7.2 Weighted Round Robin ............................................................................................ 140
8.7.3 Spillover .................................................................................................................... 140
8.8 WAN IP Address Assignment ............................................................................................ 141
8.9 DNS Server Address Assignment ..................................................................................... 142
8.10 WAN MAC Address ......................................................................................................... 142
8.11 WAN 1 ............................................................................................................................ 143
8.11.1 WAN Ethernet Encapsulation ................................................................................. 143
8.11.2 PPPoE Encapsulation ............................................................................................ 146
8.11.3 PPTP Encapsulation ............................................................................................... 149
8.12 WAN 2 (3G WAN) ...........................................................................................................152
8.13 Traffic Redirect ........................................................................................................... 156
8.14 Configuring Traffic Redirect ............................................................................................. 156
8.15 Configuring Dial Backup .................................................................................................. 157
8.16 Advanced Modem Setup ............................................................................................... 160
8.16.1 AT Command Strings ............................................................................................. 160
8.16.2 DTR Signal ............................................................................................................. 161
8.16.3 Response Strings ................................................................................................... 161
8.17 Configuring Advanced Modem Setup .............................................................................. 161
Chapter 9
DMZ Screens ......................................................................................................................... 163
9.1 DMZ ................................................................................................................................. 163
9.2 Configuring DMZ ............................................................................................................... 163
9.3 DMZ Static DHCP ............................................................................................................ 166
9.4 DMZ IP Alias .................................................................................................................... 167
9.5 DMZ Public IP Address Example ...................................................................................... 169
9.6 DMZ Private and Public IP Address Example ................................................................... 170
9.7 DMZ Port Roles ............................................................................................................... 171
Chapter 10
Wireless LAN.........................................................................................................................173
10.1 Wireless LAN Introduction ............................................................................................... 173
10.2 Configuring WLAN ......................................................................................................... 174
10.3 WLAN Static DHCP ....................................................................................................... 177
10.4 WLAN IP Alias ............................................................................................................... 178
10.5 WLAN Port Roles ........................................................................................................... 180
10.6 Wireless Security Overview ............................................................................................. 182
10.6.1 SSID ....................................................................................................................... 182
10.6.2 MAC Address Filter ................................................................................................ 183
10.6.3 User Authentication ................................................................................................ 183
10.6.4 Encryption ..............................................................................................................183
10.6.5 Additional Installation Requirements for Using 802.1x ........................................... 184
10.7 Wireless Card ................................................................................................................ 185
10.7.1 SSID Profile ...........................................................................................................187
10.8 Configuring Wireless Security ......................................................................................... 188
10.8.1 No Security .............................................................................................................190
10.8.2 Static WEP ............................................................................................................. 190
10.8.3 IEEE 802.1x Only ................................................................................................... 191
10.8.4 IEEE 802.1x + Static WEP ..................................................................................... 192
10.8.5 WPA, WPA2, WPA2-MIX ........................................................................................ 194
10.8.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX ............................................................... 195
10.9 MAC Filter ....................................................................................................................... 196
Part III: Security.................................................................................... 199
Chapter 11
Firewall................................................................................................................................... 201
11.1 Firewall Overview ............................................................................................................ 201
11.2 Packet Direction Matrix .................................................................................................... 202
11.3 Packet Direction Examples .............................................................................................. 203
11.3.1 To VPN Packet Direction ........................................................................................ 204
11.3.2 From VPN Packet Direction ................................................................................... 206
11.3.3 From VPN To VPN Packet Direction ...................................................................... 207
11.4 Security Considerations ...................................................................................................209
11.5 Firewall Rules Example ................................................................................................... 209
11.6 Asymmetrical Routes ........................................................................................................211
11.6.1 Asymmetrical Routes and IP Alias ..........................................................................211
11.7 Firewall Default Rule (Router Mode) ................................................................................ 212
11.8 Firewall Default Rule (Bridge Mode) .............................................................................. 214
11.9 Firewall Rule Summary ................................................................................................... 215
11.9.1 Firewall Edit Rule .............................................................................................. 217
11.10 Anti-Probing ............................................................................................................... 220
11.11 Firewall Thresholds ..................................................................................................... 221
11.11.1 Threshold Values .................................................................................................. 222
11.12 Threshold Screen ........................................................................................................... 222
11.13 Service .......................................................................................................................... 224
11.13.1 Firewall Edit Custom Service .............................................................................. 225
11.14 My Service Firewall Rule Example ................................................................................ 226
Chapter 12
Content Filtering Screens ....................................................................................................231
12.1 Content Filtering Overview .............................................................................................. 231
12.1.1 Restrict Web Features ........................................................................................... 231
12.1.2 Create a Filter List .................................................................................................. 231
12.1.3 Customize Web Site Access ................................................................................. 231
12.2 Content Filter General Screen ........................................................................................ 231
12.3 Content Filtering with an External Database ................................................................... 234
12.4 Content Filter Categories ..............................................................................................234
12.5 Content Filter Customization ........................................................................................ 243
12.6 Customizing Keyword Blocking URL Checking ............................................................... 245
12.6.1 Domain Name or IP Address URL Checking ......................................................... 246
12.6.2 Full Path URL Checking ......................................................................................... 246
12.6.3 File Name URL Checking ....................................................................................... 246
12.7 Content Filtering Cache .................................................................................................246
Chapter 13
Content Filtering Reports.....................................................................................................249
13.1 Checking Content Filtering Activation .............................................................................. 249
13.2 Viewing Content Filtering Reports ................................................................................... 249
13.3 Web Site Submission .......................................................................................................254
Chapter 14
IPSec VPN.............................................................................................................................. 257
14.1 IPSec VPN Overview ..................................................................................................... 257
14.1.1 IKE SA Overview .................................................................................................... 258
14.2 VPN Rules (IKE) .............................................................................................................. 259
14.3 IKE SA Setup .................................................................................................................. 261
14.3.1 IKE SA Proposal .................................................................................................... 261
14.4 Additional IPSec VPN Topics ........................................................................................... 265
14.4.1 SA Life Time ........................................................................................................... 265
14.4.2 IPSec High Availability ........................................................................................... 266
14.4.3 Encryption and Authentication Algorithms ............................................................. 267
14.5 VPN Rules (IKE) Gateway Policy Edit ............................................................................. 267
14.6 IPSec SA Overview .....................................................................................................273
14.6.1 Local Network and Remote Network ...................................................................... 273
14.6.2 Active Protocol ....................................................................................................... 273
14.6.3 Encapsulation ......................................................................................................... 274
14.6.4 IPSec SA Proposal and Perfect Forward Secrecy ................................................. 274
14.7 VPN Rules (IKE): Network Policy Edit ............................................................................ 275
14.8 VPN Rules (IKE): Network Policy Move ........................................................................ 279
14.9 Dialing the VPN Tunnel via Web Configurator ................................................................. 280
14.10 VPN Troubleshooting ..................................................................................................... 281
14.10.1 VPN Log ............................................................................................................... 282
14.11 IPSec Debug .................................................................................................................. 283
14.12 IPSec SA Using Manual Keys ................................................................................... 284
14.12.1 IPSec SA Proposal Using Manual Keys ............................................................... 284
14.12.2 Authentication and the Security Parameter Index (SPI) ....................................... 284
14.13 VPN Rules (Manual) ...................................................................................................... 284
14.14 VPN Rules (Manual): Edit ........................................................................................... 286
14.15 VPN SA Monitor .......................................................................................................... 289
14.16 VPN Global Setting ....................................................................................................... 289
14.17 Telecommuter VPN/IPSec Examples ............................................................................ 291
14.17.1 Telecommuters Sharing One VPN Rule Example ................................................ 291
14.17.2 Telecommuters Using Unique VPN Rules Example ............................................. 292
14.18 VPN and Remote Management ..................................................................................... 294
14.19 Hub-and-spoke VPN ...................................................................................................... 294
14.19.1 Hub-and-spoke VPN Example ............................................................................. 295
14.19.2 Hub-and-spoke Example VPN Rule Addresses ................................................... 295
14.19.3 Hub-and-spoke VPN Requirements and Suggestions ......................................... 296
Chapter 15
Certificates ............................................................................................................................297
15.1 Certificates Overview ....................................................................................................... 297
15.1.1 Advantages of Certificates ..................................................................................... 298
15.2 Self-signed Certificates .................................................................................................... 298
15.3 Verifying a Certificate ....................................................................................................... 298
15.3.1 Checking the Fingerprint of a Certificate on Your Computer .................................. 298
15.4 Configuration Summary ................................................................................................... 299
15.5 My Certificates ................................................................................................................ 300
15.6 My Certificate Details ..................................................................................................... 301
15.7 My Certificate Export ...................................................................................................... 304
15.7.1 Certificate File Export Formats ............................................................................... 304
15.8 My Certificate Import ..................................................................................................... 305
15.8.1 Certificate File Formats .......................................................................................... 306
15.9 My Certificate Create ..................................................................................................... 308
15.10 Trusted CAs ................................................................................................................. 310
15.11 Trusted CA Details .........................................................................................................311
15.12 Trusted CA Import ....................................................................................................... 314
15.13 Trusted Remote Hosts ................................................................................................. 315
15.14 Trusted Remote Hosts Import ...................................................................................... 317
15.15 Trusted Remote Host Certificate Details ..................................................................... 318
15.16 Directory Servers .......................................................................................................... 320
15.17 Directory Server Add or Edit ........................................................................................ 321
Chapter 16
Authentication Server...........................................................................................................323
16.1 Authentication Server Overview ...................................................................................... 323
16.1.1 Local User Database .............................................................................................. 323
16.1.2 RADIUS ..................................................................................................................323
16.2 Local User Database .....................................................................................................323
16.3 RADIUS ......................................................................................................................... 325
Part IV: Advanced ................................................................................ 327
Chapter 17
Network Address Translation (NAT).................................................................................... 329
17.1 NAT Overview ................................................................................................................ 329
17.1.1 NAT Definitions ...................................................................................................... 329
17.1.2 What NAT Does ..................................................................................................... 330
17.1.3 How NAT Works ..................................................................................................... 330
17.1.4 NAT Application ...................................................................................................... 331
17.1.5 Port Restricted Cone NAT ...................................................................................... 332
17.1.6 NAT Mapping Types ............................................................................................... 332
17.2 Using NAT ........................................................................................................................ 333
17.2.1 SUA (Single User Account) Versus NAT ................................................................ 333
17.3 NAT Overview Screen ..................................................................................................... 334
17.4 NAT Address Mapping ................................................................................................... 335
17.4.1 What NAT Does ..................................................................................................... 335
17.4.2 NAT Address Mapping Edit .................................................................................. 337
17.5 Port Forwarding .............................................................................................................. 338
17.5.1 Default Server IP Address ...................................................................................... 339
17.5.2 Port Forwarding: Services and Port Numbers ........................................................ 339
17.5.3 Configuring Servers Behind Port Forwarding (Example) ....................................... 340
17.5.4 NAT and Multiple WAN ........................................................................................... 340
17.5.5 Port Translation ...................................................................................................... 340
17.6 Port Forwarding Screen ................................................................................................... 341
17.7 Port Triggering ............................................................................................................... 343
Chapter 18
Static Route ........................................................................................................................... 345
18.1 IP Static Route .............................................................................................................. 345
18.2 IP Static Route ................................................................................................................. 345
18.2.1 IP Static Route Edit .............................................................................................. 347
Chapter 19
Policy Route .......................................................................................................................... 349
19.1 Policy Route ................................................................................................................... 349
19.2 Benefits ............................................................................................................................ 349
19.3 Routing Policy .................................................................................................................. 349
19.4 IP Routing Policy Setup ...................................................................................................350
19.5 Policy Route Edit ............................................................................................................ 351
Chapter 20
Bandwidth Management.......................................................................................................355
20.1 Bandwidth Management Overview ................................................................................. 355
20.2 Bandwidth Classes and Filters ........................................................................................ 355
20.3 Proportional Bandwidth Allocation ................................................................................... 356
20.4 Application-based Bandwidth Management .................................................................... 356
20.5 Subnet-based Bandwidth Management .......................................................................... 356
20.6 Application and Subnet-based Bandwidth Management ................................................. 356
20.7 Scheduler ........................................................................................................................ 357
20.7.1 Priority-based Scheduler ........................................................................................ 357
20.7.2 Fairness-based Scheduler ..................................................................................... 357
20.7.3 Maximize Bandwidth Usage ................................................................................... 357
20.7.4 Reserving Bandwidth for Non-Bandwidth Class Traffic .......................................... 357
20.7.5 Maximize Bandwidth Usage Example .................................................................... 358
20.8 Bandwidth Borrowing .......................................................................................................359
20.8.1 Bandwidth Borrowing Example .............................................................................. 359
20.9 Maximize Bandwidth Usage With Bandwidth Borrowing ................................................. 360
20.10 Over Allotment of Bandwidth ......................................................................................... 361
20.11 Configuring Summary .................................................................................................... 361
20.12 Configuring Class Setup .............................................................................................. 363
20.12.1 Bandwidth Manager Class Configuration ........................................................... 364
20.12.2 Bandwidth Management Statistics ................................................................... 367
20.13 Bandwidth Manager Monitor ........................................................................................ 368
Chapter 21
DNS ........................................................................................................................................ 371
21.1 DNS Overview ............................................................................................................... 371
21.2 DNS Server Address Assignment ................................................................................... 371
21.3 DNS Servers .................................................................................................................... 371
21.4 Address Record ............................................................................................................... 372
21.4.1 DNS Wildcard ......................................................................................................... 372
21.5 Name Server Record ....................................................................................................... 372
21.5.1 Private DNS Server ................................................................................................ 372
21.6 System Screen ................................................................................................................ 373
21.6.1 Adding an Address Record .................................................................................. 375
21.6.2 Inserting a Name Server Record .......................................................................... 376
21.7 DNS Cache .................................................................................................................... 377
21.8 Configure DNS Cache ..................................................................................................... 377
21.9 Configuring DNS DHCP ................................................................................................ 379
21.10 Dynamic DNS .............................................................................................................. 380
21.10.1 DYNDNS Wildcard ............................................................................................... 380
21.10.2 High Availability .................................................................................................... 381
21.11 Configuring Dynamic DNS ............................................................................................. 381
Chapter 22
Remote Management............................................................................................................ 383
22.1 Remote Management Overview ...................................................................................... 383
22.1.1 Remote Management Limitations .......................................................................... 384
22.1.2 System Timeout ..................................................................................................... 384
22.2 WWW (HTTP and HTTPS) ............................................................................................. 384
22.3 WWW .............................................................................................................................. 385
22.4 HTTPS Example .............................................................................................................. 387
22.4.1 Internet Explorer Warning Messages ..................................................................... 387
22.4.2 Netscape Navigator Warning Messages ................................................................ 387
22.4.3 Avoiding the Browser Warning Messages .............................................................. 388
22.4.4 Login Screen .......................................................................................................... 389
22.5 SSH .............................................................................................................................. 391
22.6 How SSH Works .............................................................................................................. 391
22.7 SSH Implementation on the ZyWALL .............................................................................. 392
22.7.1 Requirements for Using SSH ................................................................................. 392
22.8 Configuring SSH .............................................................................................................. 393
22.9 Secure Telnet Using SSH Examples ............................................................................... 394
22.9.1 Example 1: Microsoft Windows .............................................................................. 394
22.9.2 Example 2: Linux .................................................................................................... 394
22.10 Secure FTP Using SSH Example .................................................................................. 395
22.11 Telnet ........................................................................................................................... 396
22.12 Configuring TELNET ..................................................................................................... 396
22.13 FTP .............................................................................................................................. 397
22.14 SNMP .......................................................................................................................... 398
22.14.1 Supported MIBs .................................................................................................. 399
22.14.2 SNMP Traps ......................................................................................................... 400
22.14.3 REMOTE MANAGEMENT: SNMP ....................................................................... 400
22.15 DNS ............................................................................................................................. 401
22.16 Introducing Vantage CNM ............................................................................................. 402
22.17 Configuring CNM ........................................................................................................... 402
Chapter 23
UPnP ...................................................................................................................................... 405
23.1 Universal Plug and Play Overview ................................................................................ 405
23.1.1 How Do I Know If I'm Using UPnP? ....................................................................... 405
23.1.2 NAT Traversal ........................................................................................................ 405
23.1.3 Cautions with UPnP ............................................................................................... 405
23.1.4 UPnP and ZyXEL ................................................................................................... 406
23.2 Configuring UPnP ............................................................................................................ 406
23.3 Displaying UPnP Port Mapping .................................................................................... 407
23.4 Installing UPnP in Windows Example .............................................................................. 408
23.4.1 Installing UPnP in Windows Me ............................................................................. 409
23.4.2 Installing UPnP in Windows XP ............................................................................. 410
23.5 Using UPnP in Windows XP Example ............................................................................. 410
23.5.1 Auto-discover Your UPnP-enabled Network Device ...............................................411
23.5.2 Web Configurator Easy Access ............................................................................. 412
Chapter 24
ALG Screen ........................................................................................................................... 415
24.1 ALG Introduction ............................................................................................................. 415
24.1.1 ALG and NAT ......................................................................................................... 415
24.1.2 ALG and the Firewall .............................................................................................. 415
24.1.3 ALG and Multiple WAN .......................................................................................... 416
24.2 FTP .................................................................................................................................. 416
24.3 H.323 ............................................................................................................................... 416
24.4 RTP .................................................................................................................................. 416
24.4.1 H.323 ALG Details ................................................................................................. 416
24.5 SIP ................................................................................................................................... 418
24.5.1 STUN ..................................................................................................................... 418
24.5.2 SIP ALG Details ..................................................................................................... 418
24.5.3 SIP Signaling Session Timeout .............................................................................. 419
24.5.4 SIP Audio Session Timeout .................................................................................... 419
24.6 ALG Screen ..................................................................................................................... 419
Part V: Reports, Logs and Maintenance ............................................ 421
Chapter 25
Logs Screens ........................................................................................................................423
25.1 Configuring View Log ...................................................................................................... 423
25.2 Log Description Example ................................................................................................. 424
25.2.1 About the Certificate Not Trusted Log .................................................................... 425
25.3 Configuring Log Settings ................................................................................................ 426
25.4 Configuring Reports ....................................................................................................... 429
25.4.1 Viewing Web Site Hits ............................................................................................ 431
25.4.2 Viewing Host IP Address ........................................................................................ 431
25.4.3 Viewing Protocol/Port ............................................................................................. 432
25.4.4 System Reports Specifications ............................................................................... 434
25.5 Log Descriptions .............................................................................................................. 434
25.6 Syslog Logs ..................................................................................................................... 448
Chapter 26
Maintenance .......................................................................................................................... 451
26.1 Maintenance Overview .................................................................................................... 451
26.2 General Setup and System Name ................................................................................... 451
26.2.1 General Setup ....................................................................................................... 451
ZyWALL 2WG User’s Guide
21
Table of Contents
26.3 Configuring Password .................................................................................................... 452
26.4 Time and Date ................................................................................................................ 453
26.5 Pre-defined NTP Time Server Pools ............................................................................... 456
26.5.1 Resetting the Time ................................................................................................. 456
26.5.2 Time Server Synchronization ................................................................................. 456
26.6 Introduction To Transparent Bridging ............................................................................... 457
26.7 Transparent Firewalls ...................................................................................................... 458
26.8 Configuring Device Mode (Router) ................................................................................. 458
26.9 Configuring Device Mode (Bridge) ................................................................................. 460
26.10 F/W Upload Screen ...................................................................................................... 461
26.11 Backup and Restore ..................................................................................................... 463
26.11.1 Backup Configuration ........................................................................................... 464
26.11.2 Restore Configuration .......................................................................................... 464
26.11.3 Back to Factory Defaults ..................................................................................... 465
26.12 Restart Screen .............................................................................................................. 466
Part VI: SMT and Troubleshooting ..................................................... 467
Chapter 27
Introducing the SMT .............................................................................................................469
27.1 Introduction to the SMT ...................................................................................................469
27.2 Accessing the SMT via the Console Port ........................................................................ 469
27.2.1 Initial Screen ..........................................................................................................469
27.2.2 Entering the Password ........................................................................................... 470
27.3 Navigating the SMT Interface .......................................................................................... 470
27.3.1 Main Menu ............................................................................................................. 471
27.3.2 SMT Menus Overview ............................................................................................ 473
27.4 Changing the System Password ..................................................................................... 474
27.5 Resetting the ZyWALL ..................................................................................................... 475
Chapter 28
SMT Menu 1 - General Setup ............................................................................................... 477
28.1 Introduction to General Setup .......................................................................................... 477
28.2 Configuring General Setup .............................................................................................. 477
28.2.1 Configuring Dynamic DNS ..................................................................................... 479
Chapter 29
WAN and Dial Backup Setup................................................................................................ 483
29.1 Introduction to WAN, 3G WAN and Dial Backup Setup ................................................... 483
29.2 WAN Setup ...................................................................................................................... 483
29.3 Dial Backup ..................................................................................................................... 484
29.3.1 Configuring Dial Backup in Menu 2 ........................................................................ 484
29.3.2 Advanced WAN Setup ........................................................................................... 485
29.3.3 Remote Node Profile (Backup ISP) ........................................................................ 487
29.3.4 Editing TCP/IP Options .......................................................................................... 489
29.3.5 Editing Login Script ................................................................................................ 490
29.3.6 Remote Node Filter ................................................................................................ 492
29.4 3G WAN ........................................................................................................................... 492
29.4.1 3G Modem Setup ................................................................................................... 492
29.4.2 Remote Node Profile (3G WAN) ............................................................................ 493
Chapter 30
LAN Setup.............................................................................................................................. 497
30.1 Introduction to LAN Setup ............................................................................................... 497
30.2 Accessing the LAN Menus .............................................................................................. 497
30.3 LAN Port Filter Setup ....................................................................................................... 497
30.4 TCP/IP and DHCP Ethernet Setup Menu ........................................................................ 498
30.4.1 IP Alias Setup ......................................................................................................... 501
Chapter 31
Internet Access ..................................................................................................................... 503
31.1 Introduction to Internet Access Setup .............................................................................. 503
31.2 Ethernet Encapsulation ................................................................................................... 503
31.3 Configuring the PPTP Client ............................................................................................ 505
31.4 Configuring the PPPoE Client ......................................................................................... 506
31.5 Basic Setup Complete ..................................................................................................... 507
Chapter 32
DMZ Setup ............................................................................................................................. 509
32.1 Configuring DMZ Setup ................................................................................................... 509
32.2 DMZ Port Filter Setup ...................................................................................................... 509
32.3 TCP/IP Setup ................................................................................................................... 510
32.3.1 IP Address ..............................................................................................................510
32.3.2 IP Alias Setup ..........................................................................................................511
Chapter 33
Route Setup........................................................................................................................... 513
33.1 Configuring Route Setup ................................................................................................. 513
33.2 Route Assessment ..........................................................................................................513
33.3 Traffic Redirect ................................................................................................................ 514
33.4 Route Failover ................................................................................................................. 515
Chapter 34
Wireless Setup ...................................................................................................................... 517
34.1 TCP/IP Setup ................................................................................................................... 517
34.1.1 IP Address ..............................................................................................................517
34.1.2 IP Alias Setup ......................................................................................................... 518
Chapter 35
Remote Node Setup..............................................................................................................521
35.1 Introduction to Remote Node Setup ................................................................................ 521
35.2 Remote Node Setup ........................................................................................................ 521
35.3 Remote Node Profile Setup ............................................................................................. 521
35.3.1 Ethernet Encapsulation .......................................................................................... 522
35.3.2 PPPoE Encapsulation ............................................................................................ 523
35.3.3 PPTP Encapsulation .............................................................................................. 524
35.4 Edit IP .............................................................................................................................. 525
35.5 Remote Node Filter ......................................................................................................... 527
Chapter 36
IP Static Route Setup............................................................................................................ 529
36.1 IP Static Route Setup ...................................................................................................... 529
Chapter 37
Network Address Translation (NAT).................................................................................... 533
37.1 Using NAT ........................................................................................................................ 533
37.1.1 SUA (Single User Account) Versus NAT ................................................................ 533
37.1.2 Applying NAT ......................................................................................................... 533
37.2 NAT Setup ....................................................................................................................... 535
37.2.1 Address Mapping Sets ........................................................................................... 536
37.3 Configuring a Server behind NAT .................................................................................... 540
37.4 General NAT Examples ................................................................................................... 543
37.4.1 Internet Access Only .............................................................................................. 543
37.4.2 Example 2: Internet Access with a Default Server ................................................. 544
37.4.3 Example 3: Multiple Public IP Addresses With Inside Servers .............................. 545
37.4.4 Example 4: NAT Unfriendly Application Programs ................................................. 548
37.5 Trigger Port Forwarding ...................................................................................................550
37.5.1 Two Points To Remember About Trigger Ports ...................................................... 550
Chapter 38
Introducing the ZyWALL Firewall ........................................................................................553
38.1 Using ZyWALL SMT Menus ............................................................................................ 553
38.1.1 Activating the Firewall ............................................................................................ 553
Chapter 39
Filter Configuration............................................................................................................... 555
39.1 Introduction to Filters ....................................................................................................... 555
39.1.1 The Filter Structure of the ZyWALL ........................................................................ 556
39.2 Configuring a Filter Set .................................................................................................... 558
39.2.1 Configuring a Filter Rule ........................................................................................ 559
39.2.2 Configuring a TCP/IP Filter Rule ............................................................................ 560
39.2.3 Configuring a Generic Filter Rule ........................................................................... 562
39.3 Example Filter .................................................................................................................. 564
39.4 Filter Types and NAT ....................................................................................................... 566
39.5 Firewall Versus Filters ..................................................................................................... 566
39.5.1 Packet Filtering: ..................................................................................................... 566
39.5.2 Firewall ................................................................................................................... 567
39.6 Applying a Filter .............................................................................................................. 567
39.6.1 Applying LAN Filters ............................................................................................... 568
39.6.2 Applying DMZ Filters .............................................................................................. 568
39.6.3 Applying Remote Node Filters ............................................................................... 569
Chapter 40
SNMP Configuration.............................................................................................................571
40.1 SNMP Configuration ........................................................................................................571
40.2 SNMP Traps .................................................................................................................... 572
Chapter 41
System Information & Diagnosis.........................................................................................573
41.1 Introduction to System Status .......................................................................................... 573
41.2 System Status .................................................................................................................. 573
41.3 System Information and Console Port Speed .................................................................. 575
41.3.1 System Information ................................................................................................ 575
41.3.2 Console Port Speed ............................................................................................... 576
41.4 Log and Trace .................................................................................................................. 577
41.4.1 Viewing Error Log ................................................................................................... 577
41.4.2 Syslog Logging ....................................................................................................... 578
41.4.3 Call-Triggering Packet ............................................................................................ 581
41.5 Diagnostic ........................................................................................................................ 582
41.5.1 WAN DHCP ............................................................................................................ 583
Chapter 42
Firmware and Configuration File Maintenance..................................................................585
42.1 Introduction ...................................................................................................................... 585
42.2 Filename Conventions ..................................................................................................... 585
42.3 Backup Configuration ......................................................................................................586
42.3.1 Backup Configuration ............................................................................................. 586
42.3.2 Using the FTP Command from the Command Line ............................................... 587
42.3.3 Example of FTP Commands from the Command Line .......................................... 587
42.3.4 GUI-based FTP Clients .......................................................................................... 588
42.3.5 File Maintenance Over WAN .................................................................................. 588
42.3.6 Backup Configuration Using TFTP ......................................................................... 588
42.3.7 TFTP Command Example ...................................................................................... 589
42.3.8 GUI-based TFTP Clients ........................................................................................ 589
42.3.9 Backup Via Console Port ....................................................................................... 589
42.4 Restore Configuration ...................................................................................................... 590
42.4.1 Restore Using FTP ................................................................................................. 591
42.4.2 Restore Using FTP Session Example .................................................................... 592
42.4.3 Restore Via Console Port ....................................................................................... 592
42.5 Uploading Firmware and Configuration Files .................................................................. 593
42.5.1 Firmware File Upload ............................................................................................. 593
42.5.2 Configuration File Upload ....................................................................................... 594
42.5.3 FTP File Upload Command from the DOS Prompt Example ................................. 595
42.5.4 FTP Session Example of Firmware File Upload .................................................... 595
42.5.5 TFTP File Upload ................................................................................................... 595
42.5.6 TFTP Upload Command Example ......................................................................... 596
42.5.7 Uploading Via Console Port ................................................................................... 596
42.5.8 Uploading Firmware File Via Console Port ............................................................ 596
42.5.9 Example Xmodem Firmware Upload Using HyperTerminal ................................... 597
42.5.10 Uploading Configuration File Via Console Port .................................................... 597
42.5.11 Example Xmodem Configuration Upload Using HyperTerminal ........................... 598
Chapter 43
System Maintenance Menus 8 to 10....................................................................................599
43.1 Command Interpreter Mode ............................................................................................ 599
43.1.1 Command Syntax ................................................................................................... 600
43.1.2 Command Usage ................................................................................................... 600
43.2 Call Control Support ........................................................................................................ 601
43.2.1 Budget Management .............................................................................................. 601
43.2.2 Call History ............................................................................................................. 602
43.3 Time and Date Setting .....................................................................................................603
Chapter 44
Remote Management............................................................................................................ 607
44.1 Remote Management ...................................................................................................... 607
44.1.1 Remote Management Limitations .......................................................................... 609
Chapter 45
IP Policy Routing .................................................................................................................. 611
45.1 IP Routing Policy Summary ..............................................................................................611
45.2 IP Routing Policy Setup ...................................................................................................612
45.2.1 Applying Policy to Packets ..................................................................................... 614
45.3 IP Policy Routing Example .............................................................................................. 615
Chapter 46
Call Scheduling..................................................................................................................... 619
46.1 Introduction to Call Scheduling ........................................................................................ 619
Chapter 47
Troubleshooting....................................................................................................................623
47.1 Power, Hardware Connections, and LEDs ...................................................................... 623
47.2 ZyWALL Access and Login .............................................................................................. 624
47.3 Internet Access ................................................................................................................ 626
Part VII: Appendices and Index .......................................................... 629
Appendix A Product Specifications.......................................................................................631
Appendix B Wall-mounting Instructions................................................................................639
Appendix C Pop-up Windows, JavaScripts and Java Permissions ...................................... 641
Appendix D Setting up Your Computer’s IP Address ...........................................................647
Appendix E IP Addresses and Subnetting ...........................................................................663
Appendix F Common Services .............................................................................................671
Appendix G Wireless LANs ..................................................................................................675
Appendix H Importing Certificates ........................................................................................ 691
Appendix I Command Interpreter .........................................................................................701
Appendix J NetBIOS Filter Commands ................................................................................709
Appendix K Brute-Force Password Guessing Protection..................................................... 711
Appendix L Legal Information............................................................................................... 713
Appendix M Customer Support ............................................................................................ 717
Index....................................................................................................................................... 721

List of Figures
Figure 1 Secure Internet Access via Cable or DSL Modem ................................................................... 52
Figure 2 VPN Application ....................................................................................................................... 53
Figure 3 3G WAN Application ................................................................................................................. 53
Figure 4 Front Panel ............................................................................................................................... 54
Figure 5 Change Password Screen ........................................................................................................ 56
Figure 6 Replace Certificate Screen ....................................................................................................... 56
Figure 7 Example Xmodem Upload ........................................................................................................ 57
Figure 8 HOME Screen .......................................................................................................................... 58
Figure 9 Web Configurator HOME Screen in Router Mode .................................................................. 59
Figure 10 Web Configurator HOME Screen in Bridge Mode .................................................................. 63
Figure 11 HOME > Show Statistics ......................................................................................................... 70
Figure 12 HOME > Show Statistics > Line Chart .................................................................................... 71
Figure 13 HOME > DHCP Table ............................................................................................................. 72
Figure 14 HOME > VPN Status .............................................................................................................. 73
Figure 15 Home > Bandwidth Monitor .................................................................................................... 74
Figure 16 Wizard Setup Welcome .......................................................................................................... 75
Figure 17 ISP Parameters: Ethernet Encapsulation ...............................................................................76
Figure 18 ISP Parameters: PPPoE Encapsulation ................................................................................. 77
Figure 19 ISP Parameters: PPTP Encapsulation ...................................................................................79
Figure 20 Internet Access Wizard: Second Screen ................................................................................80
Figure 21 Internet Access Setup Complete ............................................................................................ 81
Figure 22 Internet Access Wizard: Registration ..................................................................................... 82
Figure 23 Internet Access Wizard: Registration in Progress .................................................................. 83
Figure 24 Internet Access Wizard: Status .............................................................................................. 83
Figure 25 Internet Access Wizard: Registration Failed ..........................................................................83
Figure 26 Internet Access Wizard: Registered Device ........................................................................... 84
Figure 27 Internet Access Wizard: Activated Services ...........................................................................84
Figure 28 VPN Wizard: Gateway Setting ............................................................................................... 85
Figure 29 VPN Wizard: Network Setting ................................................................................................ 86
Figure 30 VPN Wizard: IKE Tunnel Setting ............................................................................................ 88
Figure 31 VPN Wizard: IPSec Setting .................................................................................................... 89
Figure 32 VPN Wizard: VPN Status ....................................................................................................... 91
Figure 33 VPN Wizard Setup Complete ................................................................................................. 93
Figure 34 Firewall Rule for VPN ............................................................................................................. 96
Figure 35 SECURITY > VPN > VPN Rules (IKE) .................................................................................. 96
Figure 36 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy ............................................. 97
Figure 37 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example ................................ 98
Figure 38 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy ............................................... 99
Figure 39 SECURITY > FIREWALL > Rule Summary ......................................................................... 100
Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow ................................................... 101
Figure 41 SECURITY > FIREWALL > Rule Summary: Allow ............................................................... 102
Figure 42 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN .................................... 102
Figure 43 Tutorial: NETWORK > WAN > WAN 2 (3G WAN) ............................................................. 103
Figure 44 Tutorial: NETWORK > WAN > General ............................................................................. 104
Figure 45 Tutorial: Home .................................................................................................................... 105
Figure 46 REGISTRATION ................................................................................................................... 108
Figure 47 REGISTRATION: Registered Device ................................................................................... 109
Figure 48 REGISTRATION > Service ....................................................................................................110
Figure 49 LAN and WAN ......................................................................................................................113
Figure 50 NETWORK > LAN .................................................................................................................117
Figure 51 NETWORK > LAN > Static DHCP ........................................................................................ 120
Figure 52 Physical Network & Partitioned Logical Networks ................................................................ 121
Figure 53 NETWORK > LAN > IP Alias ................................................................................................ 121
Figure 54 NETWORK > LAN > Port Roles ...........................................................................................123
Figure 55 Port Roles Change Complete ............................................................................................... 123
Figure 56 Bridge Loop: Bridge Connected to Wired LAN ..................................................................... 125
Figure 57 NETWORK > Bridge ............................................................................................................. 128
Figure 58 NETWORK > Bridge > Port Roles ........................................................................................130
Figure 59 Port Roles Change Complete ............................................................................................... 130
Figure 60 Least Load First Example .................................................................................................... 133
Figure 61 Weighted Round Robin Algorithm Example ......................................................................... 134
Figure 62 Spillover Algorithm Example ................................................................................................. 134
Figure 63 NETWORK > WAN General ................................................................................................ 136
Figure 64 Load Balancing: Least Load First ......................................................................................... 139
Figure 65 Load Balancing: Weighted Round Robin ............................................................................. 140
Figure 66 Load Balancing: Spillover ..................................................................................................... 141
Figure 67 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) .................................................... 143
Figure 68 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) ........................................................ 147
Figure 69 NETWORK > WAN > WAN 1 (PPTP Encapsulation) .......................................................... 150
Figure 70 NETWORK > WAN > WAN 2 (3G WAN) ........................................................................... 154
Figure 71 Traffic Redirect WAN Setup .................................................................................................. 156
Figure 72 Traffic Redirect LAN Setup ................................................................................................... 156
Figure 73 NETWORK > WAN > Traffic Redirect .................................................................................. 157
Figure 74 NETWORK > WAN > Dial Backup ..................................................................................... 158
Figure 75 NETWORK > WAN > Dial Backup > Edit ........................................................................... 161
Figure 76 NETWORK > DMZ .............................................................................................................. 164
Figure 77 NETWORK > DMZ > Static DHCP ..................................................................................... 167
Figure 78 NETWORK > DMZ > IP Alias .............................................................................................. 168
Figure 79 DMZ Public Address Example .............................................................................................. 170
Figure 80 DMZ Private and Public Address Example .......................................................................... 171
Figure 81 NETWORK > DMZ > Port Roles ......................................................................................... 172
Figure 82 Example of a Wireless Network ........................................................................................... 173
Figure 83 NETWORK > WLAN ............................................................................................................ 175
Figure 84 NETWORK > WLAN > Static DHCP ................................................................................... 178
Figure 85 NETWORK > WLAN > IP Alias ...........................................................................................179
Figure 86 WLAN Port Role Example ................................................................................................... 181
Figure 87 NETWORK > WLAN > Port Roles ....................................................................................... 181
Figure 88 NETWORK > WLAN > Port Roles: Change Complete ......................................................... 182
Figure 89 NETWORK > WIRELESS CARD ......................................................................................... 185
Figure 90 Configuring SSID .................................................................................................................. 188
Figure 91 NETWORK > WIRELESS CARD > Security ........................................................................ 189
Figure 92 NETWORK > WIRELESS CARD > Security: None ............................................................. 190
Figure 93 NETWORK > WIRELESS CARD > Security: WEP .............................................................. 191
Figure 94 NETWORK > WIRELESS CARD > Security: 802.1x Only .................................................. 192
Figure 95 NETWORK > WIRELESS CARD > Security: 802.1x + Static WEP ..................................... 193
Figure 96 NETWORK > WIRELESS CARD > Security: WPA, WPA2 or WPA2-MIX .......................... 194
Figure 97 NETWORK > WIRELESS CARD > Security: WPA(2)-PSK ................................................. 195
Figure 98 NETWORK > WIRELESS CARD > MAC Filter .................................................................... 196
Figure 99 Default Firewall Action .......................................................................................................... 201
Figure 100 SECURITY > FIREWALL > Default Rule (Router Mode) ................................................... 202
Figure 101 Default Block Traffic From WAN1 to DMZ Example ....................................................... 203
Figure 102 From LAN to VPN Example ............................................................................................... 205
Figure 103 Block DMZ to VPN Traffic by Default Example ............................................................... 205
Figure 104 From VPN to LAN Example ............................................................................................... 206
Figure 105 Block VPN to LAN Traffic by Default Example ............................................................... 207
Figure 106 From VPN to VPN Example .............................................................................................. 208
Figure 107 Block VPN to VPN Traffic by Default Example ............................................................... 208
Figure 108 Blocking All LAN to WAN IRC Traffic Example .................................................................. 209
Figure 109 Limited LAN to WAN IRC Traffic Example .......................................................................... 210
Figure 110 Using IP Alias to Solve the Triangle Route Problem .......................................................... 212
Figure 111 SECURITY > FIREWALL > Default Rule (Router Mode) .................................................... 212
Figure 112 SECURITY > FIREWALL > Default Rule (Bridge Mode) .................................................... 214
Figure 113 SECURITY > FIREWALL > Rule Summary ........................................................................ 216
Figure 114 SECURITY > FIREWALL > Rule Summary > Edit ............................................................ 218
Figure 115 SECURITY > FIREWALL > Anti-Probing ............................................................................ 220
Figure 116 Three-Way Handshake ....................................................................................................... 221
Figure 117 SECURITY > FIREWALL > Threshold ............................................................................ 222
Figure 118 SECURITY > FIREWALL > Service ................................................................................... 224
Figure 119 Firewall Edit Custom Service .............................................................................................. 225
Figure 120 My Service Firewall Rule Example: Service ...................................................................... 226
Figure 121 My Service Firewall Rule Example: Edit Custom Service ................................................. 227
Figure 122 My Service Firewall Rule Example: Rule Summary ........................................................... 227
Figure 123 My Service Firewall Rule Example: Rule Edit ................................................................... 228
Figure 124 My Service Firewall Rule Example: Rule Configuration ..................................................... 229
Figure 125 My Service Firewall Rule Example: Rule Summary ........................................................... 230
Figure 126 SECURITY > CONTENT FILTER > General ...................................................................... 232
Figure 127 Content Filtering Lookup Procedure ................................................................................... 234
Figure 128 SECURITY > CONTENT FILTER > Categories ................................................................. 236
Figure 129 SECURITY > CONTENT FILTER > Customization ............................................................ 244
Figure 130 SECURITY > CONTENT FILTER > Cache ........................................................................ 247
Figure 131 myZyXEL.com: Login ......................................................................................................... 250
Figure 132 myZyXEL.com: Welcome ................................................................................................... 250
Figure 133 myZyXEL.com: Service Management ................................................................................ 251
Figure 134 Blue Coat: Login ................................................................................................................. 251
Figure 135 Content Filtering Reports Main Screen .............................................................................. 252
Figure 136 Blue Coat: Report Home .................................................................................................... 252
Figure 137 Global Report Screen Example .......................................................................................... 253
Figure 138 Requested URLs Example ................................................................................................. 254
Figure 139 Web Page Review Process Screen ................................................................................... 255
Figure 140 VPN: Example .................................................................................................................... 257
Figure 141 VPN: IKE SA and IPSec SA .............................................................................................. 258
Figure 142 Gateway and Network Policies .......................................................................................... 259
Figure 143 IPSec Fields Summary ..................................................................................................... 259
Figure 144 SECURITY > VPN > VPN Rules (IKE) .............................................................................. 260
Figure 145 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal ......................................... 261
Figure 146 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange ...................................... 262
Figure 147 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication ............................................. 262
Figure 148 VPN/NAT Example ............................................................................................................. 265
Figure 149 IPSec High Availability ....................................................................................................... 266
Figure 150 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ......................................... 268
Figure 151 VPN: Transport and Tunnel Mode Encapsulation .............................................................. 274
Figure 152 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy ........................................... 276
Figure 153 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy ........................................ 280
Figure 154 VPN Rule Configured ......................................................................................................... 281
Figure 155 VPN Dial ............................................................................................................................. 281
Figure 156 VPN Tunnel Established ..................................................................................................... 281
Figure 157 VPN Log Example ............................................................................................................. 282
Figure 158 IKE/IPSec Debug Example ............................................................................................... 283
Figure 159 SECURITY > VPN > VPN Rules (Manual) ........................................................................ 285
Figure 160 SECURITY > VPN > VPN Rules (Manual) > Edit .............................................................. 286
Figure 161 SECURITY > VPN > SA Monitor ...................................................................................... 289
Figure 162 SECURITY > VPN > Global Setting ................................................................................. 290
Figure 163 Telecommuters Sharing One VPN Rule Example .............................................................. 292
Figure 164 Telecommuters Using Unique VPN Rules Example ........................................................... 293
Figure 165 VPN for Remote Management Example ............................................................................ 294
Figure 166 VPN Topologies .................................................................................................................. 294
Figure 167 Hub-and-spoke VPN Example ...........................................................................................295
Figure 168 Certificates on Your Computer ........................................................................................... 298
Figure 169 Certificate Details .............................................................................................................. 299
Figure 170 Certificate Configuration Overview ..................................................................................... 299
Figure 171 SECURITY > CERTIFICATES > My Certificates ............................................................... 300
Figure 172 SECURITY > CERTIFICATES > My Certificates > Details ................................................. 302
Figure 173 SECURITY > CERTIFICATES > My Certificates > Export ................................................. 305
Figure 174 SECURITY > CERTIFICATES > My Certificates > Import ................................................. 307
Figure 175 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 ............................... 307
Figure 176 SECURITY > CERTIFICATES > My Certificates > Create ................................................. 308
Figure 177 SECURITY > CERTIFICATES > Trusted CAs ................................................................... 310
Figure 178 SECURITY > CERTIFICATES > Trusted CAs > Details .................................................... 312
Figure 179 SECURITY > CERTIFICATES > Trusted CAs > Import ..................................................... 315
Figure 180 SECURITY > CERTIFICATES > Trusted Remote Hosts .................................................... 316
Figure 181 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import ..................................... 317
Figure 182 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details ..................................... 318
Figure 183 SECURITY > CERTIFICATES > Directory Servers ............................................................ 320
Figure 184 SECURITY > CERTIFICATES > Directory Server > Add ................................................... 321
Figure 185 SECURITY > AUTH SERVER > Local User Database ...................................................... 324
Figure 186 SECURITY > AUTH SERVER > RADIUS .......................................................................... 325
Figure 187 How NAT Works ................................................................................................................. 331
Figure 188 NAT Application With IP Alias ............................................................................................ 331
Figure 189 Port Restricted Cone NAT Example ................................................................................... 332
Figure 190 ADVANCED > NAT > NAT Overview .................................................................................. 334
Figure 191 ADVANCED > NAT > Address Mapping ............................................................................. 336
Figure 192 ADVANCED > NAT > Address Mapping > Edit .................................................................. 338
Figure 193 Multiple Servers Behind NAT Example .............................................................................. 340
Figure 194 Port Translation Example ................................................................................................... 341
Figure 195 ADVANCED > NAT > Port Forwarding ............................................................................... 342
Figure 196 Trigger Port Forwarding Process: Example ........................................................................ 343
Figure 197 ADVANCED > NAT > Port Triggering ................................................................................. 344
Figure 198 Example of Static Routing Topology ................................................................................... 345
Figure 199 ADVANCED > STATIC ROUTE > IP Static Route .............................................................. 346
Figure 200 ADVANCED > STATIC ROUTE > IP Static Route > Edit .................................................... 347
Figure 201 ADVANCED > POLICY ROUTE > Policy Route Summary ................................................ 350
Figure 202 Edit IP Policy Route ............................................................................................................ 352
Figure 203 Subnet-based Bandwidth Management Example .............................................................. 356
Figure 204 ADVANCED > BW MGMT > Summary .............................................................................. 362
Figure 205 ADVANCED > BW MGMT > Class Setup .......................................................................... 363
Figure 206 ADVANCED > BW MGMT > Class Setup > Add Sub-Class .............................................. 365
Figure 207 ADVANCED > BW MGMT > Class Setup > Statistics ........................................................ 368
Figure 208 ADVANCED > BW MGMT > Monitor ................................................................................. 369
Figure 209 Private DNS Server Example ............................................................................................. 373
Figure 210 ADVANCED > DNS > System DNS ................................................................................... 374
Figure 211 ADVANCED > DNS > Add (Address Record) ..................................................................... 375
Figure 212 ADVANCED > DNS > Insert (Name Server Record) .......................................................... 376
Figure 213 ADVANCED > DNS > Cache ............................................................................................. 378
Figure 214 ADVANCED > DNS > DHCP .............................................................................................. 379
Figure 215 ADVANCED > DNS > DDNS .............................................................................................. 381
Figure 216 Secure and Insecure Remote Management From the WAN .............................................. 383
Figure 217 HTTPS Implementation ...................................................................................................... 385
Figure 218 ADVANCED > REMOTE MGMT > WWW .......................................................................... 386
Figure 219 Security Alert Dialog Box (Internet Explorer) ...................................................................... 387
Figure 220 Security Certificate 1 (Netscape) ........................................................................................ 388
Figure 221 Security Certificate 2 (Netscape) ........................................................................................ 388
Figure 222 Example: Lock Denoting a Secure Connection .................................................................. 389
Figure 223 Replace Certificate ............................................................................................................. 390
Figure 224 Device-specific Certificate .................................................................................................. 390
Figure 225 Common ZyWALL Certificate ............................................................................................. 391
Figure 226 SSH Communication Over the WAN Example .................................................................. 391
Figure 227 How SSH Works ................................................................................................................. 392
Figure 228 ADVANCED > REMOTE MGMT > SSH ............................................................................. 393
Figure 229 SSH Example 1: Store Host Key ........................................................................................ 394
Figure 230 SSH Example 2: Test ........................................................................................................ 394
Figure 231 SSH Example 2: Log in ...................................................................................................... 395
Figure 232 Secure FTP: Firmware Upload Example ............................................................................ 396
Figure 233 ADVANCED > REMOTE MGMT > Telnet .......................................................................... 396
Figure 234 ADVANCED > REMOTE MGMT > FTP ............................................................................. 397
Figure 235 SNMP Management Model ................................................................................................ 399
Figure 236 ADVANCED > REMOTE MGMT > SNMP .......................................................................... 400
Figure 237 ADVANCED > REMOTE MGMT > DNS ............................................................................. 402
Figure 238 ADVANCED > REMOTE MGMT > CNM ............................................................................ 403
Figure 239 ADVANCED > UPnP .......................................................................................................... 406
Figure 240 ADVANCED > UPnP > Ports .............................................................................................. 407
Figure 241 H.323 ALG Example .......................................................................................................... 417
Figure 242 H.323 with Multiple WAN IP Addresses ............................................................................ 417
Figure 243 H.323 Calls from the WAN with Multiple Outgoing Calls .................................................... 418
Figure 244 SIP ALG Example ............................................................................................................. 419
Figure 245 ADVANCED > ALG ........................................................................................................... 420
Figure 246 LOGS > View Log ........................................................................................................... 423
Figure 247 myZyXEL.com: Download Center ...................................................................................... 425
Figure 248 myZyXEL.com: Certificate Download ................................................................................. 426
Figure 249 LOGS > Log Settings ......................................................................................................... 427
Figure 250 LOGS > Reports ................................................................................................................ 430
Figure 251 LOGS > Reports: Web Site Hits Example .......................................................................... 431
Figure 252 LOGS > Reports: Host IP Address Example ...................................................................... 432
Figure 253 LOGS > Reports: Protocol/Port Example ........................................................................... 433
Figure 254 MAINTENANCE > General Setup ...................................................................................... 452
Figure 255 MAINTENANCE > Password ............................................................................................ 453
Figure 256 MAINTENANCE > Time and Date ...................................................................................... 454
Figure 257 Synchronization in Process ................................................................................................ 456
Figure 258 Synchronization is Successful ............................................................................................ 457
Figure 259 Synchronization Fail ........................................................................................................... 457
Figure 260 MAINTENANCE > Device Mode (Router Mode) ................................................................ 459
Figure 261 MAINTENANCE > Device Mode (Bridge Mode) ................................................................ 460
Figure 262 MAINTENANCE > Firmware Upload .................................................................................. 462
Figure 263 Firmware Upload In Process .............................................................................................. 462
Figure 264 Network Temporarily Disconnected ....................................................................................463
Figure 265 Firmware Upload Error ....................................................................................................... 463
Figure 266 MAINTENANCE > Backup and Restore ............................................................................. 464
Figure 267 Configuration Upload Successful ....................................................................................... 465
Figure 268 Network Temporarily Disconnected ....................................................................................465
Figure 269 Configuration Upload Error ................................................................................................. 465
Figure 270 Reset Warning Message .................................................................................................... 466
Figure 271 MAINTENANCE > Restart ................................................................................................. 466
Figure 272 Initial Screen ....................................................................................................................... 470
Figure 273 Password Screen .............................................................................................................. 470
Figure 274 Main Menu (Router Mode) ................................................................................................. 471
Figure 275 Main Menu (Bridge Mode) .................................................................................................. 472
Figure 276 Menu 23: System Password ............................................................................................... 475
Figure 277 Menu 1: General Setup (Router Mode) .............................................................................. 477
Figure 278 Menu 1: General Setup (Bridge Mode) .............................................................................. 478
Figure 279 Menu 1.1: Configure Dynamic DNS ................................................................................... 479
Figure 280 Menu 1.1.1: DDNS Host Summary .................................................................................... 480
Figure 281 Menu 1.1.1: DDNS Edit Host .............................................................................................. 481
Figure 282 MAC Address Cloning in WAN Setup ................................................................................. 483
Figure 283 Menu 2: Dial Backup Setup .............................................................................................. 485
Figure 284 Menu 2.1: Advanced WAN Setup ....................................................................................... 486
Figure 285 Menu 11.3: Remote Node Profile (Backup ISP) ................................................................ 487
Figure 286 Menu 11.3.2: Remote Node Network Layer Options .......................................................... 489
Figure 287 Menu 11.3.3: Remote Node Script .....................................................................................491
Figure 288 Menu 11.3.4: Remote Node Filter ...................................................................................... 492
Figure 289 3G Modem Setup in WAN Setup ...................................................................................... 493
Figure 290 Menu 11.2: Remote Node Profile (3G WAN) .................................................................... 494
Figure 291 Menu 3: LAN Setup ............................................................................................................ 497
Figure 292 Menu 3.1: LAN Port Filter Setup ........................................................................................ 498
Figure 293 Menu 3: TCP/IP and DHCP Setup .................................................................................... 498
Figure 294 Menu 3.2: TCP/IP and DHCP Ethernet Setup .................................................................... 499
Figure 295 Menu 3.2.1: IP Alias Setup ................................................................................................. 501
Figure 296 Menu 4: Internet Access Setup (Ethernet) ......................................................................... 504
Figure 297 Internet Access Setup (PPTP) ........................................................................................... 506
Figure 298 Internet Access Setup (PPPoE) ......................................................................................... 507
Figure 299 Menu 5: DMZ Setup .......................................................................................................... 509
Figure 300 Menu 5.1: DMZ Port Filter Setup ........................................................................................ 509
Figure 301 Menu 5: DMZ Setup ........................................................................................................... 510
Figure 302 Menu 5.2: TCP/IP and DHCP Ethernet Setup .................................................................... 510
Figure 303 Menu 5.2.1: IP Alias Setup ................................................................................................. 511
Figure 304 Menu 6: Route Setup ......................................................................................................... 513
Figure 305 Menu 6.1: Route Assessment ............................................................................................ 513
Figure 306 Menu 6.2: Traffic Redirect .................................................................................................. 514
Figure 307 Menu 6.3: Route Failover ................................................................................................... 515
Figure 308 Menu 7: WLAN Setup ......................................................................................................... 517
Figure 309 Menu 7.2: TCP/IP and DHCP Ethernet Setup .................................................................... 518
Figure 310 Menu 7.2.1: IP Alias Setup ................................................................................................. 519
Figure 311 Menu 11: Remote Node Setup ........................................................................................... 521
Figure 312 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ............................................ 522
Figure 313 Menu 11.1: Remote Node Profile for PPPoE Encapsulation .............................................. 523
Figure 314 Menu 11.1: Remote Node Profile for PPTP Encapsulation ................................................ 525
Figure 315 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation ............... 526
Figure 316 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) .............................................. 528
Figure 317 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) ................................. 528
Figure 318 Menu 12: IP Static Route Setup ........................................................................................ 530
Figure 319 Menu 12.1: Edit IP Static Route ......................................................................................... 530
Figure 320 Menu 4: Applying NAT for Internet Access ......................................................................... 534
Figure 321 Menu 11.1.2: Applying NAT to the Remote Node ............................................................... 534
Figure 322 Menu 15: NAT Setup .......................................................................................................... 535
Figure 323 Menu 15.1: Address Mapping Sets .................................................................................... 536
Figure 324 Menu 15.1.255: SUA Address Mapping Rules ................................................................... 536
Figure 325 Menu 15.1.1: First Set ........................................................................................................ 538
Figure 326 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ......................................... 539
Figure 327 Menu 15.2: NAT Server Sets .............................................................................................. 540
Figure 328 Menu 15.2.x: NAT Server Sets ........................................................................................... 541
Figure 329 15.2.x.x: NAT Server Configuration .................................................................................... 541
Figure 330 Menu 15.2.1: NAT Server Setup ....................................................................................... 542
Figure 331 Server Behind NAT Example .............................................................................................. 543
Figure 332 NAT Example 1 .................................................................................................................. 543
Figure 333 Menu 4: Internet Access & NAT Example .......................................................................... 544
Figure 334 NAT Example 2 .................................................................................................................. 544
Figure 335 Menu 15.2.1: Specifying an Inside Server .......................................................................... 545
Figure 336 NAT Example 3 .................................................................................................................. 546
Figure 337 Example 3: Menu 11.1.2 ..................................................................................................... 546
Figure 338 Example 3: Menu 15.1.1.1 ................................................................................................. 547
Figure 339 Example 3: Final Menu 15.1.1 ............................................................................................ 547
Figure 340 Example 3: Menu 15.2.1 .................................................................................................... 548
Figure 341 NAT Example 4 .................................................................................................................. 548
Figure 342 Example 4: Menu 15.1.1.1: Address Mapping Rule ........................................................... 549
Figure 343 Example 4: Menu 15.1.1: Address Mapping Rules ............................................................ 549
Figure 344 Menu 15.3.1: Trigger Port Setup ........................................................................................ 551
Figure 345 Menu 21: Filter and Firewall Setup ..................................................................................... 553
Figure 346 Menu 21.2: Firewall Setup .................................................................................................. 554
Figure 347 Outgoing Packet Filtering Process ..................................................................................... 555
Figure 348 Filter Rule Process ............................................................................................................. 557
Figure 349 Menu 21: Filter and Firewall Setup ..................................................................................... 558
Figure 350 Menu 21.1: Filter Set Configuration .................................................................................... 558
Figure 351 Menu 21.1.1.1: TCP/IP Filter Rule ..................................................................................... 560
Figure 352 Executing an IP Filter ......................................................................................................... 562
Figure 353 Menu 21.1.1.1: Generic Filter Rule .................................................................................... 563
Figure 354 Telnet Filter Example .......................................................................................................... 564
Figure 355 Example Filter: Menu 21.1.3.1 ........................................................................................... 565
Figure 356 Example Filter Rules Summary: Menu 21.1.3 .................................................................... 565
Figure 357 Protocol and Device Filter Sets .......................................................................................... 566
Figure 358 Filtering LAN Traffic ............................................................................................................ 568
Figure 359 Filtering DMZ Traffic ........................................................................................................... 568
Figure 360 Filtering Remote Node Traffic ............................................................................................. 569
Figure 361 Menu 22: SNMP Configuration ........................................................................................... 571
Figure 362 Menu 24: System Maintenance .......................................................................................... 573
Figure 363 Menu 24.1: System Maintenance: Status .......................................................................... 574
Figure 364 Menu 24.2: System Information and Console Port Speed ................................................. 575
Figure 365 Menu 24.2.1: System Maintenance: Information .............................................................. 576
Figure 366 Menu 24.2.2: System Maintenance: Change Console Port Speed .................................... 577
Figure 367 Menu 24.3: System Maintenance: Log and Trace .............................................................. 577
Figure 368 Examples of Error and Information Messages ................................................................... 578
Figure 369 Menu 24.3.2: System Maintenance: Syslog Logging ......................................................... 578
Figure 370 Call-Triggering Packet Example ......................................................................................... 582
Figure 371 Menu 24.4: System Maintenance: Diagnostic .................................................................. 583
Figure 372 WAN & LAN DHCP ............................................................................................................. 583
Figure 373 Telnet into Menu 24.5 ......................................................................................................... 587
Figure 374 FTP Session Example ........................................................................................................ 587
Figure 375 System Maintenance: Backup Configuration ..................................................................... 590
Figure 376 System Maintenance: Starting Xmodem Download Screen ............................................... 590
Figure 377 Backup Configuration Example .......................................................................................... 590
Figure 378 Successful Backup Confirmation Screen ........................................................................... 590
Figure 379 Telnet into Menu 24.6 ......................................................................................................... 591
Figure 380 Restore Using FTP Session Example ................................................................................ 592
Figure 381 System Maintenance: Restore Configuration ..................................................................... 592
Figure 382 System Maintenance: Starting Xmodem Download Screen ............................................... 592
Figure 383 Restore Configuration Example ......................................................................................... 593
Figure 384 Successful Restoration Confirmation Screen ..................................................................... 593
Figure 385 Telnet Into Menu 24.7.1: Upload System Firmware ........................................................... 594
Figure 386 Telnet Into Menu 24.7.2: System Maintenance ................................................................. 594
Figure 387 FTP Session Example of Firmware File Upload ................................................................. 595
Figure 388 Menu 24.7.1 As Seen Using the Console Port ................................................................... 597
Figure 389 Example Xmodem Upload .................................................................................................. 597
Figure 390 Menu 24.7.2 As Seen Using the Console Port .................................................................. 598
Figure 391 Example Xmodem Upload .................................................................................................. 598
Figure 392 Command Mode in Menu 24 .............................................................................................. 599
Figure 393 Valid Commands ................................................................................................................ 600
Figure 394 Call Control ......................................................................................................................... 601
Figure 395 Budget Management .......................................................................................................... 602
Figure 396 Call History ......................................................................................................................... 603
Figure 397 Menu 24: System Maintenance .......................................................................................... 604
Figure 398 Menu 24.10 System Maintenance: Time and Date Setting ................................................ 604
Figure 399 Menu 24.11: Remote Management Control ...................................................................... 608
Figure 400 Menu 25: Sample IP Routing Policy Summary .................................................................. 611
Figure 401 Menu 25.1: IP Routing Policy Setup ................................................................................... 613
Figure 402 Menu 25.1.1: IP Routing Policy Setup ............................................................................... 615
Figure 403 Example of IP Policy Routing ............................................................................................. 616
Figure 404 IP Routing Policy Example 1 .............................................................................................. 616
Figure 405 IP Routing Policy Example 2 .............................................................................................. 617
Figure 406 Schedule Setup .................................................................................................................. 619
Figure 407 Schedule Set Setup ............................................................................................................ 620
Figure 408 Applying Schedule Set(s) to a Remote Node (PPPoE) ...................................................... 621
Figure 409 Applying Schedule Set(s) to a Remote Node (PPTP) ........................................................ 622
Figure 410 Console/Dial Backup Cable DB-9 End Pin Layout ............................................................. 636
Figure 411 Wall-mounting Example ...................................................................................................... 640
Figure 412 Pop-up Blocker ................................................................................................................... 641
Figure 413 Internet Options ................................................................................................................. 642
Figure 414 Internet Options .................................................................................................................. 643
Figure 415 Pop-up Blocker Settings ..................................................................................................... 643
Figure 416 Internet Options .................................................................................................................. 644
Figure 417 Security Settings - Java Scripting ....................................................................................... 645
Figure 418 Security Settings - Java ...................................................................................................... 645
Figure 419 Java (Sun) .......................................................................................................................... 646
Figure 420 Windows 95/98/Me: Network: Configuration ...................................................................... 648
Figure 421 Windows 95/98/Me: TCP/IP Properties: IP Address .......................................................... 649
Figure 422 Windows 95/98/Me: TCP/IP Properties: DNS Configuration .............................................. 650
Figure 423 Windows XP: Start Menu .................................................................................................... 651
Figure 424 Windows XP: Control Panel ............................................................................................... 651
Figure 425 Windows XP: Control Panel: Network Connections: Properties ......................................... 652
Figure 426 Windows XP: Local Area Connection Properties ............................................................... 652
Figure 427 Windows XP: Internet Protocol (TCP/IP) Properties .......................................................... 653
Figure 428 Windows XP: Advanced TCP/IP Properties ....................................................................... 654
Figure 429 Windows XP: Internet Protocol (TCP/IP) Properties .......................................................... 655
Figure 430 Macintosh OS 8/9: Apple Menu .......................................................................................... 656
Figure 431 Macintosh OS 8/9: TCP/IP ................................................................................................. 656
Figure 432 Macintosh OS X: Apple Menu ............................................................................................ 657
Figure 433 Macintosh OS X: Network .................................................................................................. 658
Figure 434 Red Hat 9.0: KDE: Network Configuration: Devices ......................................................... 659
Figure 435 Red Hat 9.0: KDE: Ethernet Device: General .................................................................. 659
Figure 436 Red Hat 9.0: KDE: Network Configuration: DNS ............................................................... 660
Figure 437 Red Hat 9.0: KDE: Network Configuration: Activate ........................................................ 660
Figure 438 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 ............................................... 661
Figure 439 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 ................................................... 661
Figure 440 Red Hat 9.0: DNS Settings in resolv.conf ........................................................................ 661
Figure 441 Red Hat 9.0: Restart Ethernet Card ................................................................................. 661
Figure 442 Red Hat 9.0: Checking TCP/IP Properties ....................................................................... 662
Figure 443 Peer-to-Peer Communication in an Ad-hoc Network ......................................................... 675
Figure 444 Basic Service Set ............................................................................................................... 676
Figure 445 Infrastructure WLAN ........................................................................................................... 677
Figure 446 RTS/CTS ........................................................................................................................... 678
Figure 447 WPA(2) with RADIUS Application Example ....................................................................... 685
Figure 448 WPA(2)-PSK Authentication ............................................................................................... 686
Figure 449 Roaming Example .............................................................................................................. 687
Figure 450 Security Certificate ............................................................................................................. 691
Figure 451 Login Screen ...................................................................................................................... 692
Figure 452 Certificate General Information before Import .................................................................... 692
Figure 453 Certificate Import Wizard 1 ................................................................................................. 693
Figure 454 Certificate Import Wizard 2 ................................................................................................. 693
Figure 455 Certificate Import Wizard 3 ................................................................................................. 694
Figure 456 Root Certificate Store ......................................................................................................... 694
Figure 457 Certificate General Information after Import ....................................................................... 695
Figure 458 ZyWALL Trusted CA Screen .............................................................................................. 696
Figure 459 CA Certificate Example ...................................................................................................... 697
Figure 460 Personal Certificate Import Wizard 1 .................................................................................. 697
Figure 461 Personal Certificate Import Wizard 2 .................................................................................. 698
Figure 462 Personal Certificate Import Wizard 3 .................................................................................. 698
Figure 463 Personal Certificate Import Wizard 4 .................................................................................. 699
Figure 464 Personal Certificate Import Wizard 5 .................................................................................. 699
Figure 465 Personal Certificate Import Wizard 6 .................................................................................. 699
Figure 466 Access the ZyWALL Via HTTPS ........................................................................................ 700
Figure 467 SSL Client Authentication ................................................................................................... 700
Figure 468 ZyWALL Secure Login Screen ........................................................................................... 700
Figure 469 Displaying Log Categories Example .................................................................................. 702
Figure 470 Displaying Log Parameters Example ................................................................................. 702
Figure 471 Routing Command Example .............................................................................................. 704
Figure 472 Backup Gateway ................................................................................................................ 705
Figure 473 Managing the Bandwidth of an IPSec SA .......................................................................... 706
Figure 474 Managing the Bandwidth of an IKE SA .............................................................................. 706
Figure 475 Routing Command Example .............................................................................................. 707

List of Tables
Table 1 Front Panel Lights ..................................................................................................................... 54
Table 2 Title Bar: Web Configurator Icons ............................................................................................. 58
Table 3 Web Configurator HOME Screen in Router Mode .................................................................... 59
Table 4 Web Configurator HOME Screen in Bridge Mode .................................................................... 63
Table 5 Bridge and Router Mode Features Comparison ....................................................................... 65
Table 6 Screens Summary .................................................................................................................... 66
Table 7 HOME > Show Statistics ........................................................................................................... 70
Table 8 HOME > Show Statistics > Line Chart ...................................................................................... 71
Table 9 HOME > DHCP Table ............................................................................................................... 72
Table 10 HOME > VPN Status ............................................................................................................... 73
Table 11 ADVANCED > BW MGMT > Monitor ....................................................................................... 74
Table 12 ISP Parameters: Ethernet Encapsulation .............................................................................. 76
Table 13 ISP Parameters: PPPoE Encapsulation ................................................................................. 78
Table 14 ISP Parameters: PPTP Encapsulation .................................................................................... 79
Table 15 Internet Access Wizard: Registration ...................................................................................... 82
Table 16 VPN Wizard: Gateway Setting ................................................................................................ 85
Table 17 VPN Wizard: Network Setting ................................................................................................. 86
Table 18 VPN Wizard: IKE Tunnel Setting ............................................................................................. 88
Table 19 VPN Wizard: IPSec Setting ..................................................................................................... 90
Table 20 VPN Wizard: VPN Status ........................................................................................................ 91
Table 21 REGISTRATION ................................................................................................................... 108
Table 22 REGISTRATION > Service ................................................................................................... 110
Table 23 NETWORK > LAN ................................................................................................................. 117
Table 24 NETWORK > LAN > Static DHCP ........................................................................................ 120
Table 25 NETWORK > LAN > IP Alias ................................................................................................ 122
Table 26 NETWORK > LAN > Port Roles ............................................................................................ 123
Table 27 STP Path Costs .................................................................................................................... 126
Table 28 STP Port States .................................................................................................................... 127
Table 29 NETWORK > Bridge ............................................................................................................. 128
Table 30 NETWORK > Bridge > Port Roles ....................................................................................... 130
Table 31 Least Load First: Example 1 ................................................................................................. 133
Table 32 Least Load First: Example 2 ................................................................................................. 133
Table 33 NETWORK > WAN General ................................................................................................. 137
Table 34 Load Balancing: Least Load First ......................................................................................... 139
Table 35 Load Balancing: Weighted Round Robin .............................................................................. 140
Table 36 Load Balancing: Spillover ...................................................................................................... 141
Table 37 Private IP Address Ranges ................................................................................................... 141
Table 38 Example of Network Properties for LAN Servers with Fixed IP Addresses .......................... 142
Table 39 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) ....................................................... 144
Table 40 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) ......................................................... 147
Table 41 NETWORK > WAN > WAN 1 (PPTP Encapsulation) ............................................................ 150
Table 42 2G, 2.5G, 2.75G and 3G of Wireless Technologies ............................................................... 153
Table 43 NETWORK > WAN > WAN 2 (3G WAN) .............................................................................. 154
Table 44 NETWORK > WAN > Traffic Redirect ................................................................................... 157
Table 45 NETWORK > WAN > Dial Backup ........................................................................................ 158
Table 46 NETWORK > WAN > Dial Backup > Edit .............................................................................. 162
Table 47 NETWORK > DMZ ................................................................................................................ 164
Table 48 NETWORK > DMZ > Static DHCP ........................................................................................ 167
Table 49 NETWORK > DMZ > IP Alias ............................................................................................... 168
Table 50 NETWORK > DMZ > Port Roles .......................................................................................... 172
Table 51 NETWORK > WLAN ............................................................................................................. 175
Table 52 NETWORK > WLAN > Static DHCP ..................................................................................... 178
Table 53 NETWORK > WLAN > IP Alias ............................................................................................. 179
Table 54 NETWORK > WLAN > Port Roles ........................................................................................ 182
Table 55 Types of Encryption for Each Type of Authentication ........................................................... 184
Table 56 NETWORK > WIRELESS CARD .......................................................................................... 186
Table 57 Configuring SSID .................................................................................................................. 188
Table 58 Security Modes ..................................................................................................................... 189
Table 59 NETWORK > WIRELESS CARD > Security ......................................................................... 189
Table 60 NETWORK > WIRELESS CARD > Security: None .............................................................. 190
Table 61 NETWORK > WIRELESS CARD > Security: WEP .............................................................. 191
Table 62 NETWORK > WIRELESS CARD > Security: 802.1x Only ................................................... 192
Table 63 NETWORK > WIRELESS CARD > Security: 802.1x + Static WEP ...................................... 193
Table 64 NETWORK > WIRELESS CARD > Security: WPA, WPA2 or WPA2-MIX ............................ 194
Table 65 NETWORK > WIRELESS CARD > Security: WPA(2)-PSK .................................................. 195
Table 66 NETWORK > WIRELESS CARD > MAC Filter ..................................................................... 197
Table 67 Blocking All LAN to WAN IRC Traffic Example ..................................................................... 210
Table 68 Limited LAN to WAN IRC Traffic Example ............................................................................ 210
Table 69 SECURITY > FIREWALL > Default Rule (Router Mode) ...................................................... 213
Table 70 SECURITY > FIREWALL > Default Rule (Bridge Mode) ...................................................... 215
Table 71 SECURITY > FIREWALL > Rule Summary .......................................................................... 216
Table 72 SECURITY > FIREWALL > Rule Summary > Edit ................................................................ 219
Table 73 SECURITY > FIREWALL > Anti-Probing .............................................................................. 221
Table 74 SECURITY > FIREWALL > Threshold .................................................................................. 223
Table 75 SECURITY > FIREWALL > Service ...................................................................................... 224
Table 76 SECURITY > FIREWALL > Service > Add ........................................................................... 226
Table 77 SECURITY > CONTENT FILTER > General ........................................................................ 232
Table 78 SECURITY > CONTENT FILTER > Categories .................................................................... 236
Table 79 SECURITY > CONTENT FILTER > Customization .............................................................. 244
Table 80 SECURITY > CONTENT FILTER > Cache ........................................................................... 247
Table 81 SECURITY > VPN > VPN Rules (IKE) ................................................................................. 260
Table 82 VPN Example: Matching ID Type and Content ..................................................................... 263
Table 83 VPN Example: Mismatching ID Type and Content ............................................................... 263
Table 84 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ............................................. 269
Table 85 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy .............................................. 277
Table 86 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy ............................................ 280
Table 87 SECURITY > VPN > VPN Rules (Manual) ........................................................................... 285
Table 88 SECURITY > VPN > VPN Rules (Manual) > Edit ................................................................. 287
Table 89 SECURITY > VPN > SA Monitor ..........................................................................................289
Table 90 SECURITY > VPN > Global Setting ......................................................................................290
Table 91 Telecommuters Sharing One VPN Rule Example ................................................................. 292
Table 92 Telecommuters Using Unique VPN Rules Example ............................................................. 293
Table 93 SECURITY > CERTIFICATES > My Certificates .................................................................. 300
Table 94 SECURITY > CERTIFICATES > My Certificates > Details ................................................... 302
Table 95 SECURITY > CERTIFICATES > My Certificates > Export .................................................... 305
Table 96 SECURITY > CERTIFICATES > My Certificates > Import .................................................... 307
Table 97 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 .................................. 307
Table 98 SECURITY > CERTIFICATES > My Certificates > Create ................................................... 308
Table 99 SECURITY > CERTIFICATES > Trusted CAs .......................................................................311
Table 100 SECURITY > CERTIFICATES > Trusted CAs > Details ..................................................... 312
Table 101 SECURITY > CERTIFICATES > Trusted CAs Import ......................................................... 315
Table 102 SECURITY > CERTIFICATES > Trusted Remote Hosts .................................................... 316
Table 103 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import ...................................... 317
Table 104 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details ..................................... 319
Table 105 SECURITY > CERTIFICATES > Directory Servers ............................................................ 321
Table 106 SECURITY > CERTIFICATES > Directory Server > Add ................................................... 322
Table 107 SECURITY > AUTH SERVER > Local User Database ....................................................... 325
Table 108 SECURITY > AUTH SERVER > RADIUS .......................................................................... 325
Table 109 NAT Definitions ................................................................................................................... 329
Table 110 NAT Mapping Types ............................................................................................................ 333
Table 111 ADVANCED > NAT > NAT Overview ................................................................................... 334
Table 112 ADVANCED > NAT > Address Mapping ............................................................................. 336
Table 113 ADVANCED > NAT > Address Mapping > Edit ................................................................... 338
Table 114 Services and Port Numbers ................................................................................................ 339
Table 115 ADVANCED > NAT > Port Forwarding ................................................................................ 342
Table 116 ADVANCED > NAT > Port Triggering .................................................................................. 344
Table 117 ADVANCED > STATIC ROUTE > IP Static Route ............................................................... 346
Table 118 ADVANCED > STATIC ROUTE > IP Static Route > Edit .................................................... 347
Table 119 ADVANCED > POLICY ROUTE > Policy Route Summary ................................................. 351
Table 120 ADVANCED > POLICY ROUTE > Edit ............................................................................... 352
Table 121 Application and Subnet-based Bandwidth Management Example ..................................... 356
Table 122 Maximize Bandwidth Usage Example ................................................................................. 358
Table 123 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example ........................ 358
Table 124 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example ..................... 359
Table 125 Bandwidth Borrowing Example ........................................................................................... 360
Table 126 Over Allotment of Bandwidth Example ............................................................................... 361
Table 127 ADVANCED > BW MGMT > Summary ............................................................................... 362
Table 128 ADVANCED > BW MGMT > Class Setup ........................................................................... 363
Table 129 ADVANCED > BW MGMT > Class Setup > Add Sub-Class ............................................... 365
Table 130 Services and Port Numbers ................................................................................................ 367
Table 131 ADVANCED > BW MGMT > Class Setup > Statistics ......................................................... 368
Table 132 ADVANCED > BW MGMT > Monitor .................................................................................. 369
Table 133 ADVANCED > DNS > System DNS .................................................................................... 374
Table 134 ADVANCED > DNS > Add (Address Record) ..................................................................... 376
Table 135 ADVANCED > DNS > Insert (Name Server Record) .......................................................... 377
Table 136 ADVANCED > DNS > Cache ..............................................................................................378
Table 137 ADVANCED > DNS > DHCP .............................................................................................. 379
Table 138 ADVANCED > DNS > DDNS .............................................................................................. 381
Table 139 ADVANCED > REMOTE MGMT > WWW ........................................................................... 386
Table 140 ADVANCED > REMOTE MGMT > SSH ............................................................................. 393
Table 141 ADVANCED > REMOTE MGMT > Telnet ........................................................................... 397
Table 142 ADVANCED > REMOTE MGMT > FTP .............................................................................. 398
Table 143 SNMP Traps ........................................................................................................................ 400
Table 144 ADVANCED > REMOTE MGMT > SNMP .......................................................................... 401
Table 145 ADVANCED > REMOTE MGMT > DNS ............................................................................. 402
Table 146 ADVANCED > REMOTE MGMT > CNM ............................................................................. 403
Table 147 ADVANCED > UPnP ........................................................................................................... 406
Table 148 ADVANCED > UPnP > Ports .............................................................................................. 407
Table 149 ADVANCED > ALG ............................................................................................................. 420
Table 150 LOGS > View Log ............................................................................................................... 424
Table 151 Log Description Example .................................................................................................... 424
Table 152 LOGS > Log Settings .......................................................................................................... 428
Table 153 LOGS > Reports ................................................................................................................. 430
Table 154 LOGS > Reports: Web Site Hits Report .............................................................................. 431
Table 155 LOGS > Reports: Host IP Address .....................................................................................432
Table 156 LOGS > Reports: Protocol/ Port .......................................................................................... 433
Table 157 Report Specifications .......................................................................................................... 434
Table 158 System Maintenance Logs .................................................................................................. 434
Table 159 System Error Logs .............................................................................................................. 436
Table 160 Access Control Logs ........................................................................................................... 436
Table 161 TCP Reset Logs .................................................................................................................. 437
Table 162 Packet Filter Logs ............................................................................................................... 437
Table 163 ICMP Logs .......................................................................................................................... 437
Table 164 CDR Logs ........................................................................................................................... 438
Table 165 PPP Logs ............................................................................................................................ 438
Table 166 UPnP Logs .......................................................................................................................... 438
Table 167 Content Filtering Logs ......................................................................................................... 439
Table 168 Attack Logs ......................................................................................................................... 439
Table 169 Remote Management Logs ................................................................................................. 441
Table 170 IPSec Logs .......................................................................................................................... 441
Table 171 IKE Logs ............................................................................................................................. 442
Table 172 PKI Logs ............................................................................................................................. 445
Table 173 Certificate Path Verification Failure Reason Codes ............................................................ 446
Table 174 ACL Setting Notes .............................................................................................................. 446
Table 175 ICMP Notes ......................................................................................................................... 447
Table 176 Syslog Logs ........................................................................................................................ 448
Table 177 RFC-2408 ISAKMP Payload Types .................................................................................... 449
Table 178 MAINTENANCE > General Setup ....................................................................................... 452
Table 179 MAINTENANCE > Password ..............................................................................................453
Table 180 MAINTENANCE > Time and Date ...................................................................................... 454
Table 181 MAC-address-to-port Mapping Table .................................................................................. 457
Table 182 MAINTENANCE > Device Mode (Router Mode) ................................................................. 459
Table 183 MAINTENANCE > Device Mode (Bridge Mode) ................................................................. 460
Table 184 MAINTENANCE > Firmware Upload .................................................................................. 462
Table 185 Restore Configuration ......................................................................................................... 464
Table 186 Main Menu Commands ....................................................................................................... 470
Table 187 Main Menu Summary .......................................................................................................... 472
Table 188 SMT Menus Overview ......................................................................................................... 473
Table 189 Menu 1: General Setup (Router Mode) ............................................................................... 477
Table 190 Menu 1: General Setup (Bridge Mode) ............................................................................... 478
Table 191 Menu 1.1: Configure Dynamic DNS .................................................................................... 479
Table 192 Menu 1.1.1: DDNS Host Summary ..................................................................................... 480
Table 193 Menu 1.1.1: DDNS Edit Host .............................................................................................. 481
Table 194 MAC Address Cloning in WAN Setup ................................................................................. 484
Table 195 Menu 2: Dial Backup Setup ................................................................................................ 485
Table 196 Advanced WAN Port Setup: AT Commands Fields ............................................................ 486
Table 197 Advanced WAN Port Setup: Call Control Parameters ........................................................ 487
Table 198 Menu 11.3: Remote Node Profile (Backup ISP) .................................................................. 488
Table 199 Menu 11.3.2: Remote Node Network Layer Options .......................................................... 489
Table 200 Menu 11.3.3: Remote Node Script ...................................................................................... 491
Table 201 3G Modem Setup in WAN Setup ........................................................................................ 493
Table 202 Menu 11.2: Remote Node Profile (3G WAN) ...................................................................... 494
Table 203 Menu 3.2: DHCP Ethernet Setup Fields ............................................................................. 499
Table 204 Menu 3.2: LAN TCP/IP Setup Fields .................................................................................. 500
Table 205 Menu 3.2.1: IP Alias Setup ................................................................................................. 501
Table 206 Menu 4: Internet Access Setup (Ethernet) ......................................................................... 504
Table 207 New Fields in Menu 4 (PPTP) Screen ................................................................................ 506
Table 208 New Fields in Menu 4 (PPPoE) screen ............................................................................... 507
Table 209 Menu 6.1: Route Assessment ............................................................................................. 514
Table 210 Menu 6.2: Traffic Redirect ................................................................................................... 514
Table 211 Menu 6.3: Route Failover .................................................................................................... 515
Table 212 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ............................................. 522
Table 213 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ......................................................... 524
Table 214 Menu 11.1: Remote Node Profile for PPTP Encapsulation ................................................. 525
Table 215 Remote Node Network Layer Options Menu Fields ............................................................ 526
Table 216 Menu 12. 1: Edit IP Static Route ......................................................................................... 530
Table 217 Applying NAT in Menus 4 & 11.1.2 ...................................................................................... 535
Table 218 SUA Address Mapping Rules ............................................................................................. 537
Table 219 Fields in Menu 15.1.1 .......................................................................................................... 538
Table 220 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set .......................................... 540
Table 221 15.2.x.x: NAT Server Configuration .................................................................................... 542
Table 222 Menu 15.3.1: Trigger Port Setup ......................................................................................... 551
Table 223 Abbreviations Used in the Filter Rules Summary Menu ..................................................... 559
Table 224 Rule Abbreviations Used .................................................................................................... 559
Table 225 Menu 21.1.1.1: TCP/IP Filter Rule ...................................................................................... 560
Table 226 Generic Filter Rule Menu Fields ......................................................................................... 563
Table 227 SNMP Configuration Menu Fields ....................................................................................... 571
Table 228 SNMP Traps ........................................................................................................................ 572
Table 229 System Maintenance: Status Menu Fields .......................................................................... 574
Table 230 Fields in System Maintenance: Information ........................................................................ 576
Table 231 System Maintenance Menu Syslog Parameters ................................................................. 578
Table 232 System Maintenance Menu Diagnostic ............................................................................... 584
Table 233 Filename Conventions ........................................................................................................ 586
Table 234 General Commands for GUI-based FTP Clients ................................................................ 588
Table 235 General Commands for GUI-based TFTP Clients .............................................................. 589
Table 236 Valid Commands ................................................................................................................. 600
Table 237 Budget Management ........................................................................................................... 602
Table 238 Call History .......................................................................................................................... 603
Table 239 Menu 24.10 System Maintenance: Time and Date Setting ................................................. 605
Table 240 Menu 24.11 – Remote Management Control ...................................................................... 608
Table 241 Menu 25: Sample IP Routing Policy Summary ....................................................................611
Table 242 IP Routing Policy Setup ...................................................................................................... 612
Table 243 Menu 25.1: IP Routing Policy Setup ................................................................................... 613
Table 244 Menu 25.1.1: IP Routing Policy Setup ................................................................................615
Table 245 Schedule Set Setup ............................................................................................................ 620
Table 246 Hardware Specifications ..................................................................................................... 631
Table 247 Firmware Specifications ...................................................................................................... 631
Table 248 Feature Specifications ......................................................................................................... 633
Table 249 Performance ....................................................................................................................... 633
Table 250 Console Cable Pin Assignments ......................................................................................... 636
Table 251 Console Cable Pin Assignments ......................................................................................... 636
Table 252 Ethernet Cable Pin Assignments ........................................................................................ 636
Table 253 Classes of IP Addresses ..................................................................................................... 663
Table 254 Allowed IP Address Range By Class .................................................................................. 664
Table 255 “Natural” Masks .................................................................................................................. 665
Table 256 Alternative Subnet Mask Notation ....................................................................................... 665
Table 257 Two Subnets Example ........................................................................................................ 666
Table 258 Subnet 1 .............................................................................................................................. 666
Table 259 Subnet 2 .............................................................................................................................. 666
Table 260 Subnet 1 .............................................................................................................................. 667
Table 261 Subnet 2 .............................................................................................................................. 667
Table 262 Subnet 3 .............................................................................................................................. 668
Table 263 Subnet 4 .............................................................................................................................. 668
Table 264 Eight Subnets ...................................................................................................................... 668
Table 265 Class C Subnet Planning .................................................................................................... 668
Table 266 Class B Subnet Planning .................................................................................................... 669
Table 267 Commonly Used Services ................................................................................................... 671
Table 268 IEEE 802.11g ...................................................................................................................... 679
Table 269 Wireless Security Levels ..................................................................................................... 680
Table 270 Comparison of EAP Authentication Types .......................................................................... 683
Table 271 Wireless Security Relational Matrix .................................................................................... 686
Table 272 NetBIOS Filter Default Settings .......................................................................................... 710
Table 273 Brute-Force Password Guessing Protection Commands ....................................................711
PART I

Introduction

Getting to Know Your ZyWALL (51)
Introducing the Web Configurator (55)
Wizard Setup (75)
Tutorial (95)
Registration (107)
CHAPTER 1

Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 ZyWALL Internet Security Appliance Overview

The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates. The ZyWALL’s De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers, keeping those servers off the internal LAN segment. The ZyWALL is designed for small and medium sized businesses that need the increased throughput and reliability of dual WAN interfaces and load balancing. The ZyWALL provides the option to change port roles from LAN to DMZ.
You can also deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration.
The ZyWALL provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.
The ZyWALL has a built-in wireless card that allows IEEE 802.11a, IEEE 802.11b or IEEE 802.11g compatible clients to securely communicate with the ZyWALL and access the wired network behind it. You can use the wireless card as part of the LAN, DMZ or WLAN.
Note: Only use firmware for your ZyWALL’s specific model.
See Appendix A on page 245 for a complete list of features.

1.2 Ways to Manage the ZyWALL

Use any of the following methods to manage the ZyWALL.
• Web Configurator. This is recommended for everyday management of the ZyWALL using a (supported) web browser.
• Command Line Interface. Line commands are mostly used for troubleshooting by service engineers.
• SMT. System Management Terminal is a text-based configuration menu that you can use to configure your device.
• FTP for firmware upgrades and configuration backup/restore.
• SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter in this User’s Guide.
• Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server.

1.3 Good Habits for Managing the ZyWALL

Do the following things regularly to make the ZyWALL more secure and to manage it more effectively.
• Change the password. Use a password that is not easy to guess and that consists of different types of characters, such as numbers and letters.
• Write down the password and put it in a safe place.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration is useful if the device becomes unstable or crashes. If you forget your password, you will have to reset the ZyWALL to its factory default settings; with a saved configuration file you can then restore your last configuration instead of re-configuring the ZyWALL from scratch.
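As an added illustration of the first habit (this is example code written for this guide page, not ZyXEL’s own tooling), the Python below draws an administrator password from the operating system’s CSPRNG and checks it against a policy: minimum length, mixed character classes, not on a common-password list, and no repeated or sequential runs of the kind guessing tools try first. The thresholds, the symbol set and the short common-password list are assumptions for the example; the manual says only that the password should be hard to guess and mix character types, and the maximum length the ZyWALL’s Password screen accepts is not stated on this page, so check it before pasting a long value.

```python
import secrets
import string

# Character classes the example policy requires. Assumption for this example:
# the manual only asks for "different types of characters".
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*()-_=+[]{};:,.?/"),
}
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))

# Constructed blocklist of passwords an attacker tries first; in practice load
# a real wordlist here instead of this handful.
COMMON = {"1234", "admin", "password", "zywall", "12345678", "qwerty"}


def classes_present(pw):
    """Names of the character classes that occur in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def check_policy(pw, min_len=12, min_classes=3):
    """Return the list of policy violations; an empty list means pw passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(classes_present(pw)) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if pw.lower() in COMMON:
        problems.append("on the common-password list")
    # Three identical characters in a row (aaa) or a straight run (123, abc)
    # are patterns guessing tools try early, so reject them as well.
    codes = [ord(c) for c in pw]
    if any(codes[i] == codes[i + 1] == codes[i + 2] for i in range(len(codes) - 2)):
        problems.append("contains a character repeated three or more times")
    if any(codes[i + 1] - codes[i] == 1 and codes[i + 2] - codes[i + 1] == 1
           for i in range(len(codes) - 2)):
        problems.append("contains a sequential run such as 1234 or abcd")
    return problems


def generate_password(length=16):
    """Draw from the OS CSPRNG until the result satisfies check_policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(pw):
            return pw


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, check_policy(candidate))
    print("admin", check_policy("admin"))
```

Run it once, enter the generated value in the ZyWALL’s Password screen, and record it where the second habit says to. The same `check_policy` function can vet a password you chose yourself before you commit it to the device.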

1.4 Applications for the ZyWALL

Here are some examples of what you can do with your ZyWALL.

1.4.1 Secure Broadband Internet Access via Cable or DSL Modem

For Internet access, connect the WAN Ethernet port to your existing Internet access gateway (company network, or your cable or DSL modem for example). Connect computers or servers to the LAN, DMZ or WLAN ports for shared Internet access.
The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.
Figure 1 Secure Internet Access via Cable or DSL Modem

1.4.2 VPN Application

ZyWALL VPN is an ideal cost-effective way to securely connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites.
Figure 2 VPN Application

1.4.3 3G WAN Application

Insert a 3G card to have the ZyWALL (in router mode) wirelessly access the Internet via a 3G base station. See Section 8.12 on page 152 for more information about 3G.
With both the primary WAN (physical WAN port) and 3G WAN connections enabled, you can use load balancing to improve quality of service and maximize bandwidth utilization or set one of the WAN connections as a backup.
Figure 3 3G WAN Application

1.4.4 Front Panel Lights

Figure 4 Front Panel
The following table describes the lights.
Table 1 Front Panel Lights
LED | COLOR | STATUS | DESCRIPTION
PWR | | Off | The ZyWALL is turned off.
PWR | Green | On | The ZyWALL is ready and running.
PWR | Green | Flashing | The ZyWALL is restarting.
PWR | Red | On | The power to the ZyWALL is too low.
LAN/DMZ 10/100 | | Off | The LAN/DMZ is not connected.
LAN/DMZ 10/100 | Green | On | The ZyWALL has a successful 10Mbps Ethernet connection.
LAN/DMZ 10/100 | Green | Flashing | The 10M LAN is sending or receiving packets.
LAN/DMZ 10/100 | Orange | On | The ZyWALL has a successful 100Mbps Ethernet connection.
LAN/DMZ 10/100 | Orange | Flashing | The 100M LAN is sending or receiving packets.
WAN | | Off | The WAN connection is not ready, or has failed.
WAN | Green | On | The ZyWALL has a successful 10Mbps WAN connection.
WAN | Green | Flashing | The 10M WAN is sending or receiving packets.
WAN | Orange | On | The ZyWALL has a successful 100Mbps WAN connection.
WAN | Orange | Flashing | The 100M WAN is sending or receiving packets.
AUX | Green | Off | The backup port is not connected.
AUX | Green | On | The backup port is connected.
AUX | Green | Flashing | The backup port is sending or receiving packets.
WLAN | Green | Off | The wireless LAN is not ready, or has failed.
WLAN | Green | On | The wireless LAN is ready.
WLAN | Green | Flashing | The wireless LAN is sending or receiving packets.
CARD | | Off | There is no 3G card inserted in the ZyWALL.
CARD | Green | On | A 3G card is inserted and detected by the ZyWALL.
CARD | Orange | On | The 3G WAN connection is ready.
CARD | Orange | Flashing | The 3G WAN is sending or receiving packets.
CHAPTER 2
Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
• JavaScript (enabled by default).
• Java permissions (enabled by default).
See Appendix C on page 641 if you want to make sure these functions are allowed in Internet Explorer or Netscape Navigator.

2.2 Accessing the ZyWALL Web Configurator

" By default, the packets from WLAN to WLAN/ZyWALL are dropped and users cannot configure the ZyWALL wirelessly.
1 Make sure your ZyWALL hardware is properly connected and prepare your computer/computer network to connect to the ZyWALL (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.1" as the URL.
4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Figure 5 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
" If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
Figure 6 Replace Certificate Screen
7 You should now see the HOME screen (see Figure 9 on page 59).
" The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.

2.3 Resetting the ZyWALL

If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will be reset to 1234, also.

2.3.1 Procedure To Use The Reset Button

Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button. The SYS LED will begin to blink and flicker very quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting.
5 Release the RESET button and wait for the ZyWALL to finish restarting.

2.3.2 Uploading a Configuration File Via Console Port

1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
2 Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
3 Enter "y" at the prompt below to go into debug mode.
4 Enter "atlc" after the "Enter Debug Mode" message.
5 Wait for the "Starting XMODEM upload" message before activating Xmodem upload on your terminal. This is an example Xmodem configuration upload using HyperTerminal.
Figure 7 Example Xmodem Upload
Type the configuration file’s location, or click Browse to search for it.
Choose the Xmodem protocol.
Then click Send.
6 After successful firmware upload, enter "atgo" to restart the router.
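The console dialogue and Xmodem transfer of steps 2 to 6, as an added example that is not ZyXEL's code: a minimal XMODEM checksum-mode sender and an expect/send driver, run here against a simulated console so it executes offline. Assumed: a real serial port object such as a pyserial Serial exposes the same read(n)/write(b) calls, and the wording of the y/n prompt in step 3, which the guide does not quote, is a placeholder in the simulator.

```python
# Added example, not ZyXEL code. "port" is any object with read(n)/write(b), e.g. a pyserial Serial.
SOH, EOT, ACK, NAK, PAD = b"\x01", b"\x04", b"\x06", b"\x15", b"\x1a"
BLOCK = 128


def xmodem_frames(data):
    """Split data into 132-byte frames: SOH, block#, 255-block#, payload, checksum."""
    frames = []
    for i in range(0, len(data), BLOCK):
        blk = (i // BLOCK + 1) & 0xFF                  # block numbers start at 1 and wrap
        payload = data[i:i + BLOCK].ljust(BLOCK, PAD)  # short final block is padded with 0x1A
        csum = sum(payload) & 0xFF                     # arithmetic checksum of the payload
        frames.append(bytes([SOH[0], blk, 255 - blk]) + payload + bytes([csum]))
    return frames


def xmodem_send(port, data, retries=10):
    """Send data once the receiver opens with NAK; return the number of frames sent."""
    start = port.read(1)
    while start not in (NAK, b""):                     # skip line ends left after the banner
        start = port.read(1)
    if start != NAK:
        raise RuntimeError("receiver did not request a checksum-mode transfer")
    frames = xmodem_frames(data)
    for frame in frames:
        for _ in range(retries):                       # resend until the receiver ACKs
            port.write(frame)
            if port.read(1) == ACK:
                break
        else:
            raise RuntimeError("block %d rejected %d times" % (frame[1], retries))
    port.write(EOT)
    if port.read(1) != ACK:
        raise RuntimeError("EOT was not acknowledged")
    return len(frames)


def wait_for(port, marker):
    """Expect-style read, one byte at a time so nothing after the marker is consumed."""
    buf = b""
    while not buf.endswith(marker):
        byte = port.read(1)
        if not byte:
            raise TimeoutError("console went quiet before %r" % marker)
        buf += byte
    return buf


def restore_default_config(port, config):
    """Drive steps 2 to 6 of Section 2.3.2; returns the number of XMODEM frames sent."""
    wait_for(port, b"Press Any key to enter Debug Mode")   # step 2: boot banner
    port.write(b" ")
    port.write(b"y\r\n")                  # step 3 (the guide does not quote the prompt text)
    wait_for(port, b"Enter Debug Mode")                    # step 4
    port.write(b"atlc\r\n")
    wait_for(port, b"Starting XMODEM upload")              # step 5: receiver is ready
    sent = xmodem_send(port, config)
    port.write(b"atgo\r\n")                                # step 6: restart with defaults
    return sent                           # password is back to 1234: change it after reboot


class FakeZyWallConsole:
    """Scripted stand-in for the serial console (constructed; placeholder prompt wording)."""
    def __init__(self, nak_once=()):
        self.out = b"Press Any key to enter Debug Mode within 3 seconds\r\n"
        self.state, self.received, self.expect = "boot", b"", 1
        self.nak_once = set(nak_once)      # block numbers to reject on their first attempt

    def read(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk

    def write(self, data):
        cmd = data.strip()
        if self.state == "boot":                           # any key leads to the y/n prompt
            self.out += b"Debug mode? (y/n) "              # placeholder prompt text
            self.state = "ask"
        elif self.state == "ask" and cmd == b"y":
            self.out += b"Enter Debug Mode\r\n"
            self.state = "debug"
        elif self.state == "debug" and cmd == b"atlc":
            self.out += b"Starting XMODEM upload\r\n" + NAK   # NAK opens checksum mode
            self.state = "xmodem"
        elif self.state == "debug" and cmd == b"atgo":
            self.state = "restarting"
        elif self.state == "xmodem":
            self.out += self._receive(data)

    def _receive(self, frame):
        if frame == EOT:
            self.state = "debug"
            return ACK
        ok = (len(frame) == BLOCK + 4 and frame[0] == SOH[0]
              and frame[1] == self.expect & 0xFF and frame[2] == 255 - frame[1]
              and frame[-1] == sum(frame[3:-1]) & 0xFF)
        if not ok or frame[1] in self.nak_once:            # bad frame, or a simulated one
            self.nak_once.discard(frame[1])
            return NAK
        self.received += frame[3:-1]
        self.expect += 1
        return ACK
```

The simulator's one-off NAK on a block shows why the sender must retry, and the checksum check is what rejects a corrupted frame; after the restart the password is back to 1234 (Section 2.3), so change it straight away.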

2.4 Navigating the ZyWALL Web Configurator

The following summarizes how to navigate the web configurator from the HOME screen.
Figure 8 HOME Screen
As illustrated above, the main screen is divided into these parts:
A - title bar
B - navigation panel
C - main window
D - status bar

2.4.1 Title Bar

The title bar provides some icons in the upper right corner.
The icons provide the following functions.
Table 2 Title Bar: Web Configurator Icons
ICON | DESCRIPTION
Wizards | Click this icon to open one of the web configurator wizards. See Chapter 3 on page 75 for more information.
Help | Click this icon to open the help page for the current screen.

2.4.2 Main Window

The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document.
Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE > Device Mode screen.

2.4.3 HOME Screen: Router Mode

The following screen displays when the ZyWALL is set to router mode. This screen displays general status information about the ZyWALL. The ZyWALL is set to router mode by default.
WAN 2 refers to the 3G card on the supported ZyWALL in router mode.
Figure 9 Web Configurator HOME Screen in Router Mode
The following table describes the labels in this screen.
Table 3 Web Configurator HOME Screen in Router Mode
LABEL | DESCRIPTION
Automatic Refresh Interval | Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh | Click this button to update the status screen statistics immediately.
System Information
System Name | This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Model | This is the model name of your ZyWALL.
Bootbase Version | This is the bootbase version and the date created.
Firmware Version | This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
Up Time | This field displays how long the ZyWALL has been running since it last started up. The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 57).
System Time | This field displays your ZyWALL’s present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it. Click the field label to go to the screen where you can modify the ZyWALL’s date and time settings.
Device Mode | This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
Firewall | This displays whether or not the ZyWALL’s firewall is activated. Click the field label to go to the screen where you can turn the firewall on or off.
System Resources
Flash | The first number shows how many megabytes of the flash the ZyWALL is using.
Memory | The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in megabytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions | The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
CPU | This field displays what percentage of the ZyWALL’s processing ability is currently used. When this percentage is close to 100%, the ZyWALL is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using bandwidth management).
Interfaces | This is the port type. Click "+" to expand or "-" to collapse the IP alias drop-down lists. Hold your cursor over an interface’s label to display the interface’s MAC Address. Click an interface’s label to go to the screen where you can configure settings for that interface.
Status | For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time. The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect. For the WAN interface(s) and the Dial Backup port, it displays the port speed and duplex setting if you’re using Ethernet encapsulation or the remote node name (configured through the SMT) for a PPP connection and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
IP/Netmask | This shows the port’s IP address and subnet mask.
IP Assignment | For the WAN, if the ZyWALL gets its IP address automatically from an ISP, this displays DHCP client when you’re using Ethernet encapsulation and IPCP Client when you’re using PPPoE or PPTP encapsulation. Static displays if the WAN port is using a manually entered static (fixed) IP address. For the LAN, WLAN or DMZ, DHCP server displays when the ZyWALL is set to automatically give IP address information to the computers connected to the LAN. DHCP relay displays when the ZyWALL is set to forward IP address assignment requests to another DHCP server. Static displays if the LAN port is using a manually entered static (fixed) IP address. In this case, you must have another DHCP server on your LAN, or else the computers must be manually configured. For the dial backup port, this shows N/A when dial backup is disabled and IPCP client when dial backup is enabled.
Renew | If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port’s dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP, PPPoE or dial backup connection. Click Drop to disconnect the PPTP, PPPoE, 3G WAN or dial backup connection.
Security Services
Content Filter Expiration Date | This is the date the category-based content filtering service subscription expires. Click the field label to go to the screen where you can update your service subscription.
Web Site Blocked | This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
3G WAN Interface Status | The fields below show up on the ZyWALL with a 3G card inserted.
3G Connection Status | This displays WAN2 (the remote node name configured through the SMT) when the 3G connection is up. This displays Down when the 3G connection is down or not activated. This displays Idle when the 3G connection is idle. This displays Init when the ZyWALL is initializing the 3G card. This displays Drop when the ZyWALL is dropping a call. This also displays whether the ZyWALL is connected to a UMTS/HSDPA network or GPRS/EDGE network.
Service Provider | This displays the name of your network service provider or Limited Service when the signal strength is too low.
Signal Strength | This displays the strength of the signal. The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider’s base station.
Connection Up Time | This displays how long the 3G connection has been up.
Tx Bytes | This displays the total number of data frames transmitted.
Rx Bytes | This displays the total number of data frames received.
3G Card Manufacturer | This displays the manufacturer of your 3G card.
3G Card Model | This displays the model name of your 3G card.
3G Card Firmware Revision | This displays the version of the firmware currently used in the 3G card.
3G Card IMEI | This displays the International Mobile Equipment Number (IMEI) which is the serial number of the 3G wireless card. IMEI is a unique 15-digit number used to identify a mobile device.
SIM Card IMSI | This displays the International Mobile Subscriber Identity (IMSI) stored in the SIM (Subscriber Identity Module) card. The SIM card is installed in a mobile device and used for authenticating a customer to the carrier network. IMSI is a unique 15-digit number used to identify a user on a network.
Latest Alerts | This table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets.
Date/Time | This is the date and time the alert was recorded.
Message | This is the reason for the alert.
System Status
Port Statistics | Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
DHCP Table | Click DHCP Table to show current DHCP client information.
VPN | Click VPN to display the active VPN connections.
Bandwidth | Click Bandwidth to view the ZyWALL’s bandwidth usage and allotments.

2.4.4 HOME Screen: Bridge Mode

The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.
In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode.
Figure 10 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels in this screen.
Table 4 Web Configurator HOME Screen in Bridge Mode
LABEL | DESCRIPTION
Automatic Refresh Interval | Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh | Click this button to update the screen’s statistics immediately.
System Information
System Name | This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Model | This is the model name of your ZyWALL.
Bootbase Version | This is the bootbase version and the date created.
Firmware Version | This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
Up Time | This field displays how long the ZyWALL has been running since it last started up. The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 57).
System Time | This field displays your ZyWALL’s present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it. Click the field label to go to the screen where you can modify the ZyWALL’s date and time settings.
Device Mode | This displays whether the ZyWALL is functioning as a router or a bridge. Click the field label to go to the screen where you can configure the ZyWALL as a router or a bridge.
Firewall | This displays whether or not the ZyWALL’s firewall is activated. Click the field label to go to the screen where you can turn the firewall on or off.
System Resources
Flash | The first number shows how many megabytes of the flash the ZyWALL is using.
Memory | The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in megabytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions | The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
CPU | This field displays what percentage of the ZyWALL’s processing ability is currently used. When this percentage is close to 100%, the ZyWALL is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using bandwidth management).
Network Status
IP/Netmask Address | This is the IP address and subnet mask of your ZyWALL in dotted decimal notation.
Gateway IP Address | This is the gateway IP address.
Rapid Spanning Tree Protocol | This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The following labels or values relative to RSTP do not apply when RSTP is disabled.
Bridge Priority | This is the bridge priority of the ZyWALL. The bridge (or switch) with the lowest bridge priority value in the network is the root bridge (the base of the spanning tree).
Bridge Hello Time | This is the interval of BPDUs (Bridge Protocol Data Units) from the root bridge.
Bridge Max Age | This is the predefined interval that a bridge waits to get a Hello message (BPDU) from the root bridge.
Forward Delay | This is the forward delay interval.
Bridge Port | This is the port type. Port types are: WAN, LAN, Wireless Card, DMZ and WLAN Interface.
Port Status | For the WAN, LAN, DMZ, and WLAN Interfaces, this displays the port speed and duplex setting. For the WAN port, it displays Down when the link is not ready or has failed. For the wireless card, it displays the transmission rate when WLAN is enabled or Down when WLAN is disabled.
RSTP Status | This is the RSTP status of the corresponding port.
RSTP Active | This shows whether or not RSTP is active on the corresponding port.
RSTP Priority | This is the RSTP priority of the corresponding port.
RSTP Path Cost | This is the cost of transmitting a frame from the root bridge to the corresponding port.
Security Services
Content Filter Expiration Date | This is the date the category-based content filtering service subscription expires. Click the field label to go to the screen where you can update your service subscription.
Web Site Blocked | This displays how many web site hits the ZyWALL has blocked since it last started up. N/A displays when the service subscription has expired.
Latest Alerts | This table displays the five most recent alerts recorded by the ZyWALL. You can see more information in the View Log screen, such as the source and destination IP addresses and port numbers of the incoming packets.
Date/Time | This is the date and time the alert was recorded.
Message | This is the reason for the alert.
System Status
Port Statistics | Click Port Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
VPN | Click VPN to display the active VPN connections.
Bandwidth | Click Bandwidth to view the ZyWALL’s bandwidth usage and allotments.

2.4.5 Navigation Panel

After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features.
The following table lists the features available for each device mode.
Table 5 Bridge and Router Mode Features Comparison
FEATURE | BRIDGE MODE | ROUTER MODE
Internet Access Wizard | - | O
VPN Wizard | O | O
DHCP Table | - | O
System Statistics | O | O
Registration | O | O
LAN | - | O
WAN | - | O
DMZ | - | O
Bridge | O | -
WLAN | - | O
Wireless Card | O | O
Firewall | O | O
Content Filter | O | O
VPN | O | O
Certificates | O | O
Authentication Server | O | O
NAT | - | O
Static Route | - | O
Policy Route | - | O
Bandwidth Management | O | O
DNS | - | O
Remote Management | O | O
UPnP | - | O
ALG | O | O
Logs | O | O
Maintenance | O | O
Table Key: An O in a mode’s column shows that the device mode has the specified feature; a dash shows that it does not. The information in this table was correct at the time of writing, although it may be subject to change.
The following table describes the sub-menus.
Table 6 Screens Summary
LINK | TAB | FUNCTION
HOME | | This screen shows the ZyWALL’s general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
REGISTRATION | Registration | Use this screen to register your ZyWALL and activate the trial service subscriptions.
REGISTRATION | Service | Use this to manage and update the service status and license information.
NETWORK
LAN | LAN | Use this screen to configure LAN DHCP and TCP/IP settings.
LAN | Static DHCP | Use this screen to assign fixed IP addresses on the LAN.
LAN | IP Alias | Use this screen to partition your LAN interface into subnets.
LAN | Port Roles | Use this screen to change the LAN/DMZ/WLAN port roles.
BRIDGE | Bridge | Use this screen to change the bridge settings on the ZyWALL.
BRIDGE | Port Roles | Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WAN | General | This screen allows you to configure load balancing, route priority and traffic redirect properties.
WAN | WAN1 | Use this screen to configure the WAN1 connection for Internet access.
WAN | WAN2 | Use this screen to configure the WAN2 connection for Internet access.
WAN | Traffic Redirect | Use this screen to configure your traffic redirect properties and parameters.
WAN | Dial Backup | Use this screen to configure the backup WAN dial-up connection.
DMZ | DMZ | Use this screen to configure your DMZ connection.
DMZ | Static DHCP | Use this screen to assign fixed IP addresses on the DMZ.
DMZ | IP Alias | Use this screen to partition your DMZ interface into subnets.
DMZ | Port Roles | Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WLAN | WLAN | Use this screen to configure your WLAN connection.
WLAN | Static DHCP | Use this screen to assign fixed IP addresses on the WLAN.
WLAN | IP Alias | Use this screen to partition your WLAN interface into subnets.
WLAN | Port Roles | Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL.
WIRELESS CARD | Wireless Card | Use this screen to configure the wireless LAN settings.
WIRELESS CARD | Security | Use this screen to configure the WLAN security settings.
WIRELESS CARD | MAC Filter | Use this screen to change MAC filter settings on the ZyWALL.
SECURITY
FIREWALL | Default Rule | Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule.
FIREWALL | Rule Summary | This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
FIREWALL | Anti-Probing | Use this screen to change your anti-probing settings.
FIREWALL | Threshold | Use this screen to configure the threshold for DoS attacks.
FIREWALL | Service | Use this screen to configure custom services.
CONTENT FILTER | General | This screen allows you to enable content filtering and block certain web features.
CONTENT FILTER | Categories | Use this screen to select which categories of web pages to filter out, as well as to register for external database content filtering and view reports.
CONTENT FILTER | Customization | Use this screen to customize the content filter list.
CONTENT FILTER | Cache | Use this screen to view and configure the ZyWALL’s URL caching.
VPN | VPN Rules (IKE) | Use this screen to configure VPN connections using IKE key management and view the rule summary.
VPN | VPN Rules (Manual) | Use this screen to configure VPN connections using manual key management and view the rule summary.
VPN | SA Monitor | Use this screen to display and manage active VPN connections.
VPN | Global Setting | Use this screen to configure the IPSec timer settings.
CERTIFICATES | My Certificates | Use this screen to view a summary list of certificates and manage certificates and certification requests.
CERTIFICATES | Trusted CAs | Use this screen to view and manage the list of the trusted CAs.
CERTIFICATES | Trusted Remote Hosts | Use this screen to view and manage the certificates belonging to the trusted remote hosts.
CERTIFICATES | Directory Servers | Use this screen to view and manage the list of the directory servers.
AUTH SERVER | Local User Database | Use this screen to configure the local user account(s) on the ZyWALL.
AUTH SERVER | RADIUS | Configure this screen to use an external server to authenticate wireless and/or VPN users.
ADVANCED
NAT | NAT Overview | Use this screen to enable NAT.
NAT | Address Mapping | Use this screen to configure network address translation mapping rules.
NAT | Port Forwarding | Use this screen to configure servers behind the ZyWALL.
NAT | Port Triggering | Use this screen to change your ZyWALL’s port triggering settings.
STATIC ROUTE | IP Static Route | Use this screen to configure IP static routes.
POLICY ROUTE | Policy Route Summary | Use this screen to view a summary list of all the policies and configure policies for use in IP policy routing.
BW MGMT | Summary | Use this screen to enable bandwidth management on an interface.
BW MGMT | Class Setup | Use this screen to set up the bandwidth classes.
BW MGMT | Monitor | Use this screen to view the ZyWALL’s bandwidth usage and allotments.
DNS | System | Use this screen to configure the address and name server records.
DNS | Cache | Use this screen to configure the DNS resolution cache.
DNS | DHCP | Use this screen to configure LAN/DMZ/WLAN DNS information.
DNS | DDNS | Use this screen to set up dynamic DNS.
REMOTE MGMT | WWW | Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL.
REMOTE MGMT | SSH | Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
REMOTE MGMT | TELNET | Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL.
REMOTE MGMT | FTP | Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL.
REMOTE MGMT | SNMP | Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management.
REMOTE MGMT | DNS | Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyWALL.
REMOTE MGMT | CNM | Use this screen to configure and allow your ZyWALL to be managed by the Vantage CNM server.
UPnP | UPnP | Use this screen to enable UPnP on the ZyWALL.
UPnP | Ports | Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
ALG | ALG | Use this screen to allow certain applications to pass through the ZyWALL.
LOGS | View Log | Use this screen to view the logs for the categories that you selected.
LOGS | Log Settings | Use this screen to change your ZyWALL’s log settings.
LOGS | Reports | Use this screen to have the ZyWALL record and display the network usage reports.
MAINTENANCE | General | This screen contains administrative.
MAINTENANCE | Password | Use this screen to change your password.
MAINTENANCE | Time and Date | Use this screen to change your ZyWALL’s time and date.
MAINTENANCE | Device Mode | Use this screen to configure and have your ZyWALL work as a router or a bridge.
MAINTENANCE | F/W Upload | Use this screen to upload firmware to your ZyWALL.
MAINTENANCE | Backup & Restore | Use this screen to backup and restore the configuration or reset the factory defaults to your ZyWALL.
MAINTENANCE | Restart | This screen allows you to reboot the ZyWALL without turning the power off.
LOGOUT | | Click this label to exit the web configurator.
2.4.6 Port Statistics
Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The automatic refresh interval is configurable. Not all items described are available on all models.
Figure 11 HOME > Show Statistics
The following table describes the labels in this screen.
Table 7 HOME > Show Statistics
LABEL DESCRIPTION
(chart icon) Click the icon to display the chart of throughput statistics.
Port These are the ZyWALL’s interfaces.
Status For the WAN interface(s) and the Dial Backup port, this displays the port speed and duplex setting if you’re using Ethernet encapsulation. If you’re using PPPoE encapsulation, it displays the remote node name for the PPP connection and Down (line is down or not connected), Idle (PPP line idle), Dial (starting to trigger a call) or Drop (dropping a call). Dial backup is not available in bridge mode. For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. For the WLAN card, this displays the transmission rate when WLAN is enabled or Down when WLAN is disabled.
TxPkts This is the number of transmitted packets on this port.
RxPkts This is the number of received packets on this port.
Tx B/s This displays the transmission speed in bytes per second on this port.
Rx B/s This displays the reception speed in bytes per second on this port.
Up Time This is the total amount of time the line has been up.
System Up Time This is the total time the ZyWALL has been on.
Automatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh Click this button to update the screen’s statistics immediately.
2.4.7 Show Statistics: Line Chart
Click the icon in the Show Statistics screen. This screen shows you a line chart of each port’s throughput statistics.
Figure 12 HOME > Show Statistics > Line Chart
The following table describes the labels in this screen.
Table 8 HOME > Show Statistics > Line Chart
LABEL DESCRIPTION
(back icon) Click the icon to go back to the Show Statistics screen.
Port Select the check box(es) to display the throughput statistics of the corresponding interface(s).
B/s Specify the direction of the traffic for which you want to show throughput statistics in this table. Select Tx to display transmitted traffic throughput statistics and the amount of traffic (in bytes). Select Rx to display received traffic throughput statistics and the amount of traffic (in bytes).
Throughput Range Set the range of the throughput (in B/s, KB/s or MB/s) to display. Click Set Range to save this setting back to the ZyWALL.
2.4.8 DHCP Table Screen
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else each computer must be manually configured.
Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL’s DHCP server.
Figure 13 HOME > DHCP Table
The following table describes the labels in this screen.
Table 9 HOME > DHCP Table
LABEL DESCRIPTION
Interface Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
# This is the index number of the host computer.
IP Address This field displays the IP address relative to the # field listed above.
Host Name This field displays the computer host name.
MAC Address The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal digits). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has the same address. Note that the host name is whatever the client reports and the MAC address can be changed in software, so neither should be treated as proof of a device’s identity.
Reserve Select the check box in the heading row to automatically select all check boxes or select the check box(es) in each entry to have the ZyWALL always assign the selected entry(ies)’s IP address(es) to the corresponding MAC address(es) (and host name(s)). You can select up to 128 entries in this table. After you click Apply, the MAC address and IP address also display in the corresponding LAN, DMZ or WLAN Static DHCP screen (where you can edit them).
Refresh Click Refresh to reload the DHCP table.
2.4.9 VPN Status
Click VPN in the HOME screen. This screen displays read-only information about the active VPN connections. The automatic refresh interval is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
Figure 14 HOME > VPN Status
The following table describes the labels in this screen.
Table 10 HOME > VPN Status
LABEL DESCRIPTION
# This is the security association index number.
Name This field displays the identification name for this VPN policy.
Local Network This field displays the IP address(es) of the computer(s) behind your ZyWALL that use this VPN tunnel.
Remote Network This field displays the IP address (or range of addresses) of the computers on the remote network behind the remote IPSec router.
Encapsulation This field displays Tunnel or Transport mode.
IPSec Algorithm This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Automatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh Click this button to update the screen’s statistics immediately.
2.4.10 Bandwidth Monitor
Click Bandwidth in the HOME screen to display the bandwidth monitor. This screen displays the device’s bandwidth usage and allotments.
Figure 15 Home > Bandwidth Monitor
The following table describes the labels in this screen.
Table 11 ADVANCED > BW MGMT > Monitor
LABEL DESCRIPTION
Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class This field displays the name of the bandwidth class. A Default Class (see note A) automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes. If you do not enable maximize bandwidth usage on an interface, the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes.
Budget (kbps) This field displays the amount of bandwidth allocated to the bandwidth class.
Current Usage (kbps) This field displays the amount of bandwidth that each bandwidth class is using.
Automatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Refresh Click this button to update the screen’s statistics immediately.
A. If you allocate all the root class’s bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).
CHAPTER 3

Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview

The web configurator's setup wizards help you configure Internet and VPN connection settings.
In the HOME screen, click the Wizard icon to open the Wizard Setup Welcome screen. The following summarizes the wizards you can select:
• Internet Access Setup
Click this link to open a wizard to set up an Internet connection for WAN 1 (the WAN port) on the ZyWALL (in router mode).
• VPN Setup
Use VPN SETUP to configure a VPN connection that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. See Section 3.3 on page 84.
Figure 16 Wizard Setup Welcome

3.2 Internet Access

The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
Chapter 3 Wizard Setup

3.2.1 ISP Parameters

The ZyWALL offers three choices of encapsulation: Ethernet, PPTP or PPPoE. The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field.
3.2.1.1 Ethernet
Choose Ethernet when the WAN port is used as a regular Ethernet.
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.
Figure 17 ISP Parameters: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 12 ISP Parameters: Ethernet Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
WAN IP Address Assignment
IP Address Assignment Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address Enter your WAN IP address in this field.
My WAN IP Subnet Mask Enter the IP subnet mask in this field.
Gateway IP Address Enter the gateway IP address in this field.
First DNS Server / Second DNS Server Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back Click Back to return to the previous wizard screen.
Apply Click Apply to save your changes and go to the next screen.
3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) specification describing how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
Figure 18 ISP Parameters: PPPoE Encapsulation
The following table describes the labels in this screen.
Table 13 ISP Parameters: PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name Type the name of your service provider.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the user name above.
Retype to Confirm Type your password again for confirmation.
Nailed-Up Select Nailed-Up if you do not want the connection to time out.
Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
WAN IP Address Assignment
IP Address Assignment Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address Enter your WAN IP address in this field.
First DNS Server / Second DNS Server Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back Click Back to return to the previous wizard screen.
Apply Click Apply to save your changes and go to the next screen.
3.2.1.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.
" The ZyWALL supports one PPTP server connection at any given time.
" In this wizard PPTP is the encapsulation between the ZyWALL and your ISP’s (or xDSL modem’s) PPTP server, not a replacement for the IPSec VPN configured in Section 3.3. PPTP’s MS-CHAPv2 authentication and MPPE encryption are considered weak, so do not rely on it to protect traffic across an untrusted network.
Figure 19 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen.
Table 14 ISP Parameters: PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the User Name above.
Retype to Confirm Type your password again for confirmation.
Nailed-Up Select Nailed-Up if you do not want the connection to time out.
Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
Server IP Address Type the IP address of the PPTP server.
Connection ID/ Name Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
WAN IP Address Assignment
IP Address Assignment Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address Enter your WAN IP address in this field.
First DNS Server / Second DNS Server Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
Back Click Back to return to the previous wizard screen.
Apply Click Apply to save your changes and go to the next screen.
3.2.2 Internet Access Wizard: Second Screen
Click Next to go to the screen where you can register your ZyWALL and activate the free content filtering trial application. Otherwise, click Skip to display the congratulations screen and click Close to complete the Internet access setup.
Figure 20 Internet Access Wizard: Second Screen
Figure 21 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 20 on page 80), the following screen displays.
Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial applications of services like content filtering, anti-spam, anti-virus and IDP.
" If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION > Service screen.
Figure 22 Internet Access Wizard: Registration
The following table describes the labels in this screen.
Table 15 Internet Access Wizard: Registration
LABEL DESCRIPTION
Device Registration If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.com account If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL.
User Name Enter a user name for your myZyXEL.com account. The name should be from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Check Click this button to check with the myZyXEL.com database to verify that the user name you entered has not been used.
Password Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Confirm Password Enter the password again for confirmation.
E-Mail Address Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country Select your country from the drop-down list box.
Back Click Back to return to the previous screen.
Next Click Next to continue.
After you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish.
Figure 23 Internet Access Wizard: Registration in Progress
3.2.4 Internet Access Wizard: Status
This screen shows your device registration and service subscription status. Click Close to leave the wizard screen when the registration and activation are done.
Figure 24 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 25 Internet Access Wizard: Registration Failed
3.2.5 Internet Access Wizard: Service Activation
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
Figure 26 Internet Access Wizard: Registered Device
Figure 27 Internet Access Wizard: Activated Services

3.3 VPN Wizard Gateway Setting

Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel.
Click VPN Setup in the Wizard Setup Welcome screen (Figure 16 on page 75) to open the VPN configuration wizard. The first screen displays as shown next.
Figure 28 VPN Wizard: Gateway Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard: Gateway Setting
LABEL DESCRIPTION
Gateway Policy Property
Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The following applies if the My ZyWALL field is configured as 0.0.0.0: When the WAN interface operation mode is set to Active/Passive, the ZyWALL uses the IP address (static or dynamic) of the WAN interface that is in use. When the WAN interface operation mode is set to Active/Active, the ZyWALL uses the IP address (static or dynamic) of the primary (highest priority) WAN interface to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up. If the corresponding WAN1 or WAN2 connection goes down, the ZyWALL uses the IP address of the other WAN interface. If both WAN connections go down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL’s IP address.
Remote Gateway Address Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address or a domain name. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. With 0.0.0.0 the ZyWALL cannot use the peer’s address to tell it apart from any other host on the Internet, so the pre-shared key entered in the IKE Tunnel Setting screen is the only thing that authenticates the remote gateway; choose it accordingly.
Back Click Back to return to the previous screen.
Next Click Next to continue.

3.4 VPN Wizard Network Setting

Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel.
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Figure 29 VPN Wizard: Network Setting
The following table describes the labels in this screen.
Table 17 VPN Wizard: Network Setting
LABEL DESCRIPTION
Network Policy Property
Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Name Type up to 32 characters to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Network Policy Setting
Local Network Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/ Subnet Mask When the Local Network field is configured to Single, this field is N/A. When the Local Network field is configured to Range IP, enter the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/ Subnet Mask When the Remote Network field is configured to Single, this field is N/A. When the Remote Network field is configured to Range IP, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Back Click Back to return to the previous screen.
Next Click Next to continue.
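The activation rule stated above (two active network policies may share a local selector or a remote selector, but not both) is easy to violate by accident when one policy is written as a Range IP and another as a Subnet that cover the same hosts. The following Python is an added example, not ZyXEL code: it normalizes the wizard's Single, Range IP and Subnet selectors to inclusive address ranges and checks a candidate policy against the active ones. The `NetworkPolicy` class, the function names and the sample addresses are this example's own; it compares selectors for equality, as the rule is stated, and does not judge partial overlap.

```python
"""Added example (not ZyXEL code): apply the VPN wizard's rule that two active
network policies (IPSec SAs) may share a local selector or a remote selector,
but not both. Selector kinds mirror the wizard's Local/Remote Network field:
"Single", "Range IP" and "Subnet"."""
import ipaddress
from dataclasses import dataclass


def selector_to_range(kind, start, end_or_mask=None):
    """Normalize one selector to an inclusive (first, last) pair of integer
    IPv4 addresses, so that a Range IP and a Subnet covering the same hosts
    compare equal."""
    first = ipaddress.IPv4Address(start)
    if kind == "Single":
        # Ending IP Address / Subnet Mask is N/A for a single address
        return int(first), int(first)
    if kind == "Range IP":
        last = ipaddress.IPv4Address(end_or_mask)
        if last < first:
            raise ValueError("Ending IP Address precedes Starting IP Address")
        return int(first), int(last)
    if kind == "Subnet":
        # strict=False: the wizard takes any address on the subnet plus its mask
        net = ipaddress.IPv4Network((start, end_or_mask), strict=False)
        return int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"unknown selector kind {kind!r}")


@dataclass(frozen=True)
class NetworkPolicy:
    """One VPN network policy as the wizard's status summary shows it
    (this class is the example's own, not a ZyWALL data structure)."""
    name: str
    active: bool
    local: tuple    # (first, last) from selector_to_range
    remote: tuple


def conflicts(candidate, existing):
    """Names of active policies the candidate may not be active alongside:
    identical local AND identical remote selectors. Inactive policies never
    conflict, so several configured SAs between the same addresses are fine
    as long as only one of them is active."""
    if not candidate.active:
        return []
    return [p.name for p in existing
            if p.active and p.local == candidate.local
            and p.remote == candidate.remote]


if __name__ == "__main__":
    # Constructed sample policies; the addresses are illustrative only.
    hq = NetworkPolicy("hq", True,
                       selector_to_range("Subnet", "192.168.1.1", "255.255.255.0"),
                       selector_to_range("Subnet", "10.0.0.0", "255.255.255.0"))
    dup = NetworkPolicy("hq-range", True,
                        selector_to_range("Range IP", "192.168.1.0", "192.168.1.255"),
                        selector_to_range("Subnet", "10.0.0.0", "255.255.255.0"))
    print(conflicts(dup, [hq]))   # ['hq']: the same hosts on both sides
```

Run the check before ticking Active on a new policy; if it names an existing policy, either deactivate that one or change one side of the new policy's selectors.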

3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1)

Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
Figure 30 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.
Table 18 VPN Wizard: IKE Tunnel Setting
LABEL DESCRIPTION
Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords. Note that Aggressive Mode sends the peers’ identities and the hash derived from the pre-shared key without encryption, so a passive eavesdropper can attempt an offline guessing attack on the pre-shared key; use Main Mode whenever the remote gateway’s address is fixed, and a long random key in either case.
Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key, which is no longer considered adequate. Triple DES (3DES) is a variation on DES that uses a 168-bit key (about 112 bits of effective strength). As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES and is the preferred choice.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Key Group You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit MODP group. DH2 refers to Diffie-Hellman Group 2, a 1024-bit MODP group. DH2 is the stronger of the two and should be selected unless the remote gateway does not support it.
SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself. Because this key is the only long-term secret that authenticates the tunnel, generate it randomly and use the full length the field allows rather than a memorable word. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Back Click Back to return to the previous screen.
Next Click Next to continue.

3.6 VPN Wizard IPSec Setting (IKE Phase 2)

Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.
Figure 31 VPN Wizard: IPSec Setting
The following table describes the labels in this screen.
Table 19 VPN Wizard: IPSec Setting
LABEL DESCRIPTION
Encapsulation Mode Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
IPSec Protocol Select the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay). AH provides integrity and authentication only; it does not encrypt, and because its integrity check covers the IP header it does not work through NAT. ESP is the usual choice.
Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key, which is no longer considered adequate. Triple DES (3DES) is a variation on DES that uses a 168-bit key (about 112 bits of effective strength). As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES and is the preferred choice. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key; the tunnel is then authenticated but not confidential, and anyone on the path can read its payload.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds) Define the length of time before an IPSec SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secret (PFS) Perfect Forward Secret (PFS, usually called Perfect Forward Secrecy) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure: without PFS the phase 2 keys are derived from the phase 1 exchange, so an attacker who recovers the phase 1 keying material can derive them as well. Select DH1 or DH2 to enable PFS, which adds a fresh Diffie-Hellman exchange for each phase 2 SA. DH1 refers to Diffie-Hellman Group 1, a 768-bit MODP group. DH2 refers to Diffie-Hellman Group 2, a 1024-bit MODP group (more secure, yet slower).
Back Click Back to return to the previous screen.
Next Click Next to continue.
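To make the constraints in the IKE Tunnel Setting and IPSec Setting tables concrete, here is an added Python example (not ZyXEL code) that validates a pre-shared key against the wizard's rules, generates a key of the maximum accepted length from the operating system's CSPRNG, and audits a wizard configuration for the weak choices discussed in the two tables (Aggressive Mode, DES, MD5, DH1, NULL encryption, AH, Transport mode behind NAT, PFS disabled, an SA lifetime below 180 seconds). The configuration dictionary layout, the `behind_nat` flag, the sample configurations and the wording of the findings are this example's own, not ZyWALL fields.

```python
"""Added example (not ZyXEL code): check the VPN wizard's IKE phase 1 and
IPSec phase 2 choices. The `cfg` dictionary layout, the `behind_nat` flag
and the finding texts are this example's own assumptions."""
import re
import secrets
import string

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
MIN_SA_LIFETIME = 180           # seconds, the wizard's minimum
WEAK = {"DES", "MD5", "DH1"}    # offered by the wizard but inadequate today


def check_psk(psk):
    """Apply the Pre-Shared Key field rules: 8-31 ASCII characters, or "0x"
    followed by 16-62 hex digits (the prefix is not counted). Returns
    (ok, reason)."""
    if psk[:2].lower() == "0x":
        body = psk[2:]
        if not HEX_RE.match(body):
            return False, "hexadecimal key contains non-hex characters"
        if not 16 <= len(body) <= 62:
            return False, "hexadecimal key must be 16 to 62 hex characters"
        return True, "hexadecimal key"
    if not all(ord(c) < 128 for c in psk):
        return False, "ASCII key contains non-ASCII characters"
    if not 8 <= len(psk) <= 31:
        return False, "ASCII key must be 8 to 31 characters"
    return True, "ASCII key"


def generate_psk(hex_key=True):
    """Produce a key of the maximum length the field accepts, from the OS
    CSPRNG, so the tunnel does not rest on a guessable word."""
    if hex_key:
        return "0x" + secrets.token_hex(31).upper()      # 62 hex digits
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(31))


def audit(cfg):
    """Return (severity, message) findings for a wizard configuration.
    "error" means the wizard or the peer will reject the setting; "warn"
    means it works but is weaker than the wizard allows."""
    findings = []
    ok, why = check_psk(cfg["pre_shared_key"])
    if not ok:
        findings.append(("error", f"pre-shared key rejected: {why}"))
    if cfg["negotiation_mode"] == "Aggressive Mode":
        findings.append(("warn", "Aggressive Mode exposes identities and the "
                         "PSK-derived hash to offline guessing; prefer Main Mode"))
    for phase in ("phase1", "phase2"):
        p = cfg[phase]
        for field in ("encryption", "authentication", "key_group"):
            if p.get(field) in WEAK:
                findings.append(("warn", f"{phase}: {p[field]} is weak; "
                                 "prefer AES, SHA1 and DH2"))
        if p["sa_lifetime"] < MIN_SA_LIFETIME:
            findings.append(("error", f"{phase}: SA Life Time {p['sa_lifetime']} s "
                             f"is below the {MIN_SA_LIFETIME} s minimum"))
    p2 = cfg["phase2"]
    if p2["encryption"] == "NULL":
        findings.append(("warn", "phase2: NULL encryption gives integrity only"))
    if p2["protocol"] == "AH":
        findings.append(("warn", "phase2: AH does not encrypt and does not traverse NAT"))
    if p2["encapsulation"] == "Transport" and cfg.get("behind_nat"):
        findings.append(("error", "phase2: Transport mode is not compatible with NAT"))
    pfs = p2.get("pfs", "None")
    if pfs == "None":
        findings.append(("warn", "phase2: PFS disabled; phase 2 keys derive from phase 1"))
    elif pfs == "DH1":
        findings.append(("warn", "phase2: PFS with DH1 (768-bit) is weak; use DH2"))
    return findings


# Constructed sample configurations: the weakest and the strongest set of
# choices the wizard offers. Neither is taken from a real device.
WEAK_EXAMPLE = {
    "negotiation_mode": "Aggressive Mode",
    "pre_shared_key": "secret",
    "phase1": {"encryption": "DES", "authentication": "MD5",
               "key_group": "DH1", "sa_lifetime": 120},
    "phase2": {"encapsulation": "Transport", "protocol": "ESP",
               "encryption": "NULL", "authentication": "MD5",
               "sa_lifetime": 3600, "pfs": "None"},
    "behind_nat": True,
}
RECOMMENDED_EXAMPLE = {
    "negotiation_mode": "Main Mode",
    "pre_shared_key": generate_psk(),
    "phase1": {"encryption": "AES", "authentication": "SHA1",
               "key_group": "DH2", "sa_lifetime": 28800},
    "phase2": {"encapsulation": "Tunnel", "protocol": "ESP",
               "encryption": "AES", "authentication": "SHA1",
               "sa_lifetime": 3600, "pfs": "DH2"},
    "behind_nat": True,
}

if __name__ == "__main__":
    for severity, message in audit(WEAK_EXAMPLE):
        print(severity, message)
```

The audit deliberately treats an undersized lifetime and Transport mode behind NAT as errors, because the wizard rejects the former and the tunnel will not come up with the latter, while the algorithm choices are warnings: they interoperate, but the stronger option in the same drop-down costs nothing except a little CPU.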

3.7 VPN Wizard Status Summary

This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.
Figure 32 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 20 VPN Wizard: VPN Status
LABEL DESCRIPTION
Gateway Policy Property
Name This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL’s IP address in bridge mode.
Remote Gateway Address This is the IP address or the domain name used to identify the remote IPSec router.
Network Policy Property
Active This displays whether this VPN network policy is enabled or not.
Name This is the name of this VPN network policy.
Network Policy Setting
Local Network
Starting IP Address This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the local network is configured for a subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network
Starting IP Address This is a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask When the remote network is configured for a single IP address, this field is N/A. When the remote network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the remote network is configured for a subnet, this is a subnet mask on the network behind the remote IPSec router.
IKE Tunnel Setting (IKE Phase 1)
Negotiation Mode This shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm This is the method of data encryption. Options can be DES, 3DES or AES.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
Key Group This is the key group you chose for phase 1 IKE setup.
SA Life Time (Seconds) This is the length of time before an IKE SA automatically renegotiates.
Pre-Shared Key This is a pre-shared key identifying a communicating party during a phase 1 IKE negotiation.
IPSec Setting (IKE Phase 2)
Encapsulation Mode This shows Tunnel mode or Transport mode.
IPSec Protocol ESP or AH are the security protocols used for an SA.
Encryption Algorithm This is the method of data encryption. Options can be DES, 3DES, AES or NULL.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
SA Life Time (Seconds) This is the length of time before an IKE SA automatically renegotiates.
Perfect Forward Secret (PFS) Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. Otherwise, DH1 or DH2 are selected to enable PFS.
Back Click Back to return to the previous screen.
Finish Click Finish to complete and save the wizard setup.

3.8 VPN Wizard Setup Complete

Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule.
Figure 33 VPN Wizard Setup Complete
CHAPTER 4

Tutorial

This chapter describes how to apply security settings to VPN traffic and how to set up a 3G WAN connection.

4.1 Security Settings for VPN Traffic

The ZyWALL can apply the firewall and content filtering to the traffic going to or from the ZyWALL’s VPN tunnels. The ZyWALL applies the security settings to the traffic before encrypting VPN traffic that it sends out or after decrypting received VPN traffic.
" The security settings apply to VPN traffic going to or from the ZyWALL’s VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic).
You can turn on content filtering for all of the ZyWALL’s VPN traffic (regardless of its direction of travel). You can apply firewall security to VPN traffic based on its direction of travel. The following examples show how you do this for the firewall.

4.2 Firewall Rule for VPN Example

The firewall provides even more fine-tuned control for VPN tunnels. You can configure default and custom firewall rules for VPN packets.
Take the following example. You have a LAN FTP server with IP address 192.168.1.4 behind device A. You could configure a VPN rule to allow the network behind device B to access your LAN FTP server through a VPN tunnel. Now, if you don’t want other services like chat or e-mail going to the FTP server, you can configure firewall rules that allow only FTP traffic to come from VPN tunnels to the FTP server. Furthermore, you can configure the firewall rule so that only the network behind device B can access the FTP server through a VPN tunnel (not other remote networks that have VPN tunnels with the ZyWALL).
Figure 34 Firewall Rule for VPN

4.2.1 Configuring the VPN Rule

This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B.
1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon.
Figure 35 SECURITY > VPN > VPN Rules (IKE)
2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply.
Figure 36 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy
3 Click the Add Network Policy icon.
Figure 37 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example
4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers. This is due to the following reasons.
• While FTP uses a control session on port 20, the port for the data session is not fixed. So this example uses the firewall’s FTP application layer gateway (ALG) to handle this instead of specifying port numbers in this VPN network policy.
• The firewall provides better security because it operates at layer 4 and checks traffic sessions. The VPN network policy only operates at layer 3 and just checks IP addresses and port numbers.
Figure 38 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy

4.2.2 Configuring the Firewall Rules

Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions.
4.2.2.1 Firewall Rule to Allow Access Example
Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server.
1 Click Security > Firewall > Rule Summary.
2 Select VPN to LAN as the packet direction and click Insert.
Figure 39 SECURITY > FIREWALL > Rule Summary
3 Configure the rule as follows and click Apply. The source addresses are the VPN rule’s remote network and the destination address is the LAN FTP server.
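The policy this rule enforces is easier to reason about when the rule order and the match criteria are written out and exercised against sample traffic. The following is an added example, not ZyWALL code: it models the VPN to LAN rules the tutorial builds (permit FTP from device B's remote network to the LAN FTP server 192.168.1.4, drop everything else that arrives through a VPN tunnel) and runs a few constructed packets through them. The remote networks (192.168.2.0/24 behind device B, 192.168.3.0/24 behind another VPN peer) and the sample packets are assumptions made for this example; the firewall's FTP ALG, which follows the dynamic data ports, is not modelled.

```python
"""First-match firewall evaluation for the VPN to LAN direction.

Added example, not ZyWALL code. Models the tutorial's two rules and checks
them against constructed packets; remote networks are assumed values.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

FTP_SERVER = ip_address("192.168.1.4")            # LAN FTP server from the tutorial
DEVICE_B_NETWORK = ip_network("192.168.2.0/24")   # assumed: network behind device B
OTHER_VPN_NETWORK = ip_network("192.168.3.0/24")  # assumed: network behind another peer
FTP_PORTS = frozenset({20, 21})  # FTP's well-known ports; the ALG-tracked
                                 # dynamic data ports are not modelled here


@dataclass(frozen=True)
class Packet:
    direction: str   # interfaces crossed, e.g. "VPN to LAN"
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    src_nets: tuple[IPv4Network, ...]   # empty = any source
    dst_hosts: tuple[IPv4Address, ...]  # empty = any destination
    proto: str | None                   # None = any protocol
    dports: frozenset[int]              # empty = any destination port
    action: str                         # "permit" or "drop"

    def matches(self, pkt: Packet) -> bool:
        """True when every criterion the rule specifies matches the packet."""
        if pkt.direction != self.direction:
            return False
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if self.src_nets and not any(src in n for n in self.src_nets):
            return False
        if self.dst_hosts and dst not in self.dst_hosts:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


# Rule order matters: the first rule that matches decides, and the trailing
# catch-all enforces "only FTP, only from B" by dropping everything else.
VPN_TO_LAN_RULES = [
    Rule("VPN to LAN", (DEVICE_B_NETWORK,), (FTP_SERVER,), "tcp", FTP_PORTS, "permit"),
    Rule("VPN to LAN", (), (), None, frozenset(), "drop"),
]


def evaluate(pkt: Packet, rules=VPN_TO_LAN_RULES) -> str:
    """Action for a packet after decryption: first matching rule wins.
    A direction with no rules at all falls back to drop in this example."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


# Constructed traffic samples (source, destination, TCP destination port).
SAMPLES = {
    "ftp from B to server": Packet("VPN to LAN", "192.168.2.10", "192.168.1.4", "tcp", 21),
    "smtp from B to server": Packet("VPN to LAN", "192.168.2.10", "192.168.1.4", "tcp", 25),
    "ftp from other peer": Packet("VPN to LAN", "192.168.3.10", "192.168.1.4", "tcp", 21),
    "ftp from B to other LAN host": Packet("VPN to LAN", "192.168.2.10", "192.168.1.7", "tcp", 21),
}


def run_samples() -> dict[str, str]:
    """Evaluate every sample and return its action, keyed by sample name."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{action:6} {name}")
```

Only the first sample is permitted; mail from B, FTP from the other VPN peer, and FTP from B to any other LAN host all fall through to the catch-all drop, which is the behaviour the tutorial's rule set is meant to produce.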