ZyXEL 35 User Manual

ZyWALL 35
Internet Security Appliance

User’s Guide

Version 3.63
November 2004
ZyWALL 35 User’s Guide

Copyright

Copyright © 2004 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
Certifications
Go to www.zyxel.com
1 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
2 Select the certification you wish to view from this page.


ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
Safety Warnings
1 To reduce the risk of fire, use only No. 26 AWG or larger telephone wire.
2 Do not use this product near water, for example, in a wet basement or near a swimming pool.
3 Avoid using this product during an electrical storm. There may be a remote risk of electric shock from lightning.
Customer Support

Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

WORLDWIDE
Support e-mail: support@zyxel.com.tw
Sales e-mail: sales@zyxel.com.tw
Telephone: +886-3-578-3942
Fax: +886-3-578-2439
Web site: www.zyxel.com, www.europe.zyxel.com
FTP site: ftp.zyxel.com, ftp.europe.zyxel.com
Regular mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

NORTH AMERICA
Support e-mail: support@zyxel.com
Sales e-mail: sales@zyxel.com
Telephone: +1-800-255-4101, +1-714-632-0882
Fax: +1-714-632-0858
Web site: www.us.zyxel.com
FTP site: ftp.us.zyxel.com
Regular mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

GERMANY
Support e-mail: support@zyxel.de
Sales e-mail: sales@zyxel.de
Telephone: +49-2405-6909-0
Fax: +49-2405-6909-99
Web site: www.zyxel.de
Regular mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2, D-52146 Wuerselen, Germany

FRANCE
Support e-mail: info@zyxel.fr
Telephone: +33 (0)4 72 52 97 97
Fax: +33 (0)4 72 52 19 20
Web site: www.zyxel.fr
Regular mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

SPAIN
Support e-mail: support@zyxel.es
Sales e-mail: sales@zyxel.es
Telephone: +34 902 195 420
Fax: +34 913 005 345
Web site: www.zyxel.es
Regular mail: ZyXEL Communications, Alejandro Villegas 33, 1º, 28043 Madrid, Spain

DENMARK
Support e-mail: support@zyxel.dk
Sales e-mail: sales@zyxel.dk
Telephone: +45 39 55 07 00
Fax: +45 39 55 07 07
Web site: www.zyxel.dk
Regular mail: ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark

NORWAY
Support e-mail: support@zyxel.no
Sales e-mail: sales@zyxel.no
Telephone: +47 22 80 61 80
Fax: +47 22 80 61 81
Web site: www.zyxel.no
Regular mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

SWEDEN
Support e-mail: support@zyxel.se
Sales e-mail: sales@zyxel.se
Telephone: +46 31 744 7700
Fax: +46 31 744 7701
Web site: www.zyxel.se
Regular mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

FINLAND
Support e-mail: support@zyxel.fi
Sales e-mail: sales@zyxel.fi
Telephone: +358-9-4780-8411
Fax: +358-9-4780 8448
Web site: www.zyxel.fi
Regular mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

Note: “+” is the (prefix) number you enter to make an international telephone call.

Table of Contents

Copyright .................................................................................................................. 1
Federal Communications Commission (FCC) Interference Statement ............... 2
ZyXEL Limited Warranty.......................................................................................... 3
Customer Support.................................................................................................... 4
Preface .................................................................................................................... 45
Chapter 1
Getting to Know Your ZyWALL ............................................................................. 47
1.1 ZyWALL 35 Internet Security Appliance Overview .............................................47
1.2 ZyWALL Features ..............................................................................................47
1.2.1 Physical Features .....................................................................................48
1.2.1.1 Auto-negotiating 10/100 Mbps Ethernet LAN ..................................48
1.2.1.2 Auto-crossover 10/100 Mbps Ethernet LAN ....................................48
1.2.1.3 Auto-negotiating 10/100 Mbps Ethernet DMZ ................................48
1.2.1.4 Auto-crossover 10/100 Mbps Ethernet DMZ ...................................48
1.2.1.5 LAN/DMZ Interface .........................................................................48
1.2.1.6 Dual Auto-negotiating 10/100 Mbps Ethernet WAN .......................48
1.2.1.7 Dual Auto-crossover 10/100 Mbps Ethernet WAN ..........................48
1.2.1.8 Dial Backup WAN ...........................................................................49
1.2.1.9 Time and Date .................................................................................49
1.2.1.10 Reset Button .................................................................................49
1.2.1.11 Dual PCMCIA and CardBus Slot ..................................................49
1.2.1.12 IEEE 802.11 b/g Wireless LAN ......................................................49
1.2.2 Non-Physical Features .............................................................................49
1.2.2.1 Load Balancing ...............................................................................49
1.2.2.2 SIP Passthrough .............................................................................49
1.2.2.3 Transparent Firewall ........................................................................49
1.2.2.4 STP (Spanning Tree Protocol) / RSTP (Rapid STP) .......................50
1.2.2.5 Bandwidth Management ..................................................................50
1.2.2.6 IPSec VPN Capability ......................................................................50
1.2.2.7 X-Auth (Extended Authentication) ...................................................50
1.2.2.8 Certificates ......................................................................................50
1.2.2.9 SSH ................................................................................................50
1.2.2.10 HTTPS ..........................................................................................50
1.2.2.11 Firewall ..........................................................................................50
1.2.2.12 Content Filtering ............................................................................51
1.2.2.13 Universal Plug and Play (UPnP) ..................................................51
1.2.2.14 RADIUS (RFC2138, 2139) ............................................................51
1.2.2.15 IEEE 802.1x for Network Security .................................................51
1.2.2.16 Wi-Fi Protected Access .................................................................51
1.2.2.17 Wireless LAN MAC Address Filtering ...........................................51
1.2.2.18 WEP Encryption ............................................................................51
1.2.2.19 Packet Filtering .............................................................................51
1.2.2.20 Call Scheduling .............................................................................52
1.2.2.21 PPPoE ...........................................................................................52
1.2.2.22 PPTP Encapsulation .....................................................................52
1.2.2.23 Dynamic DNS Support ..................................................................52
1.2.2.24 IP Multicast ....................................................................................52
1.2.2.25 IP Alias ..........................................................................................52
1.2.2.26 IP Policy Routing ...........................................................................52
1.2.2.27 Central Network Management ......................................................53
1.2.2.28 SNMP ............................................................................................53
1.2.2.29 Network Address Translation (NAT) ..............................................53
1.2.2.30 Traffic Redirect ..............................................................................53
1.2.2.31 Port Forwarding .............................................................................53
1.2.2.32 DHCP (Dynamic Host Configuration Protocol) ..............................53
1.2.2.33 Full Network Management ............................................................54
1.2.2.34 RoadRunner Support ...................................................................54
1.2.2.35 Logging and Tracing ......................................................................54
1.2.2.36 Upgrade ZyWALL Firmware via LAN ............................................54
1.2.2.37 Embedded FTP and TFTP Servers ...............................................54
1.3 Applications for the ZyWALL ..............................................................................54
1.3.1 Secure Broadband Internet Access via Cable or DSL Modem .................54
1.3.2 VPN Application ........................................................................................55
Chapter 2
Introducing the Web Configurator........................................................................ 57
2.1 Web Configurator Overview ...............................................................................57
2.2 Accessing the ZyWALL Web Configurator .........................................................57
2.3 Resetting the ZyWALL .......................................................................................59
2.3.1 Procedure To Use The Reset Button ........................................................59
2.3.2 Uploading a Configuration File Via Console Port .....................................59
2.4 Navigating the ZyWALL Web Configurator ........................................................60
2.4.1 Router Mode .............................................................................................60
2.4.2 Bridge Mode .............................................................................................63
2.4.3 Navigation Panel .......................................................................................65
2.4.4 System Statistics .......................................................................................68
2.4.4.1 Show Statistics: Line Chart .............................................................69
2.4.5 DHCP Table Screen .................................................................................70
2.4.6 VPN Status ...............................................................................................71
Chapter 3
Wizard Setup .......................................................................................................... 73
3.1 Wizard Setup Overview ......................................................................................73
3.2 Internet Access .................................................................................................73
3.2.1 ISP Parameters ........................................................................................73
3.2.1.1 Ethernet ...........................................................................................73
3.2.1.2 PPPoE Encapsulation .....................................................................75
3.2.1.3 PPTP Encapsulation .......................................................................76
3.2.2 WAN and DNS ..........................................................................................78
3.2.2.1 WAN IP Address Assignment ..........................................................78
3.2.2.2 IP Address and Subnet Mask ..........................................................78
3.2.2.3 DNS Server Address Assignment ...................................................79
3.2.2.4 WAN MAC Address .........................................................................79
3.2.3 Internet Access Wizard Setup Complete ..................................................81
3.3 VPN Overview ....................................................................................................82
3.3.1 IPSec ........................................................................................................82
3.3.2 Security Association .................................................................................82
3.4 VPN Wizard ........................................................................................................82
3.4.1 My IP Address ..........................................................................................83
3.4.2 Secure Gateway Address .........................................................................83
3.4.2.1 Dynamic Secure Gateway Address ................................................83
3.4.3 Network Setting ........................................................................................85
3.4.4 IKE Phases ...............................................................................................86
3.4.4.1 Negotiation Mode ............................................................................87
3.4.4.2 Pre-Shared Key ...............................................................................87
3.4.4.3 Diffie-Hellman (DH) Key Groups .....................................................88
3.4.4.4 Perfect Forward Secrecy (PFS) .....................................................88
3.5 IPSec Algorithms ................................................................................................88
3.5.1 AH (Authentication Header) Protocol ........................................................88
3.5.2 ESP (Encapsulating Security Payload) Protocol ......................................88
3.5.3 IKE Tunnel Setting (IKE Phase 1) ............................................................90
3.5.4 IPSec Setting (IKE Phase 2) .....................................................................91
3.5.5 VPN Status Summary ...............................................................................92
3.5.6 VPN Wizard Setup Complete ...................................................................94
Chapter 4
LAN Screens........................................................................................................... 97
4.1 LAN Overview ....................................................................................................97
4.2 DHCP Setup .......................................................................................................97
4.2.1 IP Pool Setup ............................................................................................97
4.2.2 DNS Servers .............................................................................................97
4.3 LAN TCP/IP ........................................................................................................98
4.3.1 Factory LAN Defaults ................................................................................98
4.3.2 IP Address and Subnet Mask ...................................................................98
4.3.3 RIP Setup .................................................................................................98
4.3.4 Multicast ....................................................................................................99
4.4 Configuring LAN .................................................................................................99
4.5 Configuring Static DHCP ..................................................................................101
4.6 Configuring IP Alias ..........................................................................................102
4.7 Configuring Port Roles .....................................................................................104
Chapter 5
Bridge Screens..................................................................................................... 107
5.1 Bridge Loop ......................................................................................................107
5.2 Spanning Tree Protocol (STP) .........................................................................107
5.2.1 Rapid STP ..............................................................................................108
5.2.2 STP Terminology ....................................................................................108
5.2.3 How STP Works .....................................................................................108
5.2.4 STP Port States ......................................................................................109
5.3 Configuring Bridge ...........................................................................................109
5.4 Configuring Port Roles ..................................................................................... 111
Chapter 6
Wireless LAN and Authentication Server .......................................................... 113
6.1 Wireless LAN Overview ................................................................................... 113
6.1.1 Additional Installation Requirements for Using 802.1x ...........................113
6.2 Wireless LAN Basics ........................................................................................ 113
6.2.1 Channel .................................................................................................. 113
6.2.2 ESS ID .................................................................................................... 113
6.2.3 RTS/CTS ............................................................................................... 114
6.2.4 Fragmentation Threshold ........................................................................ 115
6.3 Wireless Security ............................................................................................. 115
6.4 Security Parameters Summary ........................................................................ 116
6.5 WEP Encryption .................................................................................................116
6.6 802.1x Overview .............................................................................................. 117
6.7 Dynamic WEP Key Exchange ..........................................................................117
6.8 Introduction to WPA .........................................................................................117
6.8.1 User Authentication ................................................................................117
6.8.2 Encryption ............................................................................................... 118
6.9 WPA-PSK Application Example .......................................................................118
6.10 WPA with RADIUS Application Example ........................................................119
6.11 Wireless Client WPA Supplicants ...................................................................120
6.12 Inserting a PCMCIA/CardBus Wireless LAN Card .........................................120
6.13 Configuring Wireless LAN ..............................................................................121
6.13.1 Static WEP ............................................................................................122
6.13.2 WPA-PSK .............................................................................................123
6.13.3 WPA ......................................................................................................125
6.13.4 802.1x + Dynamic WEP ........................................................................126
6.13.5 802.1x + Static WEP .............................................................................127
6.13.6 802.1x + No WEP .................................................................................129
6.13.7 No Access 802.1x + Static WEP ...........................................................130
6.13.8 No Access 802.1x + No WEP ...............................................................131
6.14 Configuring MAC Filter ...................................................................................131
6.15 Introduction to RADIUS ..................................................................................133
6.15.1 Types of RADIUS Messages ................................................................133
6.15.2 EAP Authentication Overview ...............................................................134
6.16 Introduction to Local User Database ..............................................................134
6.17 Authentication Server .....................................................................................135
6.18 Configuring Local User Database ..................................................................135
6.19 Configuring RADIUS ......................................................................................137
Chapter 7
WAN Screens........................................................................................................ 139
7.1 WAN Overview .................................................................................................139
7.2 Multiple WAN ....................................................................................................139
7.3 Load Balancing Introduction .............................................................................140
7.4 Load Balancing Algorithms ..............................................................................140
7.4.1 Least Load First ......................................................................................140
7.4.1.1 Example 1 .....................................................................................140
7.4.1.2 Example 2 .....................................................................................141
7.4.2 Weighted Round Robin ...........................................................................142
7.4.3 Spillover ..................................................................................................142
7.5 TCP/IP Priority (Metric) ....................................................................................143
7.6 Configuring General .........................................................................................143
7.7 Configuring Load Balancing .............................................................................146
7.7.1 Least Load First ......................................................................................146
7.7.2 Weighted Round Robin ...........................................................................147
7.7.3 Spillover ..................................................................................................148
7.8 Configuring WAN Setup ...................................................................................149
7.8.1 Ethernet Encapsulation ...........................................................................150
7.8.2 PPPoE Encapsulation .............................................................................152
7.8.3 PPTP Encapsulation ...............................................................................154
7.9 Traffic Redirect .................................................................................................156
7.10 Configuring Traffic Redirect ............................................................................157
7.11 Configuring Dial Backup .................................................................................158
7.12 Advanced Modem Setup ................................................................................162
7.12.1 AT Command Strings ............................................................................162
7.12.2 DTR Signal ...........................................................................................162
7.12.3 Response Strings ..................................................................................162
7.13 Configuring Advanced Modem Setup ............................................................162
Chapter 8
DMZ Screens ........................................................................................................ 165
8.1 DMZ Overview .................................................................................................165
8.2 Configuring DMZ ..............................................................................................165
8.3 Configuring IP Alias ..........................................................................................167
8.4 DMZ Public IP Address Example .....................................................................169
8.5 DMZ Private and Public IP Address Example ..................................................169
8.6 Configuring Port Roles .....................................................................................170
Chapter 9
Firewalls................................................................................................................ 173
9.1 Firewall Overview .............................................................................................173
9.2 Types of Firewalls ............................................................................................173
9.2.1 Packet Filtering Firewalls ........................................................................173
9.2.2 Application-level Firewalls ......................................................................173
9.2.3 Stateful Inspection Firewalls ...................................................................174
9.3 Introduction to ZyXEL’s Firewall .......................................................................174
9.4 Denial of Service ..............................................................................................175
9.4.1 Basics .....................................................................................................175
9.4.2 Types of DoS Attacks .............................................................................176
9.4.2.1 ICMP Vulnerability ........................................................................178
9.4.2.2 Illegal Commands (NetBIOS and SMTP) ......................................178
9.4.2.3 Traceroute .....................................................................................179
9.5 Stateful Inspection ............................................................................................179
9.5.1 Stateful Inspection Process ....................................................................180
9.5.2 Stateful Inspection and the ZyWALL .......................................................181
9.5.3 TCP Security ...........................................................................................181
9.5.4 UDP/ICMP Security ................................................................................182
9.5.5 Upper Layer Protocols ............................................................................182
9.6 Guidelines For Enhancing Security With Your Firewall ....................................183
9.7 Packet Filtering Vs Firewall ..............................................................................183
9.7.1 Packet Filtering: ......................................................................................183
9.7.1.1 When To Use Filtering ...................................................................183
9.7.2 Firewall ...................................................................................................184
9.7.2.1 When To Use The Firewall ............................................................184
Chapter 10
Firewall Screens................................................................................................... 185
10.1 Access Methods .............................................................................................185
10.2 Firewall Policies Overview .............................................................................185
10.3 Rule Logic Overview ......................................................................................186
10.3.1 Rule Checklist .......................................................................................186
10.3.2 Security Ramifications ..........................................................................187
10.3.3 Key Fields For Configuring Rules .........................................................187
10.3.3.1 Action ..........................................................................................187
10.3.3.2 Service ........................................................................................187
10.3.3.3 Source Address ...........................................................................187
10.3.3.4 Destination Address ....................................................................188
10.4 Connection Direction Examples .....................................................................188
10.4.1 LAN To WAN Rules ..............................................................................188
10.4.2 WAN To LAN Rules ..............................................................................188
10.5 Alerts ..............................................................................................................189
10.6 Configuring Firewall .......................................................................................189
10.6.1 Rule Summary ......................................................................................192
10.6.2 Configuring Firewall Rules ....................................................................193
10.6.3 Configuring Custom Services ...............................................................196
10.7 Example Firewall Rule ...................................................................................196
10.8 Predefined Services .......................................................................................200
10.9 Anti-Probing ...................................................................................................202
10.10 Configuring Attack Alert ...............................................................................203
10.10.1 Threshold Values ................................................................................204
10.10.2 Half-Open Sessions ............................................................................204
10.10.2.1 TCP Maximum Incomplete and Blocking Time .........................204
Chapter 11
Content Filtering Screens ...................................................................................207
11.1 Content Filtering Overview .............................................................................207
11.1.1 Restrict Web Features ..........................................................................207
11.1.2 Create a Filter List .................................................................................207
11.1.3 Customize Web Site Access ................................................................207
11.2 General Content Filter Configuration ..............................................................207
11.3 Content Filtering with an External Database ..................................................210
11.4 Categories and Registering ............................................................................210
11.5 Customization .................................................................................................217
11.6 Customizing Keyword Blocking URL Checking ..............................................220
11.6.1 Domain Name or IP Address URL Checking ........................................220
11.6.2 Full Path URL Checking ........................................................................220
11.6.3 File Name URL Checking .....................................................................220
Chapter 12
Content Filtering Registration and Reports....................................................... 221
12.1 Introduction to myZyXEL.com ........................................................................221
12.1.1 A Note on myZyXEL.com Numbers ......................................................222
12.2 myZyXEL.com Account Registration ..............................................................222
12.3 Registering Your ZyXEL Device .....................................................................224
12.4 Content Filtering Registration .........................................................................227
12.5 Checking Content Filtering Activation ............................................................229
12.6 Updating Product Registration Information ....................................................230
12.7 Viewing Content Filtering Reports ..................................................................230
12.8 Configuration File ...........................................................................................232
Chapter 13
Introduction to IPSec ........................................................................................... 233
13.1 VPN Overview ................................................................................................233
13.1.1 IPSec ....................................................................................................233
13.1.2 Security Association .............................................................................233
13.1.3 Other Terminology ................................................................................233
13.1.3.1 Encryption ...................................................................................233
13.1.3.2 Data Confidentiality .....................................................................234
13.1.3.3 Data Integrity ...............................................................................234
13.1.3.4 Data Origin Authentication ..........................................................234
13.1.4 VPN Applications ..................................................................................234
13.1.4.1 Linking Two or More Private Networks Together .........................234
13.1.4.2 Accessing Network Resources When NAT Is Enabled ...............234
13.1.4.3 Unsupported IP Applications .......................................................234
13.2 IPSec Architecture .........................................................................................234
13.2.1 IPSec Algorithms ..................................................................................235
13.2.2 Key Management ..................................................................................235
13.3 Encapsulation .................................................................................................235
13.3.1 Transport Mode ....................................................................................236
13.3.2 Tunnel Mode .........................................................................................236
13.4 IPSec and NAT ...............................................................................................236
Chapter 14
VPN Screens......................................................................................................... 239
14.1 VPN/IPSec Overview .....................................................................................239
14.2 IPSec Algorithms ............................................................................................239
14.2.1 AH (Authentication Header) Protocol ....................................................239
14.2.2 ESP (Encapsulating Security Payload) Protocol ..................................239
14.3 My IP Address ................................................................................................240
14.4 Secure Gateway Address ..............................................................................240
14.4.1 Dynamic Secure Gateway Address ......................................................241
14.5 Summary Screen ...........................................................................................241
14.6 Keep Alive ......................................................................................................243
14.7 NAT Traversal ................................................................................................243
14.7.1 NAT Traversal Configuration .................................................................244
14.7.2 X-Auth (Extended Authentication) ........................................................244
14.7.3 Remote DNS Server .............................................................................244
14.8 ID Type and Content ......................................................................................245
14.8.1 ID Type and Content Examples ............................................................246
14.9 Pre-Shared Key ..............................................................................................247
14.10 Editing VPN Policies ....................................................................................247
14.11 IKE Phases ...................................................................................................254
14.11.1 X-Auth and IKE ...................................................................................255
14.11.2 Negotiation Mode ................................................................................255
14.11.3 Diffie-Hellman (DH) Key Groups .........................................................255
14.11.4 Perfect Forward Secrecy (PFS) ..........................................................256
14.12 Configuring Advanced VPN Rule .................................................................256
14.13 Manual Key Setup ........................................................................................258
14.13.1 Security Parameter Index (SPI) ..........................................................258
14.14 Configuring Manual Key ...............................................................................259
14.15 Viewing SA Monitor ......................................................................................262
14.16 Configuring Global Setting ...........................................................................263
14.17 Telecommuter VPN/IPSec Examples ...........................................................264
14.17.1 Telecommuters Sharing One VPN Rule Example ..............................264
14.17.2 Telecommuters Using Unique VPN Rules Example ...........................264
14.18 VPN and Remote Management ...................................................................266
Chapter 15
Certificates............................................................................................................ 267
15.1 Certificates Overview .....................................................................................267
15.1.1 Advantages of Certificates ....................................................................268
15.2 Self-signed Certificates ..................................................................................268
15.3 Configuration Summary .................................................................................268
15.4 My Certificates ...............................................................................................268
15.5 Certificate File Formats ..................................................................................270
15.6 Importing a Certificate ....................................................................................271
15.7 Creating a Certificate .....................................................................................272
15.8 My Certificate Details .....................................................................................274
15.9 Trusted CAs ...................................................................................................277
15.10 Importing a Trusted CA’s Certificate .............................................................279
15.11 Trusted CA Certificate Details ......................................................................280
15.12 Trusted Remote Hosts .................................................................................283
15.13 Verifying a Trusted Remote Host’s Certificate ..............................................285
15.13.1 Trusted Remote Host Certificate Fingerprints .....................................285
15.14 Importing a Trusted Remote Host’s Certificate ............................................286
15.15 Trusted Remote Host Certificate Details ......................................................287
15.16 Directory Servers .........................................................................................290
15.17 Add or Edit a Directory Server .....................................................................291
Chapter 16
Network Address Translation (NAT) ................................................................... 293
16.1 NAT Overview ................................................................................................293
16.1.1 NAT Definitions .....................................................................................293
16.1.2 What NAT Does ....................................................................................294
16.1.3 How NAT Works ...................................................................................294
16.1.4 NAT Application ....................................................................................295
16.1.5 NAT Mapping Types .............................................................................295
16.2 Using NAT ......................................................................................................297
16.2.1 SUA (Single User Account) Versus NAT ..............................................297
16.3 Configuring NAT Overview .............................................................................297
16.4 Configuring Address Mapping ........................................................................299
16.4.1 Address Mapping Edit ...........................................................................301
16.5 Port Forwarding ..............................................................................................302
16.5.1 Default Server IP Address ....................................................................303
16.5.2 Port Forwarding: Services and Port Numbers ......................................303
16.5.3 Configuring Servers Behind Port Forwarding (Example) ......................303
16.5.4 NAT and Multiple WAN .........................................................................304
16.5.5 Port Translation ....................................................................................304
16.6 Configuring Port Forwarding .........................................................................305
16.7 Configuring Trigger Port .................................................................................307
Chapter 17
Static Route .......................................................................................................... 311
17.1 Static Route Overview ....................................................................................311
17.2 Configuring IP Static Route ............................................................................312
17.2.1 Configuring a Static Route Entry ...........................................................313
Chapter 18
Policy Route ......................................................................................................... 315
18.1 Introduction to IP Policy Routing ....................................................................315
18.2 Benefits ..........................................................................................................315
18.3 Routing Policy ................................................................................................315
18.4 IP Routing Policy Setup .................................................................................316
18.5 Configuring the IP Policy Route Entry ............................................................317
Chapter 19
Bandwidth Management...................................................................................... 321
19.1 Bandwidth Management Overview ................................................................321
19.2 Bandwidth Classes and Filters .......................................................................321
19.3 Proportional Bandwidth Allocation .................................................................322
19.4 Bandwidth Management Usage Examples ....................................................322
19.4.1 Application-based Bandwidth Management Example ..........................322
19.4.2 Subnet-based Bandwidth Management Example .................................322
19.4.3 Application and Subnet-based Bandwidth Management Example .......323
19.5 Scheduler .......................................................................................................323
19.5.1 Priority-based Scheduler ......................................................................324
19.5.2 Fairness-based Scheduler ....................................................................324
19.6 Maximize Bandwidth Usage ...........................................................................324
19.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic ........................324
19.6.2 Maximize Bandwidth Usage Example ..................................................325
19.7 Bandwidth Borrowing .....................................................................................326
19.7.1 Bandwidth Borrowing Example .............................................................326
19.7.2 Maximize Bandwidth Usage With Bandwidth Borrowing ......................327
19.8 Configuring Summary ....................................................................................328
19.9 Configuring Class Setup ................................................................................329
19.9.1 Bandwidth Manager Class Configuration .............................................330
19.9.2 Bandwidth Management Statistics ........................................................333
19.10 Configuring Monitor .....................................................................................334
Chapter 20
DNS........................................................................................................................ 337
20.1 DNS Overview ................................................................................................337
20.2 DNS Server Address Assignment ..................................................................337
20.3 DNS Servers ..................................................................................................337
20.4 Address Record .............................................................................................338
20.5 Name Server Record .....................................................................................338
20.5.1 Private DNS Server ..............................................................................338
20.6 The System Screen ........................................................................................339
20.6.1 Adding an Address Record ...................................................................341
20.6.2 Inserting a Name Server record ............................................................342
20.7 DNS Cache ....................................................................................................343
20.8 Configure DNS Cache ....................................................................................344
20.9 Configuring LAN DNS ....................................................................................345
20.10 Dynamic DNS ...............................................................................................346
20.10.1 DYNDNS Wildcard ..............................................................................347
20.10.2 High Availability ..................................................................................347
20.11 Configuring Dynamic DNS ...........................................................................347
Chapter 21
Remote Management ........................................................................................... 351
21.1 Remote Management Overview .....................................................................351
21.1.1 Remote Management Limitations .........................................................352
21.1.2 Remote Management and NAT ............................................................352
21.1.3 System Timeout ...................................................................................352
21.2 Introduction to HTTPS ....................................................................................352
21.3 Configuring WWW ..........................................................................................353
21.4 HTTPS Example ............................................................................................355
21.4.1 Internet Explorer Warning Messages ...................................................355
21.4.2 Netscape Navigator Warning Messages ...............................................356
21.4.3 Avoiding the Browser Warning Messages ............................................357
21.4.4 Login Screen .........................................................................................357
21.5 SSH Overview ...............................................................................................360
21.6 How SSH works .............................................................................................360
21.7 SSH Implementation on the ZyWALL .............................................................361
21.7.1 Requirements for Using SSH ................................................................362
21.8 Configuring SSH ............................................................................................362
21.9 Secure Telnet Using SSH Examples ..............................................................363
21.9.1 Example 1: Microsoft Windows .............................................................363
21.9.2 Example 2: Linux ..................................................................................363
21.10 Secure FTP Using SSH Example ................................................................364
21.11 Telnet ............................................................................................................365
21.12 Configuring TELNET ....................................................................................365
21.13 Configuring FTP ...........................................................................................366
21.14 Configuring SNMP .......................................................................................367
21.14.1 Supported MIBs .................................................................................369
21.14.2 SNMP Traps .......................................................................................369
21.14.3 REMOTE MANAGEMENT: SNMP ......................................................369
21.15 Configuring DNS ..........................................................................................371
21.16 Introducing Vantage CNM ............................................................................371
21.17 Configuring CNM ..........................................................................................372
Chapter 22
UPnP...................................................................................................................... 375
22.1 Universal Plug and Play Overview .................................................................375
22.1.1 How Do I Know If I'm Using UPnP? ......................................................375
22.1.2 NAT Traversal .......................................................................................375
22.1.3 Cautions with UPnP ..............................................................................375
22.2 UPnP and ZyXEL ...........................................................................................376
22.3 Configuring UPnP ..........................................................................................376
22.4 Displaying UPnP Port Mapping ......................................................................377
22.5 Installing UPnP in Windows Example ............................................................378
22.5.1 Installing UPnP in Windows Me ............................................................379
22.5.2 Installing UPnP in Windows XP ............................................................380
22.6 Using UPnP in Windows XP Example ...........................................................380
22.6.1 Auto-discover Your UPnP-enabled Network Device .............................381
22.6.2 Web Configurator Easy Access ............................................................382
Chapter 23
Logs Screens........................................................................................................ 385
23.1 Configuring View Log .....................................................................................385
23.2 Log Description Example ...............................................................................386
23.3 Configuring Log Settings ................................................................................387
23.4 Configuring Reports .......................................................................................390
23.4.1 Viewing Web Site Hits ...........................................................................392
23.4.2 Viewing Protocol/Port ...........................................................................392
23.4.3 Viewing LAN IP Address .......................................................................393
23.4.4 Reports Specifications ..........................................................................394
Chapter 24
Maintenance ......................................................................................................... 395
24.1 Maintenance Overview ...................................................................................395
24.2 General Setup ................................................................................................395
24.2.1 General Setup and System Name ........................................................395
24.2.2 Domain Name .......................................................................................395
24.3 Configuring Password ....................................................................................396
24.4 Pre-defined NTP Time Servers List ................................................................397
24.5 Configuring Time and Date ............................................................................398
24.5.1 Time Server Synchronization ................................................................400
24.6 Configuring Device Mode ...............................................................................401
24.7 F/W Upload Screen ........................................................................................404
24.8 Configuration Screen .....................................................................................406
24.8.1 Backup Configuration ...........................................................................406
24.8.2 Restore Configuration ..........................................................................407
24.8.3 Back to Factory Defaults .......................................................................408
24.9 Restart Screen ...............................................................................................408
Chapter 25
Introducing the SMT ............................................................................................ 411
25.1 Introduction to the SMT .................................................................................. 411
25.2 Accessing the SMT via the Console Port .......................................................411
25.2.1 Initial Screen .........................................................................................411
25.2.2 Entering the Password ..........................................................................412
25.3 Navigating the SMT Interface .........................................................................412
25.3.1 Main Menu ............................................................................................413
25.3.2 SMT Menus at a Glance .......................................................................415
25.4 Changing the System Password ....................................................................416
25.5 Resetting the ZyWALL ...................................................................................417
Chapter 26
SMT Menu 1 - General Setup............................................................................... 419
26.1 Introduction to General Setup ........................................................................419
26.2 Configuring General Setup .............................................................................419
26.2.1 Configuring Dynamic DNS ....................................................................421
26.2.1.1 Editing DDNS Host ......................................................................421
Chapter 27
WAN and Dial Backup Setup............................................................................... 425
27.1 Introduction to WAN and Dial Backup Setup ..................................................425
27.2 WAN Setup .....................................................................................................425
27.3 Dial Backup ....................................................................................................426
27.4 Configuring Dial Backup in Menu 2 ................................................................426
27.5 Advanced WAN Setup ....................................................................................428
27.6 Remote Node Profile (Backup ISP) ................................................................429
27.7 Editing PPP Options .......................................................................................431
27.8 Editing TCP/IP Options ..................................................................................431
27.9 Editing Login Script ........................................................................................433
27.10 Remote Node Filter ......................................................................................435
Chapter 28
LAN Setup............................................................................................................. 437
28.1 Introduction to LAN Setup ..............................................................................437
28.2 Accessing the LAN Menus .............................................................................437
28.3 LAN Port Filter Setup .....................................................................................437
28.4 TCP/IP and DHCP Ethernet Setup Menu ......................................................438
28.4.1 IP Alias Setup .......................................................................................440
28.5 Wireless LAN Setup .......................................................................................442
28.5.1 MAC Address Filter Setup ....................................................................443
Chapter 29
Internet Access .................................................................................................... 445
29.1 Introduction to Internet Access Setup ............................................................445
29.2 Ethernet Encapsulation ..................................................................................445
29.3 Configuring the PPTP Client ..........................................................................447
29.4 Configuring the PPPoE Client ........................................................................447
29.5 Basic Setup Complete ....................................................................................448
Chapter 30
DMZ Setup ............................................................................................................ 449
30.1 Configuring DMZ Setup ..................................................................................449
30.2 DMZ Port Filter Setup ....................................................................................449
30.3 TCP/IP Setup .................................................................................................449
30.3.1 IP Address ............................................................................................450
30.3.2 IP Alias Setup .......................................................................................450
Chapter 31
Route Setup .......................................................................................................... 453
31.1 Configuring Route Setup ................................................................................453
31.2 Route Assessment .........................................................................................453
31.3 Traffic Redirect ...............................................................................................454
31.4 Route Failover ................................................................................................455
Chapter 32
Remote Node Setup ............................................................................................. 457
32.1 Introduction to Remote Node Setup ...............................................................457
32.2 Remote Node Setup .......................................................................................457
32.3 Remote Node Profile Setup ...........................................................................457
32.3.1 Ethernet Encapsulation .........................................................................458
32.3.2 PPPoE Encapsulation ...........................................................................459
32.3.2.1 Outgoing Authentication Protocol ................................................460
32.3.2.2 Nailed-Up Connection .................................................................460
32.3.2.3 Metric ..........................................................................................460
32.3.3 PPTP Encapsulation .............................................................................461
32.4 Edit IP .............................................................................................................462
32.5 Remote Node Filter ........................................................................................464
Chapter 33
IP Static Route Setup........................................................................................... 467
33.1 IP Static Route Setup .....................................................................................467
Chapter 34
Network Address Translation (NAT) ................................................................... 469
34.1 Using NAT ......................................................................................................469
34.1.1 SUA (Single User Account) Versus NAT ..............................................469
34.1.2 Applying NAT ........................................................................................469
34.2 NAT Setup ......................................................................................................471
34.2.1 Address Mapping Sets ..........................................................................472
34.2.1.1 SUA Address Mapping Set .........................................................472
34.2.1.2 User-Defined Address Mapping Sets ..........................................473
34.2.1.3 Ordering Your Rules ....................................................................474
34.3 Configuring a Server behind NAT ..................................................................476
34.4 General NAT Examples ..................................................................................479
34.4.1 Internet Access Only .............................................................................479
34.4.2 Example 2: Internet Access with a Default Server ................................480
34.4.3 Example 3: Multiple Public IP Addresses With Inside Servers .............480
34.4.4 Example 4: NAT Unfriendly Application Programs ...............................484
34.5 Trigger Port Forwarding .................................................................................486
34.5.1 Two Points To Remember About Trigger Ports .....................................486
Chapter 35
Introducing the ZyWALL Firewall ....................................................................... 489
35.1 Using ZyWALL SMT Menus ...........................................................................489
35.1.1 Activating the Firewall ...........................................................................489
Chapter 36
Filter Configuration.............................................................................................. 491
36.1 Introduction to Filters ......................................................................................491
36.1.1 The Filter Structure of the ZyWALL ......................................................492
36.2 Configuring a Filter Set ..................................................................................494
36.2.1 Configuring a Filter Rule .......................................................................495
36.2.2 Configuring a TCP/IP Filter Rule ..........................................................496
36.2.3 Configuring a Generic Filter Rule .........................................................498
36.3 Example Filter ................................................................................................500
36.4 Filter Types and NAT ......................................................................................502
36.5 Firewall Versus Filters ....................................................................................502
36.6 Applying a Filter ............................................................................................503
36.6.1 Applying LAN Filters .............................................................................503
36.6.2 Applying DMZ Filters ............................................................................503
36.6.3 Applying Remote Node Filters ..............................................................504
Chapter 37
SNMP Configuration ............................................................................................ 505
37.1 SNMP Configuration ......................................................................................505
37.2 SNMP Traps ...................................................................................................506
Chapter 38
System Information & Diagnosis........................................................................ 507
38.1 Introduction to System Status ........................................................................507
38.2 System Status ................................................................................................507
38.3 System Information and Console Port Speed ................................................509
38.3.1 System Information ...............................................................................509
38.3.2 Console Port Speed ..............................................................................510
38.4 Log and Trace ................................................................................................511
38.4.1 Viewing Error Log ................................................................................. 511
38.4.2 UNIX Syslog .........................................................................................512
38.4.3 Call-Triggering Packet ..........................................................................515
38.5 Diagnostic ......................................................................................................515
38.5.1 WAN DHCP ..........................................................................................516
Chapter 39
Firmware and Configuration File Maintenance ................................................. 519
39.1 Introduction ....................................................................................................519
39.2 Filename Conventions ...................................................................................519
39.3 Backup Configuration .....................................................................................520
39.3.1 Backup Configuration ...........................................................................520
39.3.2 Using the FTP Command from the Command Line ..............................521
39.3.3 Example of FTP Commands from the Command Line .........................522
39.3.4 GUI-based FTP Clients .........................................................................522
39.3.5 File Maintenance Over WAN ................................................................522
39.3.6 Backup Configuration Using TFTP .......................................................523
39.3.7 TFTP Command Example ....................................................................523
39.3.8 GUI-based TFTP Clients ......................................................................524
39.3.9 Backup Via Console Port ......................................................................524
39.4 Restore Configuration ....................................................................................525
39.4.1 Restore Using FTP ...............................................................................526
39.4.2 Restore Using FTP Session Example ..................................................527
39.4.3 Restore Via Console Port .....................................................................527
39.5 Uploading Firmware and Configuration Files .................................................528
39.5.1 Firmware File Upload ............................................................................528
39.5.2 Configuration File Upload .....................................................................529
39.5.3 FTP File Upload Command from the DOS Prompt Example ................529
39.5.4 FTP Session Example of Firmware File Upload ...................................530
39.5.5 TFTP File Upload ..................................................................................530
39.5.6 TFTP Upload Command Example ........................................................531
39.5.7 Uploading Via Console Port ..................................................................531
39.5.8 Uploading Firmware File Via Console Port ...........................................531
39.5.9 Example Xmodem Firmware Upload Using HyperTerminal ..................532
39.5.10 Uploading Configuration File Via Console Port ..................................532
39.5.11 Example Xmodem Configuration Upload Using HyperTerminal .........533
Chapter 40
System Maintenance Menus 8 to 10................................................................... 535
40.1 Command Interpreter Mode ...........................................................................535
40.1.1 Command Syntax .................................................................................535
40.1.2 Command Usage ..................................................................................536
40.2 Call Control Support .......................................................................................537
40.2.1 Budget Management ............................................................................537
40.2.2 Call History ...........................................................................................538
40.3 Time and Date Setting ....................................................................................539
40.3.1 Resetting the Time ................................................................................542
Chapter 41
Remote Management ........................................................................................... 543
41.1 Remote Management .....................................................................................543
41.1.1 Remote Management Limitations .........................................................545
Chapter 42
IP Policy Routing.................................................................................................. 547
42.1 IP Routing Policy Summary ...........................................................................547
42.2 IP Routing Policy Setup .................................................................................548
42.2.1 Applying Policy to Packets ....................................................................550
42.3 IP Policy Routing Example .............................................................................551
Chapter 43
Call Scheduling .................................................................................................... 555
43.1 Introduction to Call Scheduling ......................................................................555
Chapter 44
VPN/IPSec Setup .................................................................................................. 559
44.1 Introduction ....................................................................................................559
44.2 IPSec Summary Screen .................................................................................560
44.3 IPSec Setup ...................................................................................................562
44.4 IKE Setup .......................................................................................................567
44.5 Manual Setup .................................................................................................569
44.5.1 Active Protocol ......................................................................................569
44.5.2 Security Parameter Index (SPI) ............................................................569
Chapter 45
SA Monitor ............................................................................................................ 573
45.1 Introduction ....................................................................................................573
45.2 Using SA Monitor ...........................................................................................573
Chapter 46
Troubleshooting ................................................................................................... 577
46.1 Problems Starting Up the ZyWALL .................................................................577
46.2 Problems with the LAN Interface ....................................................................577
46.3 Problems with the DMZ Interface ...................................................................578
46.4 Problems with the WAN Interface ..................................................................578
46.5 Problems with Internet Access .......................................................................579
46.6 Problems with the Password ..........................................................................579
46.7 Problems with Remote Management .............................................................579
Appendix A
Hardware Specifications .....................................................................................581
Appendix B
Setting up Your Computer’s IP Address............................................................ 585
Appendix C
IP Subnetting ........................................................................................................ 597
Appendix D
PPPoE ................................................................................................................... 605
Appendix E
PPTP......................................................................................................................607
Appendix F
Wireless LAN and IEEE 802.11 ...........................................................................611
Appendix G
Wireless LAN With IEEE 802.1x .......................................................................... 615
Appendix H
Types of EAP Authentication.............................................................................. 617
Appendix I
Triangle Route ...................................................................................................... 619
Appendix J
SIP Passthrough ................................................................................................. 623
Appendix K
VPN Setup............................................................................................................. 629
Appendix L
Importing Certificates .......................................................................................... 641
Appendix M
Command Interpreter........................................................................................... 653
Appendix N
Firewall Commands ............................................................................................. 655
Appendix O
NetBIOS Filter Commands .................................................................................. 661
Appendix P
Certificates Commands ....................................................................................... 665
Appendix Q
Brute-Force Password Guessing Protection..................................................... 669
Appendix R
Boot Commands ..................................................................................................671
Appendix S
Log Descriptions.................................................................................................. 673

List of Figures

Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ................................ 55
Figure 2 VPN Application .................................................................................................... 56
Figure 3 Change Password Screen .................................................................................... 58
Figure 4 Replace Certificate Screen ................................................................................... 58
Figure 5 Example Xmodem Upload .................................................................................... 60
Figure 6 Web Configurator HOME Screen in Router Mode ................................................ 61
Figure 7 Web Configurator HOME Screen in Bridge Mode ................................................ 64
Figure 8 Home : Show Statistics ......................................................................................... 69
Figure 9 Home : Show Statistics: Line Chart ....................................................................... 70
Figure 10 Home : DHCP Table ............................................................................................ 71
Figure 11 Home : VPN Status ............................................................................................. 72
Figure 12 ISP Parameters : Ethernet Encapsulation .......................................................... 74
Figure 13 ISP Parameters : PPPoE Encapsulation ............................................................ 76
Figure 14 ISP Parameters : PPTP Encapsulation ............................................................... 77
Figure 15 WAN and DNS .................................................................................................... 80
Figure 16 Internet Access Wizard Setup Complete ............................................................ 82
Figure 17 VPN Wizard : Gateway Setting ........................................................................... 84
Figure 18 VPN Wizard : Network Setting ............................................................................ 85
Figure 19 Two Phases to Set Up the IPSec SA .................................................................. 86
Figure 20 VPN Wizard : IKE Tunnel Setting ........................................................................ 90
Figure 21 VPN Wizard : IPSec Setting ................................................................................ 91
Figure 22 VPN Wizard : VPN Status ................................................................................... 93
Figure 23 VPN Wizard Setup Complete .............................................................................. 95
Figure 24 LAN ..................................................................................................................... 100
Figure 25 Static DHCP ........................................................................................................ 102
Figure 26 Physical Network & Partitioned Logical Networks .............................................. 103
Figure 27 IP Alias ................................................................................................................ 103
Figure 28 Port Roles ...........................................................................................................105
Figure 29 Port Roles Change Complete ............................................................................. 105
Figure 30 Bridge Loop: Bridge Connected to Wired LAN ................................................... 107
Figure 31 Bridge .................................................................................................................. 110
Figure 32 RTS Threshold .................................................................................................... 114
Figure 33 ZyWALL Wireless Security Levels ...................................................................... 115
Figure 34 WPA-PSK Authentication .................................................................................... 119
Figure 35 WPA with RADIUS Application Example ............................................................ 120
Figure 36 Wireless: No Security .......................................................................................... 121
Figure 37 Wireless: Static WEP .......................................................................................... 123
Figure 38 Wireless: WPA-PSK ............................................................................................ 124
Figure 39 Wireless: WPA .................................................................................................... 125
Figure 40 Wireless: 802.1x + Dynamic WEP ...................................................................... 126
Figure 41 Wireless: 802.1x + Static WEP ........................................................................... 128
Figure 42 Wireless: 802.1x + No WEP ............................................................................... 129
Figure 43 Wireless: No Access 802.1x + Static WEP ......................................................... 130
Figure 44 MAC Address Filter ............................................................................................. 132
Figure 45 EAP Authentication ............................................................................................. 134
Figure 46 Local User Database .......................................................................................... 136
Figure 47 RADIUS .............................................................................................................. 137
Figure 48 Least Load First Example .................................................................................. 141
Figure 49 Weighted Round Robin Algorithm Example ........................................................ 142
Figure 50 Spillover Algorithm Example ............................................................................... 143
Figure 51 General ............................................................................................................... 144
Figure 52 Load Balancing: Least Load First ....................................................................... 147
Figure 53 Load Balancing: Weighted Round Robin ............................................................ 148
Figure 54 Load Balancing: Spillover ................................................................................... 149
Figure 55 WAN: Ethernet Encapsulation ............................................................................. 150
Figure 56 WAN: PPPoE Encapsulation ............................................................................... 153
Figure 57 WAN: PPTP Encapsulation ................................................................................. 155
Figure 58 Traffic Redirect WAN Setup ................................................................................ 157
Figure 59 Traffic Redirect LAN Setup ................................................................................. 157
Figure 60 Traffic Redirect .................................................................................................... 158
Figure 61 Dial Backup Setup .............................................................................................. 159
Figure 62 Advanced Setup .................................................................................................. 163
Figure 63 DMZ .................................................................................................................... 166
Figure 64 IP Alias ................................................................................................................ 168
Figure 65 DMZ Public Address Example ............................................................................ 169
Figure 66 DMZ Private and Public Address Example ......................................................... 170
Figure 67 Port Roles ...........................................................................................................171
Figure 68 Port Roles Change Complete ............................................................................. 171
Figure 69 ZyWALL Firewall Application .............................................................................. 175
Figure 70 Three-Way Handshake ....................................................................................... 176
Figure 71 SYN Flood ........................................................................................................... 177
Figure 72 Smurf Attack ....................................................................................................... 178
Figure 73 Stateful Inspection ............................................................................................... 180
Figure 74 LAN to WAN Traffic ............................................................................................. 188
Figure 75 WAN to LAN Traffic ............................................................................................. 189
Figure 76 Default Rule (Router Mode) ................................................................................ 190
Figure 77 Default Rule (Bridge Mode) ................................................................................ 191
Figure 78 Rule Summary .................................................................................................... 192
Figure 79 Creating/Editing A Firewall Rule ......................................................................... 194
Figure 80 Creating/Editing A Custom Service ..................................................................... 196
Figure 81 Rule Summary .................................................................................................... 197
Figure 82 Rule Edit Example .............................................................................................. 198
Figure 83 Edit Custom Service Example ............................................................................ 198
Figure 84 My Service Rule Configuration ........................................................................... 199
Figure 85 My Service Example Rule Summary .................................................................. 200
Figure 86 Anti-Probing ........................................................................................................ 203
Figure 87 Firewall Threshold ............................................................................................... 205
Figure 88 Content Filter : General ....................................................................................... 208
Figure 89 Content Filtering Lookup Procedure ................................................................... 210
Figure 90 Content Filter : Categories .................................................................................. 211
Figure 91 Content Filter : Customization ............................................................................. 218
Figure 92 myZyXEL.com Login Screen .............................................................................. 222
Figure 93 myZyXEL.com Account Registration .................................................................. 223
Figure 94 Account Registration Successful ........................................................................ 223
Figure 95 Account Confirmation E-Mail .............................................................................. 224
Figure 96 myZyXEL.com Account Activation ...................................................................... 224
Figure 97 Logged Into myZyXEL.com ................................................................................. 225
Figure 98 Product Registration ........................................................................................... 225
Figure 99 Add New Product ................................................................................................ 226
Figure 100 Product Survey ................................................................................................. 226
Figure 101 Service Management ........................................................................................ 227
Figure 102 myZyXEL.com: My Product .............................................................................. 227
Figure 103 myZyXEL.com: Service Management. .............................................................. 228
Figure 104 Service Registration ......................................................................................... 228
Figure 105 Service Registration: Successful ...................................................................... 229
Figure 106 Service Management: Service Registered ........................................................ 229
Figure 107 Cerberian Login Screen .................................................................................... 231
Figure 108 Content Filtering Reports Main Screen ............................................................. 231
Figure 109 Global Report Screen Example ........................................................................ 232
Figure 110 Requested URLs Example ................................................................................ 232
Figure 111 Encryption and Decryption ................................................................................ 234
Figure 112 IPSec Architecture ............................................................................................ 235
Figure 113 Transport and Tunnel Mode IPSec Encapsulation ............................................ 236
Figure 114 IPSec Summary Fields ...................................................................................... 241
Figure 115 VPN Rules ......................................................................................................... 242
Figure 116 NAT Router Between IPSec Routers ................................................................ 244
Figure 117 VPN Host using Intranet DNS Server Example ................................................ 245
Figure 118 Edit VPN Rule ................................................................................................... 248
Figure 119 Two Phases to Set Up the IPSec SA ................................................................ 254
Figure 120 Edit VPN Rule: Advanced ................................................................................. 256
Figure 121 VPN Manual Setup ........................................................................................... 259
Figure 122 SA Monitor ........................................................................................................ 262
27
Page 30
ZyWALL 35 User’s Guide
Figure 123 Global Setting ................................................................................................... 263
Figure 124 Telecommuters Sharing One VPN Rule Example ............................................. 264
Figure 125 Telecommuters Using Unique VPN Rules Example ......................................... 265
Figure 126 Certificate Configuration Overview ................................................................... 268
Figure 127 My Certificates .................................................................................................. 269
Figure 128 My Certificate Import ......................................................................................... 271
Figure 129 My Certificate Create ........................................................................................ 272
Figure 130 My Certificate Details ........................................................................................ 275
Figure 131 Trusted CAs ...................................................................................................... 278
Figure 132 Trusted CA Import ............................................................................................. 279
Figure 133 Trusted CA Details ............................................................................................ 281
Figure 134 Trusted Remote Hosts ...................................................................................... 284
Figure 135 Remote Host Certificates .................................................................................. 285
Figure 136 Certificate Details ............................................................................................. 286
Figure 137 Trusted Remote Host Import ............................................................................. 287
Figure 138 Trusted Remote Host Details ............................................................................ 288
Figure 139 Directory Servers .............................................................................................. 290
Figure 140 Directory Server Add ......................................................................................... 291
Figure 141 How NAT Works ................................................................................................ 295
Figure 142 NAT Application With IP Alias ........................................................................... 295
Figure 143 NAT Overview ................................................................................................... 298
Figure 144 Address Mapping .............................................................................................. 300
Figure 145 Address Mapping Edit ....................................................................................... 301
Figure 146 Multiple Servers Behind NAT Example ............................................................. 304
Figure 147 Port Translation Example .................................................................................. 305
Figure 148 Port Forwarding ................................................................................................ 306
Figure 149 Trigger Port Forwarding Process: Example ...................................................... 307
Figure 150 Port Triggering .................................................................................................. 308
Figure 151 Example of Static Routing Topology ................................................................. 311
Figure 152 IP Static Route .................................................................................................. 312
Figure 153 Edit IP Static Route ........................................................................................... 313
Figure 154 Policy Route Summary ..................................................................................... 316
Figure 155 Edit IP Policy Route .......................................................................................... 318
Figure 156 Application-based Bandwidth Management Example ....................................... 322
Figure 157 Subnet-based Bandwidth Management Example ............................................. 323
Figure 158 Application and Subnet-based Bandwidth Management Example ................... 323
Figure 159 Bandwidth Allotment Example .......................................................................... 325
Figure 160 Maximize Bandwidth Usage Example ............................................................... 326
Figure 161 Bandwidth Borrowing Example ......................................................................... 327
Figure 162 Bandwidth Manager: Summary ......................................................................... 328
Figure 163 Bandwidth Manager: Class Setup ..................................................................... 330
Figure 164 Bandwidth Manager: Edit Class ........................................................................ 331
Figure 165 Bandwidth Management Statistics .................................................................... 333
Figure 166 Bandwidth Manager Monitor ............................................................................ 334
Figure 167 Private DNS Server Example ............................................................................ 339
Figure 168 System .............................................................................................. 340
Figure 169 System: Add ...................................................................................................... 341
Figure 170 System: Insert ................................................................................................... 342
Figure 171 Cache ................................................................................................................ 344
Figure 172 LAN DNS .......................................................................................................... 345
Figure 173 DDNS ................................................................................................ 347
Figure 174 HTTPS Implementation ..................................................................................... 353
Figure 175 WWW ................................................................................................................ 354
Figure 176 Security Alert Dialog Box (Internet Explorer) .................................................... 355
Figure 177 Security Certificate 1 (Netscape) ...................................................................... 356
Figure 178 Security Certificate 2 (Netscape) ...................................................................... 356
Figure 179 Login Screen (Internet Explorer) ....................................................................... 358
Figure 180 Login Screen (Netscape) .................................................................................. 358
Figure 181 Replace Certificate ............................................................................................ 359
Figure 182 Device-specific Certificate ................................................................................. 359
Figure 183 Common ZyWALL Certificate ............................................................................ 360
Figure 184 SSH Communication Example .......................................................................... 360
Figure 185 How SSH Works ............................................................................................... 361
Figure 186 SSH ................................................................................................................... 362
Figure 187 SSH Example 1: Store Host Key ....................................................................... 363
Figure 188 SSH Example 2: Test ....................................................................................... 364
Figure 189 SSH Example 2: Log in ..................................................................................... 364
Figure 190 Secure FTP: Firmware Upload Example .......................................................... 365
Figure 191 Telnet Configuration on a TCP/IP Network ....................................................... 365
Figure 192 Telnet ................................................................................................................ 366
Figure 193 FTP ................................................................................................................... 367
Figure 194 SNMP Management Model ............................................................................... 368
Figure 195 SNMP ................................................................................................ 370
Figure 196 DNS .................................................................................................................. 371
Figure 197 CNM .................................................................................................................. 372
Figure 198 Configuring UPnP ............................................................................................. 376
Figure 199 UPnP Ports ....................................................................................................... 377
Figure 200 View Log ........................................................................................................... 386
Figure 201 Log Settings ...................................................................................................... 388
Figure 202 Reports ............................................................................................. 391
Figure 203 Web Site Hits Report Example ......................................................................... 392
Figure 204 Protocol/Port Report Example .......................................................................... 393
Figure 205 LAN IP Address Report Example ...................................................................... 394
Figure 206 General Setup ................................................................................................... 396
Figure 207 Password Setup ................................................................................................ 397
Figure 208 Time and Date ................................................................................................... 398
Figure 209 Synchronization in Process ............................................................................... 400
Figure 210 Synchronization is Successful .......................................................................... 401
Figure 211 Synchronization Fail .......................................................................................... 401
Figure 212 Device Mode (Router Mode) ............................................................................. 402
Figure 213 Device Mode (Bridge Mode) ............................................................................. 403
Figure 214 Firmware Upload ............................................................................................... 404
Figure 215 Firmware Upload In Process ............................................................................. 405
Figure 216 Network Temporarily Disconnected .................................................................. 405
Figure 217 Firmware Upload Error ...................................................................................... 405
Figure 218 Configuration ..................................................................................................... 406
Figure 219 Configuration Upload Successful ...................................................................... 407
Figure 220 Network Temporarily Disconnected .................................................................. 407
Figure 221 Configuration Upload Error ............................................................................... 408
Figure 222 Reset Warning Message ................................................................................... 408
Figure 223 Restart Screen .................................................................................................. 409
Figure 224 Initial Screen ..................................................................................................... 412
Figure 225 Password Screen ............................................................................................. 412
Figure 226 Main Menu (Router Mode) ................................................................................ 414
Figure 227 Main Menu (Bridge Mode) ................................................................................ 414
Figure 228 ZyWALL SMT Menu Overview Example ........................................................... 416
Figure 229 Menu 23: System Password ............................................................................. 417
Figure 230 Menu 1: General Setup (Router Mode) ............................................................. 419
Figure 231 Menu 1: General Setup (Bridge Mode) ............................................................. 420
Figure 232 Menu 1.1: Configure Dynamic DNS .................................................................. 421
Figure 233 Menu 1.1.1: DDNS Host Summary ................................................................... 422
Figure 234 Menu 1.1.1: DDNS Edit Host ............................................................................ 423
Figure 235 MAC Address Cloning in WAN Setup ............................................................... 425
Figure 236 Menu 2: Dial Backup Setup ............................................................................ 427
Figure 237 Menu 2.1: Advanced WAN Setup ..................................................................... 428
Figure 238 Menu 11.3: Remote Node Profile (Backup ISP) ............................................... 429
Figure 239 Menu 11.3.1: Remote Node PPP Options ........................................................ 431
Figure 240 Menu 11.3.2: Remote Node Network Layer Options ........................................ 432
Figure 241 Menu 11.3.3: Remote Node Script .................................................................... 435
Figure 242 Menu 11.3.4: Remote Node Filter ..................................................................... 436
Figure 243 Menu 3: LAN Setup ........................................................................................... 437
Figure 244 Menu 3.1: LAN Port Filter Setup ....................................................................... 438
Figure 245 Menu 3: TCP/IP and DHCP Setup ................................................................... 438
Figure 246 Menu 3.2: TCP/IP and DHCP Ethernet Setup .................................................. 439
Figure 247 Menu 3.2.1: IP Alias Setup ............................................................................... 441
Figure 248 Menu 3.5: Wireless LAN Setup ......................................................................... 442
Figure 249 Menu 3.5.1: WLAN MAC Address Filter ........................................................... 444
Figure 250 Menu 4: Internet Access Setup (Ethernet) ........................................................ 445
Figure 251 Internet Access Setup (PPTP) .......................................................................... 447
Figure 252 Internet Access Setup (PPPoE) ........................................................................ 448
Figure 253 Menu 5: DMZ Setup ......................................................................................... 449
Figure 254 Menu 5.1: DMZ Port Filter Setup ...................................................................... 449
Figure 255 Menu 5: TCP/IP Setup ...................................................................................... 450
Figure 256 Menu 5.2: TCP/IP Setup ................................................................................... 450
Figure 257 Menu 5.2.1: IP Alias Setup ............................................................................... 451
Figure 258 Menu 6: Route Setup ........................................................................................ 453
Figure 259 Menu 6.1: Route Assessment ........................................................................... 453
Figure 260 Menu 6.2: Traffic Redirect ................................................................................. 454
Figure 261 Menu 6.3: Route Failover .................................................................................. 455
Figure 262 Menu 11: Remote Node Setup .......................................................................... 457
Figure 263 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ........................... 458
Figure 264 Menu 11.1: Remote Node Profile for PPPoE Encapsulation ............................. 460
Figure 265 Menu 11.1: Remote Node Profile for PPTP Encapsulation ............................... 462
Figure 266 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation ..... 463
Figure 267 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) ............................. 465
Figure 268 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) ................ 465
Figure 269 Menu 12: IP Static Route Setup ....................................................................... 467
Figure 270 Menu 12.1: Edit IP Static Route ........................................................................ 468
Figure 271 Menu 4: Applying NAT for Internet Access ....................................................... 470
Figure 272 Menu 11.1.2: Applying NAT to the Remote Node ............................................. 470
Figure 273 Menu 15: NAT Setup ........................................................................................ 471
Figure 274 Menu 15.1: Address Mapping Sets ................................................................... 472
Figure 275 Menu 15.1.255: SUA Address Mapping Rules ................................................. 472
Figure 276 Menu 15.1.1: First Set ....................................................................................... 474
Figure 277 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ........................ 475
Figure 278 Menu 15.2: NAT Server Sets ............................................................................ 476
Figure 279 Menu 15.2.1.2: NAT Server Configuration ........................................................... 477
Figure 280 Menu 15.2: NAT Server Setup ......................................................................... 478
Figure 281 Server Behind NAT Example ............................................................................ 478
Figure 282 NAT Example 1 ................................................................................................. 479
Figure 283 Menu 4: Internet Access & NAT Example ......................................................... 479
Figure 284 NAT Example 2 ................................................................................................. 480
Figure 285 Menu 15.2.1: Specifying an Inside Server ........................................................ 480
Figure 286 NAT Example 3 ................................................................................................. 481
Figure 287 Example 3: Menu 11.1.2 ................................................................................... 482
Figure 288 Example 3: Menu 15.1.1.1 ................................................................................ 482
Figure 289 Example 3: Final Menu 15.1.1 .......................................................................... 483
Figure 290 Example 3: Menu 15.2.1 ................................................................................... 484
Figure 291 NAT Example 4 ................................................................................................. 484
Figure 292 Example 4: Menu 15.1.1.1: Address Mapping Rule .......................................... 485
Figure 293 Example 4: Menu 15.1.1: Address Mapping Rules ........................................... 485
Figure 294 Menu 15.3.1: Trigger Port Setup ....................................................................... 487
Figure 295 Menu 21: Filter and Firewall Setup ................................................................... 489
Figure 296 Menu 21.2: Firewall Setup ................................................................................ 490
Figure 297 Outgoing Packet Filtering Process .................................................................... 491
Figure 298 Filter Rule Process ............................................................................................ 493
Figure 299 Menu 21: Filter and Firewall Setup ................................................................... 494
Figure 300 Menu 21.1: Filter Set Configuration .................................................................. 494
Figure 301 Menu 21.1.1.1: TCP/IP Filter Rule .................................................................... 496
Figure 302 Executing an IP Filter ........................................................................................ 498
Figure 303 Menu 21.1.1.1: Generic Filter Rule ................................................................... 499
Figure 304 Telnet Filter Example ........................................................................................ 500
Figure 305 Example Filter: Menu 21.1.3.1 .......................................................................... 501
Figure 306 Example Filter Rules Summary: Menu 21.1.3 .................................................. 501
Figure 307 Protocol and Device Filter Sets ......................................................................... 502
Figure 308 Filtering LAN Traffic .......................................................................................... 503
Figure 309 Filtering DMZ Traffic .......................................................................................... 504
Figure 310 Filtering Remote Node Traffic ........................................................................... 504
Figure 311 Menu 22: SNMP Configuration ......................................................................... 505
Figure 312 Menu 24: System Maintenance ........................................................................ 507
Figure 313 Menu 24.1: System Maintenance: Status ........................................................ 508
Figure 314 Menu 24.2: System Information and Console Port Speed ................................ 509
Figure 315 Menu 24.2.1: System Maintenance: Information ............................................ 510
Figure 316 Menu 24.2.2: System Maintenance: Change Console Port Speed ................... 511
Figure 317 Menu 24.3: System Maintenance: Log and Trace ............................................ 511
Figure 318 Examples of Error and Information Messages .................................................. 512
Figure 319 Menu 24.3.2: System Maintenance: UNIX Syslog ............................................ 512
Figure 320 Call-Triggering Packet Example ........................................................................ 515
Figure 321 Menu 24.4: System Maintenance: Diagnostic ................................................... 516
Figure 322 WAN & LAN DHCP ........................................................................................... 516
Figure 323 Telnet into Menu 24.5 ........................................................................................ 521
Figure 324 FTP Session Example ...................................................................................... 522
Figure 325 System Maintenance: Backup Configuration .................................................... 524
Figure 326 System Maintenance: Starting Xmodem Download Screen ............................. 524
Figure 327 Backup Configuration Example ......................................................................... 525
Figure 328 Successful Backup Confirmation Screen .......................................................... 525
Figure 329 Telnet into Menu 24.6 ........................................................................................ 526
Figure 330 Restore Using FTP Session Example ............................................................... 527
Figure 331 System Maintenance: Restore Configuration ................................................... 527
Figure 332 System Maintenance: Starting Xmodem Download Screen ............................. 527
Figure 333 Restore Configuration Example ........................................................................ 528
Figure 334 Successful Restoration Confirmation Screen ................................................... 528
Figure 335 Telnet Into Menu 24.7.1: Upload System Firmware .......................................... 529
Figure 336 Telnet Into Menu 24.7.2: System Maintenance ................................................ 529
Figure 337 FTP Session Example of Firmware File Upload ............................................... 530
Figure 338 Menu 24.7.1 As Seen Using the Console Port ................................................. 532
Figure 339 Example Xmodem Upload ................................................................................ 532
Figure 340 Menu 24.7.2 As Seen Using the Console Port ................................................ 533
Figure 341 Example Xmodem Upload ................................................................................ 533
Figure 342 Command Mode in Menu 24 ............................................................................. 535
Figure 343 Valid Commands ............................................................................................... 536
Figure 344 Call Control ....................................................................................................... 537
Figure 345 Budget Management ......................................................................................... 538
Figure 346 Call History ........................................................................................ 539
Figure 347 Menu 24: System Maintenance ........................................................................ 540
Figure 348 Menu 24.10: System Maintenance: Time and Date Setting .............................. 540
Figure 349 Menu 24.11: Remote Management Control ....................................................... 544
Figure 350 Menu 25: Sample IP Routing Policy Summary ................................................. 547
Figure 351 Menu 25.1: IP Routing Policy Setup ................................................................. 549
Figure 352 Menu 25.1.1: IP Routing Policy Setup .............................................................. 550
Figure 353 Example of IP Policy Routing ............................................................................ 551
Figure 354 IP Routing Policy Example 1 ............................................................................. 552
Figure 355 IP Routing Policy Example 2 ............................................................................. 553
Figure 356 Schedule Setup ................................................................................................. 555
Figure 357 Schedule Set Setup .......................................................................................... 556
Figure 358 Applying Schedule Set(s) to a Remote Node (PPPoE) .................................... 557
Figure 359 Applying Schedule Set(s) to a Remote Node (PPTP) ....................................... 558
Figure 360 VPN SMT Menu Tree ........................................................................................ 559
Figure 361 Menu 27: VPN/IPSec Setup .............................................................................. 560
Figure 362 Menu 27.1: IPSec Summary ............................................................................. 560
Figure 363 Menu 27.1.1: IPSec Setup ................................................................................ 563
Figure 364 Menu 27.1.1.1: IKE Setup ................................................................................. 567
Figure 365 Menu 27.1.1.2: Manual Setup ........................................................................... 570
Figure 366 Menu 27.2: SA Monitor ..................................................................................... 574
Figure 367 Console/Dial Backup Port Pin Layout ............................................................... 582
Figure 368 Ethernet Cable Pin Assignments ...................................................................... 582
Figure 369 Windows 95/98/Me: Network: Configuration ..................................................... 586
Figure 370 Windows 95/98/Me: TCP/IP Properties: IP Address ......................................... 587
Figure 371 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ............................ 588
Figure 372 Windows XP: Start Menu .................................................................................. 589
Figure 373 Windows XP: Control Panel .............................................................................. 589
Figure 374 Windows XP: Control Panel: Network Connections: Properties ....................... 590
Figure 375 Windows XP: Local Area Connection Properties .............................................. 590
Figure 376 Windows XP: Advanced TCP/IP Settings ......................................................... 591
Figure 377 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 592
Figure 378 Macintosh OS 8/9: Apple Menu ........................................................................ 593
Figure 379 Macintosh OS 8/9: TCP/IP ................................................................................ 593
Figure 380 Macintosh OS X: Apple Menu ........................................................................... 594
Figure 381 Macintosh OS X: Network ................................................................................. 595
Figure 382 Single-Computer per Router Hardware Configuration ...................................... 606
Figure 383 ZyWALL as a PPPoE Client .............................................................................. 606
Figure 384 Transport PPP frames over Ethernet ............................................................... 607
Figure 385 PPTP Protocol Overview .................................................................................. 608
Figure 386 Example Message Exchange between Computer and an ANT ........................ 609
Figure 387 Peer-to-Peer Communication in an Ad-hoc Network ........................................ 612
Figure 388 ESS Provides Campus-Wide Coverage ........................................................... 613
Figure 389 Sequences for EAP MD5–Challenge Authentication ........................................ 616
Figure 390 Ideal Setup ........................................................................................................ 619
Figure 391 “Triangle Route” Problem .................................................................................. 620
Figure 392 IP Alias .............................................................................................................. 621
Figure 393 Gateways on the WAN Side .............................................................................. 621
Figure 394 SIP User Agent Server ...................................................................................... 624
Figure 395 SIP Proxy Server .............................................................................................. 625
Figure 396 SIP Redirect Server .......................................................................................... 626
Figure 397 ZyWALL SIP ALG ............................................................................................. 627
Figure 398 VPN Rules ........................................................................................................ 630
Figure 399 Headquarters VPN Rule Edit ............................................................................ 631
Figure 400 Branch Office VPN Rule Edit ............................................................................ 632
Figure 401 VPN Rule Configured ........................................................................................ 633
Figure 402 VPN Dial ........................................................................................................... 633
Figure 403 VPN Tunnel Established ................................................................................... 634
Figure 404 Menu 27: VPN/IPSec Setup .............................................................................. 634
Figure 405 Menu 27.1: IPSec Summary ............................................................................. 635
Figure 406 Headquarters Menu 27.1.1: IPSec Setup ......................................................... 635
Figure 407 Branch Office Menu 27.1.1: IPSec Setup ......................................................... 636
Figure 408 Menu 27.1.1.1: IKE Setup ................................................................................. 637
Figure 409 VPN Log Example ............................................................................................ 638
Figure 410 IKE/IPSec Debug Example .............................................................................. 639
Figure 411 Security Certificate ............................................................................................ 641
Figure 412 Login Screen ..................................................................................................... 642
Figure 413 Certificate General Information before Import ................................................... 642
Figure 414 Certificate Import Wizard 1 ............................................................................... 643
Figure 415 Certificate Import Wizard 2 ............................................................................... 643
Figure 416 Certificate Import Wizard 3 ............................................................................... 644
Figure 417 Root Certificate Store ........................................................................................ 644
Figure 418 Certificate General Information after Import ..................................................... 645
Figure 419 ZyWALL Trusted CA Screen ............................................................................. 646
Figure 420 CA Certificate Example ..................................................................................... 647
Figure 421 Personal Certificate Import Wizard 1 ................................................................ 648
Figure 422 Personal Certificate Import Wizard 2 ................................................................ 648
Figure 423 Personal Certificate Import Wizard 3 ................................................................ 649
Figure 424 Personal Certificate Import Wizard 4 ................................................................ 649
Figure 425 Personal Certificate Import Wizard 5 ................................................................ 650
Figure 426 Personal Certificate Import Wizard 6 ................................................................ 650
Figure 427 Access the ZyWALL Via HTTPS ....................................................................... 650
Figure 428 SSL Client Authentication ................................................................................. 651
Figure 429 ZyWALL Secure Login Screen .......................................................................... 651
Figure 430 Option to Enter Debug Mode ............................................................................ 671
Figure 431 Boot Module Commands .................................................................................. 672
Figure 432 Displaying Log Categories Example ................................................................. 687
Figure 433 Displaying Log Parameters Example ................................................................ 687

List of Tables

Table 1 Feature Specifications ........................................................................................... 47
Table 2 Web Configurator HOME Screen in Router Mode ................................................. 61
Table 3 Web Configurator HOME Screen in Bridge Mode ................................................. 64
Table 4 Feature Comparison .............................................................................................. 65
Table 5 Screens Summary ................................................................................................. 66
Table 6 Home : Show Statistics .......................................................................................... 69
Table 7 Home : Show Statistics: Line Chart ....................................................................... 70
Table 8 Home : DHCP Table .............................................................................................. 71
Table 9 Home : VPN Status ................................................................................................ 72
Table 10 ISP Parameters : Ethernet Encapsulation ........................................................... 74
Table 11 ISP Parameters : PPPoE Encapsulation ............................................................. 76
Table 12 ISP Parameters : PPTP Encapsulation ............................................................... 77
Table 13 Private IP Address Ranges ................................................................................. 78
Table 14 Example of Network Properties for LAN Servers with Fixed IP Addresses ......... 80
Table 15 WAN and DNS ..................................................................................................... 81
Table 16 VPN Wizard : Gateway Setting ............................................................................ 84
Table 17 VPN Wizard : Network Setting ............................................................................. 85
Table 18 ESP and AH ........................................................................................................ 89
Table 19 VPN Wizard : IKE Tunnel Setting ........................................................................ 90
Table 20 VPN Wizard : IPSec Setting ................................................................................ 92
Table 21 VPN Wizard : VPN Status .................................................................................... 93
Table 22 LAN ...................................................................................................................... 100
Table 23 Static DHCP ......................................................................................................... 102
Table 24 IP Alias ................................................................................................................ 104
Table 25 STP Path Costs ................................................................................................... 108
Table 26 STP Port States ................................................................................................... 109
Table 27 Bridge .................................................................................................................. 110
Table 28 Wireless Security Relational Matrix ..................................................................... 116
Table 29 Wireless: No Security .......................................................................................... 122
Table 30 Wireless: Static WEP ........................................................................................... 123
Table 31 Wireless: WPA-PSK ............................................................................................ 124
Table 32 Wireless: WPA ..................................................................................................... 125
Table 33 Wireless: 802.1x + Dynamic WEP ....................................................................... 127
Table 34 Wireless: 802.1x + Static WEP ............................................................................ 128
Table 35 Wireless: 802.1x + No WEP ................................................................................ 129
Table 36 Wireless: No Access 802.1x + Static WEP .......................................................... 130
Table 37 MAC Address Filter ............................................................................................. 132
Table 38 Local User Database ........................................................................................... 137
Table 39 RADIUS ............................................................................................................... 138
Table 40 Least Load First: Example 1 ................................................................................ 141
Table 41 Least Load First: Example 2 ................................................................................ 141
Table 42 General ................................................................................................................ 145
Table 43 Load Balancing: Least Load First ........................................................................ 147
Table 44 Load Balancing: Weighted Round Robin ............................................................. 148
Table 45 Load Balancing: Spillover .................................................................................... 149
Table 46 WAN: Ethernet Encapsulation ............................................................................. 150
Table 47 WAN: PPPoE Encapsulation ............................................................................... 154
Table 48 WAN: PPTP Encapsulation ................................................................................. 156
Table 49 Traffic Redirect .................................................................................................... 158
Table 50 Dial Backup Setup ............................................................................................... 160
Table 51 Advanced Setup .................................................................................................. 163
Table 52 DMZ ..................................................................................................................... 166
Table 53 IP Alias ................................................................................................................ 168
Table 54 Common IP Ports ................................................................................................ 175
Table 55 ICMP Commands That Trigger Alerts .................................................................. 178
Table 56 Legal NetBIOS Commands ................................................................................. 178
Table 57 Legal SMTP Commands ..................................................................................... 179
Table 58 Default Rule (Router Mode) ................................................................................. 190
Table 59 Default Rule (Bridge Mode) ................................................................................. 191
Table 60 Rule Summary ..................................................................................................... 192
Table 61 Creating/Editing A Firewall Rule .......................................................................... 195
Table 62 Creating/Editing A Custom Service ..................................................................... 196
Table 63 Predefined Services ............................................................................................ 200
Table 64 Anti-Probing ......................................................................................................... 203
Table 65 Firewall Threshold ............................................................................................... 205
Table 66 Content Filter : General ....................................................................................... 208
Table 67 Content Filter : Categories ................................................................................... 211
Table 68 Content Filter : Customization ............................................................................. 218
Table 69 myZyXEL.com Numbers ...................................................................................... 222
Table 70 VPN and NAT ...................................................................................................... 237
Table 71 ESP and AH ........................................................................................................ 240
Table 72 VPN Rules ........................................................................................................... 242
Table 73 Local ID Type and Content Fields ....................................................................... 246
Table 74 Peer ID Type and Content Fields ........................................................................ 246
Table 75 Matching ID Type and Content Configuration Example ....................................... 247
Table 76 Mismatching ID Type and Content Configuration Example ................................. 247
Table 77 Edit VPN Rule ...................................................................................................... 249
Table 78 Edit VPN Rule: Advanced .................................................................................... 257
Table 79 VPN Manual Setup .............................................................................................. 259
Table 80 SA Monitor ........................................................................................................... 262
Table 81 Global Setting ...................................................................................................... 263
Table 82 Telecommuters Sharing One VPN Rule Example ............................................... 264
Table 83 Telecommuters Using Unique VPN Rules Example ............................................ 265
Table 84 My Certificates ..................................................................................................... 269
Table 85 My Certificate Import ........................................................................................... 272
Table 86 My Certificate Create ........................................................................................... 273
Table 87 My Certificate Details ........................................................................................... 276
Table 88 Trusted CAs ......................................................................................................... 278
Table 89 Trusted CA Import ............................................................................................... 280
Table 90 Trusted CA Details ............................................................................................... 281
Table 91 Trusted Remote Hosts ......................................................................................... 284
Table 92 Trusted Remote Host Import ............................................................................... 287
Table 93 Trusted Remote Host Details ............................................................................... 288
Table 94 Directory Servers ................................................................................................. 291
Table 95 Directory Server Add ........................................................................................... 292
Table 96 NAT Definitions .................................................................................................... 293
Table 97 NAT Mapping Types ............................................................................................ 296
Table 98 NAT Overview ...................................................................................................... 298
Table 99 Address Mapping ................................................................................................. 300
Table 100 Address Mapping Edit ....................................................................................... 302
Table 101 Services and Port Numbers ............................................................................... 303
Table 102 Port Forwarding ................................................................................................. 306
Table 103 Port Triggering ................................................................................................... 308
Table 104 IP Static Route ................................................................................................... 312
Table 105 Edit IP Static Route ............................................................................................ 313
Table 106 Policy Route Setup ............................................................................................ 317
Table 107 Edit IP Policy Route ........................................................................................... 318
Table 108 Application and Subnet-based Bandwidth Management Example .................... 323
Table 109 Bandwidth Manager: Summary ......................................................................... 328
Table 110 Bandwidth Manager: Class Setup ..................................................................... 330
Table 111 Bandwidth Manager: Edit Class ......................................................................... 331
Table 112 Services and Port Numbers ............................................................................... 333
Table 113 Bandwidth Management Statistics ..................................................................... 333
Table 114 Bandwidth Manager Monitor .............................................................................. 334
Table 115 System ............................................................................................................... 340
Table 116 System: Add ...................................................................................................... 341
Table 117 System: Insert .................................................................................................... 343
Table 118 Cache ................................................................................................................ 344
Table 119 LAN .................................................................................................................... 346
Table 120 DDNS ................................................................................................................ 348
Table 121 WWW ................................................................................................................ 354
Table 122 SSH ................................................................................................................... 362
Table 123 Telnet ................................................................................................................. 366
Table 124 FTP .................................................................................................................... 367
Table 125 SNMP Traps ...................................................................................................... 369
Table 126 SNMP ................................................................................................................ 370
Table 127 DNS ................................................................................................................... 371
Table 128 CNM .................................................................................................................. 372
Table 129 Configuring UPnP .............................................................................................. 376
Table 130 UPnP Ports ........................................................................................................ 378
Table 131 View Log ............................................................................................................ 386
Table 132 Example Log Description ................................................................................... 387
Table 133 Log Settings ....................................................................................................... 389
Table 134 Reports .............................................................................................................. 391
Table 135 Web Site Hits Report ......................................................................................... 392
Table 136 Protocol/Port Report .......................................................................................... 393
Table 137 LAN IP Address Report ..................................................................................... 394
Table 138 Report Specifications ......................................................................................... 394
Table 139 General Setup ................................................................................................... 396
Table 140 Password Setup ................................................................................................ 397
Table 141 Default Time Servers ......................................................................................... 397
Table 142 Time and Date ................................................................................................... 399
Table 143 Device Mode (Router Mode) ............................................................................. 402
Table 144 Device Mode (Bridge Mode) .............................................................................. 403
Table 145 Firmware Upload ............................................................................................... 404
Table 146 Restore Configuration ........................................................................................ 407
Table 147 Main Menu Commands ..................................................................................... 412
Table 148 Main Menu Summary ........................................................................................ 414
Table 149 Menu 1: General Setup (Router Mode) ............................................................. 419
Table 150 Menu 1: General Setup (Bridge Mode) .............................................................. 420
Table 151 Menu 1.1: Configure Dynamic DNS .................................................................. 421
Table 152 Menu 1.1.1: DDNS Host Summary .................................................................... 422
Table 153 Menu 1.1.1: DDNS Edit Host ............................................................................. 423
Table 154 MAC Address Cloning in WAN Setup ................................................................ 426
Table 155 Menu 2: Dial Backup Setup ............................................................................... 427
Table 156 Advanced WAN Port Setup: AT Commands Fields ........................................... 428
Table 157 Advanced WAN Port Setup: Call Control Parameters ....................................... 429
Table 158 Menu 11.3: Remote Node Profile (Backup ISP) ................................................ 430
Table 159 Menu 11.3.1: Remote Node PPP Options ......................................................... 431
Table 160 Menu 11.3.2: Remote Node Network Layer Options ......................................... 432
Table 161 Menu 11.3.3: Remote Node Script .................................................................... 435
Table 162 Menu 3.2: DHCP Ethernet Setup Fields ............................................................ 439
Table 163 Menu 3.2: LAN TCP/IP Setup Fields ................................................................. 439
Table 164 Menu 3.2.1: IP Alias Setup ................................................................................ 441
Table 165 Menu 3.5: Wireless LAN Setup ......................................................................... 443
Table 166 Menu 3.5.1: WLAN MAC Address Filter ............................................................ 444
Table 167 Menu 4: Internet Access Setup (Ethernet) ....................................................... 446
Table 168 New Fields in Menu 4 (PPTP) Screen ............................................................... 447
Table 169 New Fields in Menu 4 (PPPoE) Screen ............................................................. 448
Table 170 Menu 6.1: Route Assessment ........................................................................... 454
Table 171 Menu 6.2: Traffic Redirect ................................................................................. 454
Table 172 Menu 6.3: Route Failover .................................................................................. 455
Table 173 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ........................... 458
Table 174 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ....................................... 461
Table 175 Menu 11.1: Remote Node Profile for PPTP Encapsulation ............................... 462
Table 176 Remote Node Network Layer Options Menu Fields .......................................... 463
Table 177 Menu 12.1: Edit IP Static Route ......................................................................... 468
Table 178 Applying NAT in Menus 4 & 11.1.2 .................................................................... 471
Table 179 SUA Address Mapping Rules ............................................................................ 473
Table 180 Fields in Menu 15.1.1 ........................................................................................ 474
Table 181 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set ........................ 475
Table 182 15.2.1.2: NAT Server Configuration ................................................................... 477
Table 183 Menu 15.3: Trigger Port Setup .......................................................................... 487
Table 184 Abbreviations Used in the Filter Rules Summary Menu .................................... 495
Table 185 Rule Abbreviations Used ................................................................................... 495
Table 186 Menu 21.1.1.1: TCP/IP Filter Rule ..................................................................... 496
Table 187 Generic Filter Rule Menu Fields ........................................................................ 499
Table 188 SNMP Configuration Menu Fields ..................................................................... 505
Table 189 SNMP Traps ...................................................................................................... 506
Table 190 System Maintenance: Status Menu Fields ........................................................ 508
Table 191 Fields in System Maintenance: Information ....................................................... 510
Table 192 System Maintenance Menu Syslog Parameters ................................................ 512
Table 193 System Maintenance Menu Diagnostic ............................................................. 517
Table 194 Filename Conventions ....................................................................................... 520
Table 195 General Commands for GUI-based FTP Clients ............................................... 522
Table 196 General Commands for GUI-based TFTP Clients ............................................. 524
Table 197 Valid Commands ............................................................................................... 536
Table 198 Budget Management ......................................................................................... 538
Table 199 Call History ........................................................................................................ 539
Table 200 Menu 24.10 System Maintenance: Time and Date Setting ............................... 541
Table 201 Menu 24.11 – Remote Management Control ..................................................... 544
Table 202 Menu 25: Sample IP Routing Policy Summary .................................................. 547
Table 203 IP Routing Policy Setup ..................................................................................... 548
Table 204 Menu 25.1: IP Routing Policy Setup .................................................................. 549
Table 205 Menu 25.1.1: IP Routing Policy Setup ............................................................... 551
Table 206 Schedule Set Setup ........................................................................................... 556
Table 207 Menu 27.1: IPSec Summary .............................................................................. 561
Table 208 Menu 27.1.1: IPSec Setup ................................................................................. 563
Table 209 Menu 27.1.1.1: IKE Setup ................................................................................. 568
Table 210 Active Protocol: Encapsulation and Security Protocol ....................................... 569
Table 211 Menu 27.1.1.2: Manual Setup ............................................................................ 570
Table 212 Menu 27.2: SA Monitor ...................................................................................... 574
Table 213 Troubleshooting the Start-Up of Your ZyWALL .................................................. 577
Table 214 Troubleshooting the LAN Interface .................................................................... 577
Table 215 Troubleshooting the DMZ Interface ................................................................... 578
Table 216 Troubleshooting the WAN Interface ................................................................... 578
Table 217 Troubleshooting Internet Access ....................................................................... 579
Table 218 Troubleshooting the Password .......................................................................... 579
Table 219 Troubleshooting Telnet ...................................................................................... 579
Table 220 General Specifications ....................................................................................... 581
Table 221 Console/Dial Backup Port Pin Assignments ...................................................... 582
Table 222 North American AC Power Adaptor Specifications ............................................ 582
Table 223 European Union AC Power Adaptor Specifications ........................................... 583
Table 224 UK AC Power Adaptor Specifications ................................................................ 583
Table 225 Japan AC Power Adaptor Specifications ........................................................... 584
Table 226 Australia and New Zealand AC Power Adaptor Specification ........................... 584
Table 227 Classes of IP Addresses ................................................................................... 597
Table 228 Allowed IP Address Range By Class ................................................................. 598
Table 229 “Natural” Masks ................................................................................................ 598
Table 230 Alternative Subnet Mask Notation ..................................................................... 599
Table 231 Two Subnets Example ....................................................................................... 599
Table 232 Subnet 1 ............................................................................................ 600
Table 233 Subnet 2 ............................................................................................ 600
Table 234 Subnet 1 ............................................................................................ 601
Table 235 Subnet 2 ............................................................................................ 601
Table 236 Subnet 3 ............................................................................................ 601
Table 237 Subnet 4 ............................................................................................ 601
Table 238 Eight Subnets .................................................................................................... 602
Table 239 Class C Subnet Planning ................................................................................... 602
Table 240 Class B Subnet Planning ................................................................................... 603
Table 241 Comparison of EAP Authentication Types ......................................................... 618
Table 242 SIP Call Progression ......................................................................................... 623
Table 243 Firewall Commands ........................................................................................... 655
Table 244 NetBIOS Filter Default Settings ......................................................................... 662
Table 245 Certificates Commands ..................................................................................... 665
Table 246 Brute-Force Password Guessing Protection Commands .................................. 669
Table 247 System Maintenance Logs ................................................................................ 673
Table 248 System Error Logs ............................................................................................. 674
Table 249 Access Control Logs .......................................................................................... 674
Table 250 TCP Reset Logs ................................................................................................ 675
Table 251 Packet Filter Logs .............................................................................................. 675
Table 252 ICMP Logs ......................................................................................................... 675
Table 253 CDR Logs .......................................................................................................... 676
Table 254 PPP Logs ........................................................................................................... 676
Table 255 UPnP Logs ........................................................................................................ 677
Table 256 Content Filtering Logs ....................................................................................... 677
Table 257 Attack Logs ........................................................................................................ 678
Table 258 IPSec Logs ........................................................................................................ 679
Table 259 IKE Logs ............................................................................................ 679
Table 260 PKI Logs ............................................................................................ 682
Table 261 Certificate Path Verification Failure Reason Codes ........................................... 683
Table 262 802.1X Logs ...................................................................................................... 684
Table 263 ACL Setting Notes ............................................................................................. 685
Table 264 ICMP Notes ....................................................................................................... 685
Table 265 Syslog Logs ....................................................................................................... 686
Table 266 RFC-2408 ISAKMP Payload Types ................................................................... 686

Preface

Congratulations on your purchase of the ZyWALL 35.
Your ZyWALL is easy to install and configure.
Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
About This User's Guide
This manual is designed to guide you through the configuration of your ZyWALL for its various applications. The web configurator parts of this guide contain background information on features configurable by web configurator. The SMT parts of this guide contain background information solely on features not configurable by web configurator.
Note: Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your ZyWALL. Not all features can be configured through all interfaces.
Related Documentation
• Supporting Disk
Refer to the included CD for support documents.
• Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains a detailed easy-to-follow connection diagram, default settings, handy checklists and information on setting up your network and configuring for Internet access.
• Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary information.
• ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.
User Guide Feedback
Help us help you! E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are enclosed in square brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key and [SPACE BAR] means the Space Bar.
• Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
• For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for “that is” or “in other words” throughout this manual.
Graphics Icons Key
The icons used in the figures in this guide represent: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router and Wireless Signal.
Note: The following section offers some background information on DSL. Skip to Chapter 1 if you wish to begin working with your router right away.
CHAPTER 1

Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 ZyWALL 35 Internet Security Appliance Overview

The ZyWALL 35 is the ideal secure gateway for all data passing between the Internet and the LAN.
By integrating NAT, firewall, content filtering, certificates and VPN capability, ZyXEL’s ZyWALL is a complete security solution that protects your Intranet and efficiently manages data traffic on your network. Dual WAN ports, dial backup and traffic redirect enhance reliability. You can deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration.
The ZyWALL allows you to manage the bandwidth usage of your network's traffic. It also has two WAN interfaces and can balance the traffic load between them. You can control which IP addresses and applications get how much bandwidth. You can set priority for different types of traffic and/or IP addresses. You can also allot bandwidth to specific traffic types to guarantee delivery.
The PCMCIA/CardBus slot allows you to add an 802.11b/g-compliant wireless LAN. The ZyWALL offers highly secured wireless connectivity to your wired network with IEEE 802.1x, WEP data encryption, WPA (Wi-Fi Protected Access) and MAC address filtering. The ZyWALL increases network security by adding the option to change port roles from LAN to DMZ (De-Militarized Zone) for use with publicly accessible servers.
The embedded web configurator is easy to operate.

1.2 ZyWALL Features

The following sections describe ZyWALL features.
Table 1 Feature Specifications
FEATURE SPECIFICATION
Number of Static Routes 50
Number of Policy Routes 48
Number of NAT Sessions 10,000
Number of Port Forwarding Rules 50
Number of Address Mapping Rules 50
Number of IPSec VPN Tunnels/Security Associations 35

1.2.1 Physical Features

1.2.1.1 Auto-negotiating 10/100 Mbps Ethernet LAN
The LAN interface automatically detects if it’s on a 10 or a 100 Mbps Ethernet.
1.2.1.2 Auto-crossover 10/100 Mbps Ethernet LAN
The LAN interface automatically adjusts to either a crossover or straight-through Ethernet cable.
1.2.1.3 Auto-negotiating 10/100 Mbps Ethernet DMZ
Public servers (Web, FTP, etc.) attached to a DeMilitarized Zone (DMZ) port are visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death) and can also be accessed from the secure LAN.
1.2.1.4 Auto-crossover 10/100 Mbps Ethernet DMZ
The DMZ interface automatically adjusts to either a crossover or straight-through Ethernet cable.
1.2.1.5 LAN/DMZ Interface
The ZyWALL provides four LAN ports that can also function as virtual DMZ ports. You can configure the ports as LAN or DMZ ports by changing the port role settings in the LAN or DMZ screen through the Web configurator.
1.2.1.6 Dual Auto-negotiating 10/100 Mbps Ethernet WAN
The 10/100 Mbps Ethernet WAN ports attach to the Internet via broadband modem or router. You can use a second connection for load sharing to increase overall network throughput or as a backup to enhance network reliability.
1.2.1.7 Dual Auto-crossover 10/100 Mbps Ethernet WAN
The WAN interface automatically adjusts to either a crossover or straight-through Ethernet cable.
1.2.1.8 Dial Backup WAN
The dial backup port can be used in reserve as a traditional dial-up connection when the WAN 1, WAN 2 and traffic redirect connections all fail.
1.2.1.9 Time and Date
The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date.
1.2.1.10 Reset Button
Use the reset button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.
1.2.1.11 Dual PCMCIA and CardBus Slot
The dual PCMCIA and CardBus slot provides the option of a wireless LAN.
1.2.1.12 IEEE 802.11 b/g Wireless LAN
The optional wireless LAN card provides mobility and a fast network environment for small and home offices. Users can connect to the local area network without any wiring efforts and enjoy reliable high-speed connectivity.

1.2.2 Non-Physical Features

1.2.2.1 Load Balancing
The ZyWALL improves quality of service and maximizes bandwidth utilization by dividing traffic loads between the two WAN interfaces (or ports).
1.2.2.2 SIP Passthrough
The ZyWALL includes a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream.
1.2.2.3 Transparent Firewall
Transparent firewall is also known as a bridge firewall. The ZyWALL can act as a bridge and still have the capability of filtering and inspecting the packets between a router and the LAN, or between two routers. You do not need to make any other changes to your existing network. By deploying a ZyWALL in each segment, you can prevent a virus from spreading to the whole company network.
1.2.2.4 STP (Spanning Tree Protocol) / RSTP (Rapid STP)
When the ZyWALL is set to bridge mode, (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network.
1.2.2.5 Bandwidth Management
Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle real-time applications such as Voice-over-IP (VoIP).
1.2.2.6 IPSec VPN Capability
Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data encryption and the Internet to provide secure communications without the expense of leased site-to-site lines. The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
1.2.2.7 X-Auth (Extended Authentication)
X-Auth provides added security for VPN by requiring each VPN client to use a username and password.
1.2.2.8 Certificates
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
1.2.2.9 SSH
The ZyWALL uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
1.2.2.10 HTTPS
HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL, is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure web configurator access to the ZyWALL.
1.2.2.11 Firewall
The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyWALL firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
1.2.2.12 Content Filtering
The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The ZyWALL can block or allow access to web sites that you specify. The ZyWALL can also block access to web sites containing keywords that you specify. You can define time periods and days during which content filtering is enabled and include or exclude a range of users on the LAN from content filtering.
You can also subscribe to category-based content filtering that allows your ZyWALL to check web sites against an external database of dynamically updated ratings of millions of web sites.
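As an added illustration (not ZyXEL's code and not how the ZyWALL implements the feature), the following Python policy evaluator shows how the pieces of content filtering described above combine into one decision: a trusted and a forbidden site list, keyword matching on the requested URL, a schedule of days and hours, and a range of LAN addresses that is exempt from filtering. The host names, keyword, schedule and address range are made-up sample data, and the evaluation order (schedule, exemption, trusted list, forbidden list, keywords) is this example's own assumption.

```python
"""Added example: a small content filtering policy evaluator (not ZyXEL code)."""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress
from typing import List, Optional, Set
from urllib.parse import urlsplit


@dataclass
class ContentFilterPolicy:
    forbidden_hosts: Set[str] = field(default_factory=set)   # blocked sites
    trusted_hosts: Set[str] = field(default_factory=set)     # always allowed
    keywords: List[str] = field(default_factory=list)        # blocked if found in URL
    active_days: Set[int] = field(default_factory=lambda: set(range(7)))  # 0 = Monday
    start: time = time(0, 0)                                 # daily filtering window
    end: time = time(23, 59)
    exempt_range: Optional[ipaddress.IPv4Network] = None     # LAN clients not filtered

    def is_active(self, when: datetime) -> bool:
        """Filtering applies only on the configured days and within the time window."""
        return when.weekday() in self.active_days and self.start <= when.time() <= self.end

    @staticmethod
    def _matches_host(host: str, names: Set[str]) -> bool:
        # "badsite.example" also matches "www.badsite.example"
        return any(host == n or host.endswith("." + n) for n in names)

    def decide(self, client_ip: str, url: str, when: datetime) -> str:
        """Return 'allow...' or 'block...' with the reason for the decision."""
        if not self.is_active(when):
            return "allow: schedule inactive"
        if self.exempt_range and ipaddress.ip_address(client_ip) in self.exempt_range:
            return "allow: client exempt"
        host = (urlsplit(url).hostname or "").lower()
        if self._matches_host(host, self.trusted_hosts):
            return "allow: trusted site"          # assumption: trusted list wins
        if self._matches_host(host, self.forbidden_hosts):
            return "block: forbidden site"
        hit = next((k for k in self.keywords if k.lower() in url.lower()), None)
        if hit is not None:
            return f"block: keyword '{hit}'"
        return "allow"


def sample_policy() -> ContentFilterPolicy:
    """Constructed sample policy: office hours Monday to Friday, one exempt /28."""
    return ContentFilterPolicy(
        forbidden_hosts={"badsite.example"},
        trusted_hosts={"intranet.example"},
        keywords=["casino"],
        active_days={0, 1, 2, 3, 4},
        start=time(9, 0),
        end=time(17, 0),
        exempt_range=ipaddress.ip_network("192.168.1.240/28"),
    )


if __name__ == "__main__":
    policy = sample_policy()
    monday = datetime(2004, 11, 15, 10, 30)
    for ip, url in [("192.168.1.33", "http://www.badsite.example/"),
                    ("192.168.1.33", "http://shop.example/casino-night"),
                    ("192.168.1.241", "http://www.badsite.example/")]:
        print(ip, url, "->", policy.decide(ip, url, monday))
```

Putting the trusted list ahead of the forbidden list and the keyword scan is what lets an internal site whose URL happens to contain a blocked keyword stay reachable; if your deployment needs the opposite precedence, swap the two checks.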
1.2.2.13 Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the ZyWALL and other UPnP-enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.
1.2.2.14 RADIUS (RFC2138, 2139)
RADIUS (Remote Authentication Dial In User Service) server enables authentication, authorization and accounting for your wireless network.
1.2.2.15 IEEE 802.1x for Network Security
The ZyWALL supports the IEEE 802.1x standard that works with IEEE 802.11 to enhance user authentication. With the local user profile, the ZyWALL allows you to configure up to 32 user profiles without a network authentication server. In addition, centralized user and accounting management is possible on an optional network authentication server.
1.2.2.16 Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption.
1.2.2.17 Wireless LAN MAC Address Filtering
Your ZyWALL can check the MAC addresses of wireless stations against a list of allowed or denied MAC addresses.
1.2.2.18 WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private. WEP’s RC4-based encryption has well-known weaknesses and should not be relied on for confidentiality; use WPA (section 1.2.2.16) wherever your wireless clients support it.
1.2.2.19 Packet Filtering
The packet filtering mechanism blocks unwanted traffic from entering/leaving your network.
1.2.2.20 Call Scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
1.2.2.21 PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks via a familiar "dial-up networking" user interface.
1.2.2.22 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.
PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time.
1.2.2.23 Dynamic DNS Support
With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
1.2.2.24 IP Multicast
Deliver IP packets to a specific group of hosts using IP multicast. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC 2236); the ZyWALL supports both versions 1 and 2.
1.2.2.25 IP Alias
IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN and/or DMZ interfaces via its single physical Ethernet LAN and/or DMZ interface with the ZyWALL itself as the gateway for each network.
1.2.2.26 IP Policy Routing
IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding based on the policies defined by the network administrator.
1.2.2.27 Central Network Management
Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL. The enterprise or service provider network administrator can configure your ZyWALL, perform firmware upgrades and do troubleshooting for you.
1.2.2.28 SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1). SNMPv1 authenticates requests only by a community string that is sent in cleartext, so limit which management addresses may reach the SNMP service and do not leave the default community strings in place.
1.2.2.29 Network Address Translation (NAT)
Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
1.2.2.30 Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
1.2.2.31 Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
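As an added illustration (not ZyXEL's code and not the ZyWALL's implementation), the following Python model shows how the stateful firewall (section 1.2.2.11), NAT (section 1.2.2.29) and port forwarding (section 1.2.2.31) fit together. An outbound LAN packet creates a session entry and a translation from the private address and port to the public address and a new port; an inbound WAN packet is let through only if it is the reply to such a session or matches a port forwarding rule, and is otherwise dropped and logged. The LAN network, public address, remote hosts and the forwarding rule are constructed sample data.

```python
"""Added example: a toy stateful NAT firewall (not ZyXEL code)."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulNat:
    """LAN-initiated sessions are translated and their replies let back in;
    unsolicited WAN traffic is dropped unless a port forwarding rule claims it."""

    def __init__(self, lan_net: str, public_ip: str, first_port: int = 40000):
        self.lan_net = ipaddress.ip_network(lan_net)
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, lan ip, lan port, remote ip, remote port) -> translated source port
        self.sessions: Dict[Tuple, int] = {}
        # (proto, translated port, remote ip, remote port) -> (lan ip, lan port)
        self.reverse: Dict[Tuple, Tuple[str, int]] = {}
        # (proto, public port) -> (server ip, server port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.log: List[str] = []

    def add_port_forward(self, proto: str, public_port: int,
                         server_ip: str, server_port: int) -> None:
        self.forwards[(proto, public_port)] = (server_ip, server_port)

    def _is_lan(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.lan_net

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as forwarded (after translation), or None if dropped."""
        if self._is_lan(pkt.src):
            return pkt if self._is_lan(pkt.dst) else self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        tport = self.sessions.get(key)
        if tport is None:                         # new session: allocate a public port
            tport = self.next_port
            self.next_port += 1
            self.sessions[key] = tport
            self.reverse[(pkt.proto, tport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, tport, pkt.dst, pkt.dport, pkt.proto)

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.public_ip:
            self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: not ours")
            return None
        lan = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if lan is not None:                       # reply to a LAN-initiated session
            return Packet(pkt.src, pkt.sport, lan[0], lan[1], pkt.proto)
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:                       # explicitly published server
            return Packet(pkt.src, pkt.sport, fwd[0], fwd[1], pkt.proto)
        self.log.append(f"DROP unsolicited {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return None


def demo() -> dict:
    """Run the cases described in the text on constructed sample packets."""
    fw = StatefulNat("192.168.1.0/24", "203.0.113.5")     # sample public address
    fw.add_port_forward("tcp", 443, "192.168.1.10", 443)  # publish one LAN web server
    out = fw.handle(Packet("192.168.1.33", 51000, "198.51.100.10", 80))          # LAN -> WAN
    reply = fw.handle(Packet("198.51.100.10", 80, "203.0.113.5", out.sport))     # matching reply
    scan = fw.handle(Packet("198.51.100.10", 80, "203.0.113.5", out.sport + 1))  # unsolicited
    published = fw.handle(Packet("198.51.100.99", 5555, "203.0.113.5", 443))     # forwarded
    return {"out": out, "reply": reply, "scan": scan, "published": published, "log": fw.log}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the session key includes the remote address and port, so a reply is accepted only from the host the LAN client actually contacted; a port forwarding rule, by contrast, admits any remote host, which is why published servers belong on the DMZ rather than the LAN.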
1.2.2.32 DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol) allows the individual client computers to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyWALL has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client. The ZyWALL can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual DHCP server to the clients.
1.2.2.33 Full Network Management
The embedded web configurator is an all-platform web-based utility that allows you to easily access the ZyWALL’s management interface. Most functions of the ZyWALL are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. Telnet carries the login password in cleartext, so prefer SSH (section 1.2.2.9) or the console port over telnet for management sessions on untrusted networks.
1.2.2.34 RoadRunner Support
In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunner Service.
1.2.2.35 Logging and Tracing
• Built-in message logging and packet tracing.
• Unix syslog facility support.
• Firewall logs.
• Content filtering logs.
1.2.2.36 Upgrade ZyWALL Firmware via LAN
The firmware of the ZyWALL can be upgraded via the LAN.
1.2.2.37 Embedded FTP and TFTP Servers
The ZyWALL’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration file backups and restoration.

1.3 Applications for the ZyWALL

Here are some examples of what you can do with your ZyWALL.

1.3.1 Secure Broadband Internet Access via Cable or DSL Modem

You can connect a cable modem, DSL or wireless modem to the ZyWALL for broadband Internet access via Ethernet or wireless port on the modem. The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem

1.3.2 VPN Application

ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites.
Figure 2 VPN Application
CHAPTER 2

Introducing the Web Configurator

This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview

The embedded web configurator allows you to manage the ZyWALL from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled. It is recommended that you set your screen resolution to 1024 by 768 pixels. The screens you see in the web configurator may vary somewhat from the ones shown in this document due to differences between individual firmware versions.

2.2 Accessing the ZyWALL Web Configurator

1 Make sure your ZyWALL hardware is properly connected and prepare your computer/computer network to connect to the ZyWALL (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.1" as the URL.
4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Note: If you do not change the password, the following screen appears every time you log in.
Figure 3 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
Figure 4 Replace Certificate Screen
Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
7 You should now see the HOME screen (see Figure 6).
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.

2.3 Resetting the ZyWALL

If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously, and the speed of the console port will be reset to the default of 9600 bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will also be reset to 1234.

2.3.1 Procedure To Use The Reset Button

Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button. The SYS LED will begin to blink and flicker very quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyWALL is now restarting.
5 Release the RESET button and wait for the ZyWALL to finish restarting.

2.3.2 Uploading a Configuration File Via Console Port

1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
2 Turn off the ZyWALL, begin a terminal emulation software session and turn on the ZyWALL again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
3 Enter "y" at the prompt below to go into debug mode.
4 Enter "atlc" after the "Enter Debug Mode" message.
5 Wait for the "Starting XMODEM upload" message before activating Xmodem upload on your terminal. This is an example Xmodem configuration upload using HyperTerminal.
Figure 5 Example Xmodem Upload
Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.
6 After the configuration file upload succeeds, enter "atgo" to restart the ZyWALL.

2.4 Navigating the ZyWALL Web Configurator

The following summarizes how to navigate the web configurator from the HOME screen.
The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen.

2.4.1 Router Mode

The following screen displays when the ZyWALL is set to router mode. The ZyWALL is set to router mode by default.
Note: Follow the instructions you see in the HOME screen or click the help icon (located in the top right corner of most screens) to view online help.
Figure 6 Web Configurator HOME Screen in Router Mode
Use submenus to configure ZyWALL features.
Click LOGOUT at any time to exit the web configurator.
Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/firmware files. Maintenance includes General, Password, Time and Date, Device Mode, F/W (firmware) Upload, Configuration (Backup, Restore, Default), and Restart.
The following table describes the labels in this screen.
Table 2 Web Configurator HOME Screen in Router Mode
LABEL DESCRIPTION
Wizards for WAN1 Quick Setup
Internet Access: Click Internet Access to use the initial configuration wizard. This configures WAN1.
VPN Wizard: Click VPN Wizard to create VPN policies.
Device Information
System Name: This is the System Name you enter in the MAINTENANCE General screen. It is for identification purposes.
Firmware Version: This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
Routing Protocol: This shows the routing protocol (IP) for which the ZyWALL is configured. This field is not configurable.
Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge.
Firewall: This displays whether or not the ZyWALL's firewall is activated.
System Time: This field displays your ZyWALL's present date and time.
Memory: The first number shows how many kilobytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in kilobytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions: The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
Policy Routes: The first number shows how many policy routes you have configured. The second number shows the maximum number of policy routes that you can configure on the ZyWALL. The bar displays what percent of the ZyWALL's possible policy routes are configured. The bar turns from green to red when the maximum is being approached.
Network Status: Click "+" to expand or "-" to collapse the LAN and DMZ IP alias drop-down lists.
Interface: This is the port type. Port types are: WAN1, WAN2, Dial, LAN, WLAN and DMZ.
Status: For the LAN and DMZ ports, this displays the port speed and duplex setting. For the WAN and Dial Backup ports, it displays the port speed and duplex setting if you're using Ethernet encapsulation, and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation. For the WLAN port, it displays Active when WLAN is enabled or Inactive when WLAN is disabled.
IP Address: This shows the port's IP address.
Subnet Mask: This shows the port's subnet mask.
DHCP: This shows the WAN port's DHCP role (Client or None) or the LAN port's DHCP role (Server, Relay or None).
Renew: If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port's dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP, PPPoE or dial backup connection.
Show Statistics: Click Show Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port, including WAN1, WAN2, Dial Backup, LAN, WLAN and DMZ.
Show DHCP Table: Click Show DHCP Table to show current DHCP client information.
VPN Status: Click VPN Status to display the active VPN connections.

2.4.2 Bridge Mode

The following screen displays when the ZyWALL is set to bridge mode. While in bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
The ZyWALL bridges traffic traveling between the ZyWALL's interfaces.
You can use the firewall in bridge mode (refer to the firewall chapters for details on configuring the firewall).
Figure 7 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels not previously discussed (see Table 2).
Table 3 Web Configurator HOME Screen in Bridge Mode
LABEL DESCRIPTION
Network Status
IP Address: This is the IP address of your ZyWALL in dotted decimal notation.
Subnet Mask: This is the IP subnet mask of the ZyWALL.
Gateway IP Address: This is the gateway IP address.
Rapid Spanning Tree Protocol: This shows whether RSTP (Rapid Spanning Tree Protocol) is active or not. The following labels or values relative to RSTP do not apply when RSTP is disabled.
Bridge Priority: This is the bridge priority of the ZyWALL.
Bridge Hello Time: This is the interval of BPDUs (Bridge Protocol Data Units) from the root bridge.
Bridge Max Age: This is the predefined interval that a bridge waits to get a Hello message (BPDU) from the root bridge.
Forward Delay: This is the forward delay interval.
Bridge Port: This is the port type. Port types are: WAN1, WAN2, LAN, WLAN and DMZ.
Port Status: For the WAN, LAN, and DMZ ports, this displays the port speed and duplex setting. For the WAN port, it displays Down when the link is not ready or has failed. For the WLAN port, it displays Active when WLAN is enabled or Inactive when WLAN is disabled.
RSTP Status: This is the RSTP status of the corresponding port.
RSTP Active: This shows whether or not RSTP is active on the corresponding port.
RSTP Priority: This is the RSTP priority of the corresponding port.
RSTP Path Cost: This is the cost of transmitting a frame from the root bridge to the corresponding port.
Show Statistics: Click Show Statistics to see bridge performance statistics such as the number of packets sent and number of packets received for each port, including WAN1, WAN2, LAN, DMZ and WLAN.

2.4.3 Navigation Panel

After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features.
The following table lists the features available for each mode.
Table 4 Feature Comparison
FEATURE                  BRIDGE MODE   ROUTER MODE
Internet Access Wizard                 O
VPN Wizard                             O
DHCP Table                             O
System Statistics        O             O
LAN                                    O
Bridge                   O
Wireless LAN             O             O
WAN                                    O
DMZ                                    O
Firewall                 O             O
Content Filter           O             O
VPN                                    O
Certificates             O             O
Authentication Server    O             O
NAT                                    O
Static Route                           O
Bandwidth Management     O             O
DNS                                    O
Remote Management        O             O
UPnP                                   O
Logs                     O             O
Maintenance              O             O
Table Key: An O in a mode's column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
The following table describes the sub-menus.
Table 5 Screens Summary
LINK / TAB: FUNCTION
HOME: This screen shows the ZyWALL's general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
LAN / LAN: Use this screen to configure LAN DHCP and TCP/IP settings.
LAN / Static DHCP: Use this screen to assign fixed IP addresses on the LAN.
LAN / IP Alias: Use this screen to partition your LAN interface into subnets.
LAN / Port Roles: Use this screen to change the LAN/DMZ port roles.
BRIDGE / Bridge: Use this screen to change the bridge settings on the ZyWALL.
WIRELESS LAN / Wireless: Use this screen to configure the wireless LAN settings and WLAN authentication/security settings.
WIRELESS LAN / MAC Filter: Use this screen to change MAC filter settings on the ZyWALL.
WAN / General: This screen allows you to configure load balancing, route priority and traffic redirect properties.
WAN / WAN1: Use this screen to configure the ZyWALL WAN1 port for Internet access.
WAN / WAN2: Use this screen to change your WAN2 port settings.
WAN / Traffic Redirect: Use this screen to configure your traffic redirect properties and parameters.
WAN / Dial Backup: Use this screen to configure the backup WAN dial-up connection.
DMZ / DMZ: Use this screen to configure your DMZ connection.
DMZ / IP Alias: Use this screen to partition your DMZ interface into subnets.
FIREWALL / Default Rule: Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule.
FIREWALL / Rule Summary: This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
FIREWALL / Anti-Probing: Use this screen to change your anti-probing settings.
FIREWALL / Threshold: Use this screen to configure the threshold for DoS attacks.
CONTENT FILTER / General: This screen allows you to enable content filtering and block certain web features.
CONTENT FILTER / Categories: Use this screen to select which categories of web pages to filter out, as well as to register for external database content filtering and view reports.
CONTENT FILTER / Customization: Use this screen to customize the content filter list.
VPN / VPN Rules: Use this screen to configure VPN connections and view the rule summary.
VPN / SA Monitor: Use this screen to display and manage active VPN connections.
VPN / Global Setting: Use this screen to allow NetBIOS packets through the VPN connections.
CERTIFICATES / My Certificates: Use this screen to view a summary list of certificates and manage certificates and certification requests.
CERTIFICATES / Trusted CAs: Use this screen to view and manage the list of the trusted CAs.
CERTIFICATES / Trusted Remote Hosts: Use this screen to view and manage the certificates belonging to the trusted remote hosts.
CERTIFICATES / Directory Servers: Use this screen to view and manage the list of the directory servers.
AUTH SERVER / Local User Database: Use this screen to configure the local user account(s) on the ZyWALL.
AUTH SERVER / RADIUS: Configure this screen to use an external server to authenticate wireless and/or VPN users.
NAT / NAT Overview: Use this screen to enable NAT.
NAT / Address Mapping: Use this screen to configure network address translation mapping rules.
NAT / Port Forwarding: Use this screen to configure servers behind the ZyWALL.
NAT / Port Triggering: Use this screen to change your ZyWALL's port triggering settings.
STATIC ROUTE / IP Static Route: Use this screen to configure IP static routes.
POLICY ROUTE / Policy Route Summary: Use this screen to view a summary list of all the policies and configure policies for use in IP policy routing.
BW MGMT / Summary: Use this screen to enable bandwidth management on an interface.
BW MGMT / Class Setup: Use this screen to set up the bandwidth classes.
BW MGMT / Monitor: Use this screen to view the ZyWALL's bandwidth usage and allotments.
DNS / System: Use this screen to configure the address and name server records.
DNS / Cache: Use this screen to configure the DNS resolution cache.
DNS / LAN: Use this screen to configure LAN DNS information.
DNS / DDNS: Use this screen to set up dynamic DNS.
REMOTE MGMT / WWW: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL.
REMOTE MGMT / SSH: Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
REMOTE MGMT / TELNET: Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL.
REMOTE MGMT / FTP: Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL.
REMOTE MGMT / SNMP: Use this screen to configure your ZyWALL's settings for Simple Network Management Protocol management.
REMOTE MGMT / DNS: Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyWALL.
UPnP / UPnP: Use this screen to enable UPnP on the ZyWALL.
UPnP / Ports: Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
LOGS / View Log: Use this screen to view the logs for the categories that you selected.
LOGS / Log Settings: Use this screen to change your ZyWALL's log settings.
LOGS / Reports: Use this screen to have the ZyWALL record and display the network usage reports.
MAINTENANCE / General: This screen contains administrative.
MAINTENANCE / Password: Use this screen to change your password.
MAINTENANCE / Time and Date: Use this screen to change your ZyWALL's time and date.
MAINTENANCE / Device Mode: Use this screen to configure and have your ZyWALL work as a router or a bridge.
MAINTENANCE / F/W Upload: Use this screen to upload firmware to your ZyWALL.
MAINTENANCE / Configuration: Use this screen to back up and restore the configuration or reset the factory defaults to your ZyWALL.
MAINTENANCE / Restart: This screen allows you to reboot the ZyWALL without turning the power off.
LOGOUT: Click this label to exit the web configurator.

2.4.4 System Statistics

Click Show Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. Also provided is "Up Time" and "poll interval(s)". The Poll Interval(s) field is configurable.
Figure 8 Home : Show Statistics
The following table describes the labels in this screen.
Table 6 Home : Show Statistics
LABEL DESCRIPTION
(icon): Click the icon to display the chart of throughput statistics.
Port: This is the WAN1, WAN2, Dial Backup, LAN, DMZ or WLAN port.
Status: This displays the port speed and duplex setting if you're using Ethernet encapsulation, and Down (line is down), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation.
TxPkts: This is the number of transmitted packets on this port.
RxPkts: This is the number of received packets on this port.
Tx B/s: This displays the transmission speed in bytes per second on this port.
Rx B/s: This displays the reception speed in bytes per second on this port.
Up Time: This is the total amount of time the line has been up.
System Up Time: This is the total time the ZyWALL has been on.
Poll Interval(s): Enter the time interval for refreshing statistics in this field.
Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop: Click Stop to stop refreshing statistics.
2.4.4.1 Show Statistics: Line Chart
Click the icon in the Show Statistics screen. The screen shows you the line chart of each port’s throughput statistics.
Figure 9 Home : Show Statistics: Line Chart
The following table describes the labels in this screen.
Table 7 Home : Show Statistics: Line Chart
LABEL DESCRIPTION
(icon): Click the icon to go back to the Show Statistics screen.
Port: Select the check box(es) to display the throughput statistics of the corresponding port(s).
B/s: Specify the direction of the traffic for which you want to show throughput statistics in this table. Select Tx to display transmitted traffic throughput statistics and the amount of traffic (in bytes). Select Rx to display received traffic throughput statistics and the amount of traffic (in bytes).
Time Range: Set the range of time (in minutes) over which to display the throughput.
Throughput Range: Set the range of the throughput (in B/s, KB/s or MB/s) to display.
Apply: Click Apply to save these settings back to the ZyWALL temporarily.

2.4.5 DHCP Table Screen

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.
Click Show DHCP Table in the HOME screen when the ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL’s DHCP server.
Figure 10 Home : DHCP Table
The following table describes the labels in this screen.
Table 8 Home : DHCP Table
LABEL DESCRIPTION
#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
MAC Address: The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve: Select this check box to have the ZyWALL always assign this IP address to this MAC address (and host name). You can select up to 8 entries in this table. After you click Apply, the MAC address and IP address also display in the LAN Static DHCP screen (where you can edit them).
Refresh: Click Refresh to reload the DHCP table.

2.4.6 VPN Status

Click VPN Status in the HOME screen when the ZyWALL is set to router mode. Read-only information here includes encapsulation mode and security protocol. The Poll Interval(s) field is configurable.
Figure 11 Home : VPN Status
The following table describes the labels in this screen.
Table 9 Home : VPN Status
LABEL DESCRIPTION
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Poll Interval(s): Enter the time interval for refreshing statistics in this field.
Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop: Click Stop to stop refreshing statistics.
CHAPTER 3

Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator. This chapter is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview

The web configurator's setup wizards help you configure WAN1 on the ZyWALL to access the Internet, and edit VPN policies and configure IKE settings to establish a VPN tunnel.

3.2 Internet Access

The first Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to your ISP checklist in the Quick Start Guide to know what to enter in each field. Leave a field blank if you don't have that information.

3.2.1 ISP Parameters

The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.
3.2.1.1 Ethernet
Choose Ethernet when the WAN port is used as a regular Ethernet.
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.
Figure 12 ISP Parameters : Ethernet Encapsulation
The following table describes the labels in this screen.
Table 10 ISP Parameters : Ethernet Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
Service Type: Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields are not applicable (N/A) for the Standard service type.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype Password: Type your password again for confirmation.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
Login Server (Telia Login only): Type the domain name of the Telia login server, for example login1.telia.com. Alternatively, click the right mouse button to copy and/or paste the IP address.
Relogin Every (min) (Telia Login only): The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins.
Next: Click Next to continue.
3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) draft standard specifying how a host personal computer interacts with a broadband modem (for example xDSL, cable, wireless, etc.) to achieve access to high-speed data networks. It preserves the existing Microsoft Dial-Up Networking experience and requires no new learning or procedures.
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for instance, Radius). For the user, PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
One of the benefits of PPPoE is the ability to let end users access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for specific users.
Operationally, PPPoE saves significant effort for both the subscriber and the ISP/carrier, as it requires no specific configuration of the broadband modem at the subscriber’s site.
By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
Refer to Appendix D PPPoE for more information on PPPoE.
Figure 13 ISP Parameters : PPPoE Encapsulation
The following table describes the labels in this screen.
Table 11 ISP Parameters : PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name: Type the name of your service provider.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype Password: Type your password again for confirmation.
Nailed-Up Connection: Select Nailed-Up Connection if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
Next: Click Next to continue.
3.2.1.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.
Refer to Appendix E PPTP for more information on PPTP.
Note: The ZyWALL supports one PPTP server connection at any given time.
Figure 14 ISP Parameters : PPTP Encapsulation
The following table describes the labels in this screen.
Table 12 ISP Parameters : PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list box.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the User Name above.
Retype Password: Type your password again for confirmation.
Nailed-Up Connection: Select Nailed-Up Connection if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Server IP Address: Type the IP address of the PPTP server.
Connection ID/Name: Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
Next: Click Next to continue.

3.2.2 WAN and DNS

The second wizard screen allows you to configure WAN IP address assignment, DNS server address assignment and the WAN MAC address.
3.2.2.1 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.
Table 13 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
3.2.2.2 IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the ZyWALL. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyWALL, but make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyWALL will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise.
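The address planning rules above, worked through in Python as an added example (not code from the ZyXEL guide): the helper derives the subnet mask from the network number, checks the network against the private ranges of Table 13, rejects a ZyWALL address that is the zero or 255 host or is already in use, and computes the fixed-IP ranges shown in Table 14. It assumes the automatic mask is the classful default and that the DHCP pool is 192.168.1.33 to 192.168.1.64; both are assumptions, not statements from the guide.

```python
import ipaddress

# The three blocks IANA reserved for private networks (the guide's Table 13).
PRIVATE_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def classful_mask(address):
    """Default subnet mask derived from the first octet (class A/B/C).

    Assumption: the ZyWALL's automatically computed mask is the classful
    default, which is what gives 192.168.1.0 its 254-address range.
    """
    first_octet = int(ipaddress.ip_address(address)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def plan_lan(network_number, zywall_ip, in_use=()):
    """Validate a LAN address plan as the wizard text describes it.

    The network number must have no host bits set and lie inside the private
    ranges; the ZyWALL's address must be on that network, must be neither the
    zero nor the 255 host, and must not already be used by another device.
    Returns the derived mask and usable host range, or raises ValueError.
    """
    mask = classful_mask(network_number)
    # strict=True rejects e.g. 192.168.1.5 as a network number (host bits set).
    network = ipaddress.ip_network(f"{network_number}/{mask}", strict=True)
    if not any(network.subnet_of(block) for block in PRIVATE_BLOCKS):
        raise ValueError(f"{network} is not within the IANA private address ranges")

    host = ipaddress.ip_address(zywall_ip)
    if host not in network:
        raise ValueError(f"{host} is not on network {network}")
    if host in (network.network_address, network.broadcast_address):
        raise ValueError(f"{host} uses a reserved host number (zero or 255)")
    if host in {ipaddress.ip_address(a) for a in in_use}:
        raise ValueError(f"{host} is already used by another device on the LAN")

    return {
        "network": str(network.network_address),
        "subnet_mask": str(network.netmask),
        "first_host": str(network.network_address + 1),
        "last_host": str(network.broadcast_address - 1),
        "usable_hosts": network.num_addresses - 2,
        "zywall_ip": str(host),
    }


def fixed_ip_ranges(network, gateway, pool_start, pool_size):
    """Address ranges left for LAN servers with fixed IPs: every host address
    in the network except the gateway (the ZyWALL LAN IP) and the DHCP pool.

    Assumption: pool_start/pool_size describe the ZyWALL's DHCP pool; the
    guide's Table 14 example implies a pool of 192.168.1.33 to 192.168.1.64.
    """
    net = ipaddress.ip_network(network, strict=True)
    pool_first = ipaddress.ip_address(pool_start)
    pool_last = pool_first + pool_size - 1
    if pool_first <= net.network_address or pool_last >= net.broadcast_address:
        raise ValueError("DHCP pool does not fit inside the network's host range")
    excluded = {pool_first + i for i in range(pool_size)}
    excluded.add(ipaddress.ip_address(gateway))

    ranges, start, previous = [], None, None
    for addr in net.hosts():
        if addr in excluded:
            if start is not None:
                ranges.append((str(start), str(previous)))
                start = None
            continue
        if start is None:
            start = addr
        previous = addr
    if start is not None:
        ranges.append((str(start), str(previous)))
    return ranges


if __name__ == "__main__":
    # Constructed sample: the guide's own 192.168.1.0 network, ZyWALL at .1,
    # one other device already at .10 (constructed value).
    print(plan_lan("192.168.1.0", "192.168.1.1", in_use=["192.168.1.10"]))
    print(fixed_ip_ranges("192.168.1.0/24", "192.168.1.1", "192.168.1.33", 32))
```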
3.2.2.3 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
The ZyWALL can get the DNS server addresses in the following ways.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL's WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see the Private DNS Server section in Chapter 20 DNS).
3.2.2.4 WAN MAC Address
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a different "rom" file.
Table 14 Example of Network Properties for LAN Servers with Fixed IP Addresses
Choose an IP address: 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254.
Subnet mask: 255.255.255.0
Gateway (or default route): 192.168.1.1 (ZyWALL LAN IP)
The second wizard screen varies according to the type of encapsulation that you selected in the previous wizard screen.
Figure 15 WAN and DNS
Note: ZyXEL recommends you clone the MAC address from a computer on your LAN even if your ISP does not require MAC address authentication.
The following table describes the labels in this screen.
Table 15 WAN and DNS
LABEL DESCRIPTION
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use fixed IP address: Select this option if the ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use fixed IP address.
My WAN IP Subnet Mask: Enter the IP subnet mask in this field if you selected Use fixed IP address. This field is available when you select Ethernet encapsulation in the previous wizard screen.
Remote IP Subnet Mask: Enter the gateway IP subnet mask (if your ISP gave you one) in this field if you selected Use fixed IP address. This field is not available when you select Ethernet encapsulation in the previous wizard screen.
Remote/Gateway IP Address: Enter the gateway IP address in this field if you selected Use fixed IP address.
System DNS Servers: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa, e.g., the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
First DNS Server / Second DNS Server / Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. Select None if you do not want to configure DNS servers. If you do not configure a system DNS server, you must use IP addresses when configuring VPN, DDNS and the time server.
WAN MAC Address: The MAC address field allows you to configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN.
Factory Default: Select this option to use the factory assigned default MAC address.
Spoof this Computer's MAC Address - IP Address: Select this option and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different rom file. It is advisable to clone the MAC address from a computer on your LAN even if your ISP does not presently require MAC address authentication.
Back: Click Back to return to the previous screen.
Finish: Click Finish to complete and save the wizard setup.

3.2.3 Internet Access Wizard Setup Complete

Well done! You have successfully set up your ZyWALL to operate on your network and access the Internet.
Figure 16 Internet Access Wizard Setup Complete

3.3 VPN Overview

A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

3.3.1 IPSec

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

3.3.2 Security Association

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use.

3.4 VPN Wizard

Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration.

3.4.1 My IP Address

My IP Address identifies the WAN IP address of the ZyWALL. You can enter the ZyWALL's static WAN IP address (if it has one) or leave the field set to 0.0.0.0. The ZyWALL has to rebuild the VPN tunnel if the My IP Address changes after setup.

3.4.2 Secure Gateway Address

Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway).
If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Secure Gateway Address field.
You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
3.4.2.1 Dynamic Secure Gateway Address
If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway’s address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network.
The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.
Click VPN Wizard in the HOME screen to open the screen shown below and perform a quick initial VPN configuration.
Figure 17 VPN Wizard : Gateway Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard : Gateway Setting
LABEL DESCRIPTION
My IP Address: Enter the WAN IP address of your ZyWALL or leave the field set to 0.0.0.0.
The following applies if the My IP Address field is configured as 0.0.0.0:
When the WAN port operation mode is set to Active/Passive, the ZyWALL uses the IP address (static or dynamic) of the WAN port that is in use.
When the WAN port operation mode is set to Active/Active, the ZyWALL uses the IP address (static or dynamic) of the primary (highest priority) WAN port to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up. If the corresponding WAN1 or WAN2 connection goes down, the ZyWALL uses the IP address of the other WAN port.
If both WAN connections go down, the ZyWALL uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect.
The VPN tunnel has to be rebuilt if this IP address changes.
Secure Gateway Address
IP Address: Select IP Address and enter the WAN IP address of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by its IP address.
Domain Name: Select Domain Name and enter the domain name of the remote IPSec router (secure gateway) in the field below to identify the remote IPSec router by a domain name.
Next: Click Next to continue.

3.4.3 Network Setting

Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Figure 18 VPN Wizard : Network Setting
The following table describes the labels in this screen.
Table 17 VPN Wizard : Network Setting
LABEL DESCRIPTION
Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address: When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/ Subnet Mask: When the Local Network field is configured to Single, this field is N/A. When the Local Network field is configured to Range IP, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address: When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/ Subnet Mask: When the Remote Network field is configured to Single, this field is N/A. When the Remote Network field is configured to Range IP, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.

3.4.4 IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.
Figure 19 Two Phases to Set Up the IPSec SA
In phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
In phase 2 you must:
• Choose which protocol to use (ESP or AH) for the IKE key exchange.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography – see the IKE Phases section. Select None (the default) to disable PFS.
• Choose Tunnel mode or Transport mode.
• Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The ZyWALL automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic.
3.4.4.1 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.
Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is that the faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication.
3.4.4.2 Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called pre-shared because you have to share it with another party before you can communicate with them over a secure connection.
3.4.4.3 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 – DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
3.4.4.4 Perfect Forward Secrecy (PFS)
Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-Hellman exchange is the trade-off for this extra security.
This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the ZyWALL. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
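The trade-off described above can be seen in a small model. The following Python is an added example, not ZyWALL or ZyXEL code: it runs a phase 1 exchange, derives one phase 2 SA key with and without PFS, and then checks what an attacker who later obtains the phase 1 root secret plus everything sent on the wire can recompute. The DH modulus is a toy 64-bit prime constructed for readability (not DH1 or DH2), and the derivation steps are a simplification of IKE rather than the exact RFC 2409 formulas.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group constructed for this example.  It is NOT the
# 768-bit (DH1) or 1024-bit (DH2) group the ZyWALL offers; a 64-bit modulus
# is trivially breakable and only keeps the arithmetic readable.
P = 2**64 - 59
G = 2


def dh_keypair():
    """Private exponent and public value for one side of a DH exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """The shared secret g^xy mod p, as bytes."""
    return pow(peer_pub, priv, P).to_bytes(8, "big")


def prf(key, data):
    """Keyed PRF; HMAC-SHA1 stands in for the negotiated IKE hash."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_root_secret(psk, nonce_i, nonce_r, g_xy):
    """Phase 1 result: a root secret bound to the pre-shared key and the
    phase 1 DH result (a simplification of IKE's SKEYID_d)."""
    return prf(prf(psk, nonce_i + nonce_r), g_xy)


def phase2_key(root, spi, nonce_i, nonce_r, pfs_shared=b""):
    """One IPSec SA key.  Without PFS only the root secret and values sent
    in clear (SPI, nonces) go in; with PFS a fresh DH result is mixed in."""
    return prf(root, pfs_shared + spi + nonce_i + nonce_r)


def run_exchange(psk, pfs):
    """Phase 1, then one phase 2 SA, then the compromise the text describes:
    the phase 1 root secret leaks together with everything sent on the wire
    (public DH values, SPI, nonces) but not either side's private exponent."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    root_i = phase1_root_secret(psk, ni, nr, dh_shared(xi, gr))
    root_r = phase1_root_secret(psk, ni, nr, dh_shared(xr, gi))
    assert root_i == root_r            # both gateways agree on phase 1

    spi = secrets.token_bytes(4)
    qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        yi, qgi = dh_keypair()         # fresh exchange for this IPSec SA
        yr, qgr = dh_keypair()
        key_i = phase2_key(root_i, spi, qni, qnr, dh_shared(yi, qgr))
        key_r = phase2_key(root_r, spi, qni, qnr, dh_shared(yr, qgi))
    else:
        key_i = phase2_key(root_i, spi, qni, qnr)
        key_r = phase2_key(root_r, spi, qni, qnr)
    assert key_i == key_r              # the IPSec SA key matches

    # With the leaked root secret and the public values the attacker re-runs
    # the derivation.  Without a private exponent there is no g^xy to mix
    # in, so the best available reconstruction omits it.
    guess = phase2_key(root_i, spi, qni, qnr)
    return {"pfs": pfs, "sa_key_recovered": guess == key_i}


if __name__ == "__main__":
    for mode in (False, True):
        print(run_exchange(b"constructed-example-psk", mode))
```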

3.5 IPSec Algorithms

The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.

3.5.1 AH (Authentication Header) Protocol

AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed.
In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator.

3.5.2 ESP (Encapsulating Security Payload) Protocol

The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP authenticating properties are limited compared to the AH due to the non-inclusion of the IP header information during the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.
An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
Table 18 ESP and AH
ESP
Encryption: DES (default). Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data.
3DES. Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
AES. Advanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.
Select NULL to set up a phase 2 tunnel without encryption.
Authentication: MD5 (default). MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA1. SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
Select MD5 for minimal security and SHA-1 for maximum security.
AH
Encryption: not applicable (AH does not encrypt; see Section 3.5.1).
Authentication: MD5 (default). MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA1. SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
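To show what the ESP/AH authentication difference from Section 3.5.2 means in practice, here is an added Python example (not ZyWALL code) that computes the HMAC-MD5-96 or HMAC-SHA-1-96 integrity check value the way AH does (over the IP header with its mutable fields zeroed, plus the payload) and the way ESP does (over the ESP data only), then passes both packets through a NAT that rewrites the source address. The addresses, key and payload are constructed for the example; the AH header bytes, which AH also covers, are omitted for brevity.

```python
import hashlib
import hmac
import struct

# HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404), the IPSec forms of the
# MD5 and SHA1 choices in Table 18, transmit the first 96 bits of the HMAC.
ICV_LEN = 12
HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum field is left at zero since
    AH zeroes it before authenticating anyway."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0, ttl, proto, 0, to_bytes(src), to_bytes(dst))


def ah_icv(key, algo, ip_hdr, payload):
    """AH (RFC 2402) covers the IP header.  Fields a router legitimately
    changes in transit (TOS, flags/fragment offset, TTL, checksum) are
    zeroed first; the source and destination addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(key, bytes(h) + payload, HASHES[algo]).digest()[:ICV_LEN]


def esp_icv(key, algo, esp_data):
    """ESP (RFC 2406) covers only the ESP header, payload and trailer; the
    outer IP header is not part of the authenticated data."""
    return hmac.new(key, esp_data, HASHES[algo]).digest()[:ICV_LEN]


def rewrite_src(ip_hdr, new_src):
    """Model a NAT device rewriting the source address in transit."""
    return ip_hdr[:12] + bytes(int(o) for o in new_src.split(".")) + ip_hdr[16:]


def coverage_after_nat(algo="SHA1"):
    """Constructed example: the same payload sent as ESP and as AH through a
    NAT that rewrites the outer source address.  Returns whether each ICV
    still verifies at the receiving IPSec router."""
    key = b"constructed-example-auth-key"
    payload = b"upper layer data"
    hdr = ipv4_header("192.168.1.33", "203.0.113.10", proto=51,
                      payload_len=len(payload))
    esp_data = struct.pack("!II", 0x1000, 1) + payload   # SPI, seq, payload

    esp_tag = esp_icv(key, algo, esp_data)               # sender side
    ah_tag = ah_icv(key, algo, hdr, payload)

    hdr_seen = rewrite_src(hdr, "198.51.100.7")         # after the NAT
    return {
        "esp_valid": hmac.compare_digest(esp_tag, esp_icv(key, algo, esp_data)),
        "ah_valid": hmac.compare_digest(ah_tag, ah_icv(key, algo, hdr_seen, payload)),
    }


if __name__ == "__main__":
    for algo in ("MD5", "SHA1"):
        print(algo, coverage_after_nat(algo))
```

A plain TTL decrement by an ordinary router leaves the AH check intact, because TTL is one of the fields AH excludes; only a change to a covered field such as the source address breaks it.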

3.5.3 IKE Tunnel Setting (IKE Phase 1)

Figure 20 VPN Wizard : IKE Tunnel Setting
The following table describes the labels in this screen.
Table 19 VPN Wizard : IKE Tunnel Setting
LABEL DESCRIPTION
Negotiation Mode: Use the radio buttons to select Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
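A check for the pre-shared key format described in Table 19, as an added Python example (not ZyWALL code): it applies the 8 to 31 ASCII or "0x" plus 16 to 62 hexadecimal rule, with the hexadecimal alphabet limited to 0-9 and A-F as the table states, and compares the two ends' keys so a mismatch is caught before it surfaces as a PYLD_MALFORMED packet. The limits are the guide's; nothing here measures how strong the key is.

```python
import re
from typing import Tuple

# Limits as stated in the ZyWALL 35 wizard description (Table 19).
ASCII_MIN, ASCII_MAX = 8, 31
HEX_MIN, HEX_MAX = 16, 62
HEX_RE = re.compile(r"[0-9A-F]+")   # the guide lists "0-9", "A-F" only


def check_pre_shared_key(key: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate pre-shared key."""
    if key.startswith("0x"):
        digits = key[2:]                 # the "0x" prefix is not counted
        if not HEX_RE.fullmatch(digits):
            return False, "hexadecimal key may only contain 0-9 and A-F"
        if not HEX_MIN <= len(digits) <= HEX_MAX:
            return False, (f"hexadecimal key must be {HEX_MIN}-{HEX_MAX} "
                           f"digits, got {len(digits)}")
        return True, "hexadecimal key"
    if not key.isascii():
        return False, "ASCII key may only contain ASCII characters"
    if not ASCII_MIN <= len(key) <= ASCII_MAX:
        return False, (f"ASCII key must be {ASCII_MIN}-{ASCII_MAX} "
                       f"characters, got {len(key)}")
    return True, "ASCII key"


def ends_match(local_key: str, remote_key: str) -> bool:
    """Both IPSec routers must use the identical key.  The guide notes that a
    mismatch shows up as a PYLD_MALFORMED packet rather than a clear error,
    so compare before deploying.  Keys are case-sensitive."""
    return local_key == remote_key


if __name__ == "__main__":
    for candidate in ("0x0123456789ABCDEF", "0x0123", "s3cretKey", "short"):
        print(repr(candidate), check_pre_shared_key(candidate))
```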

3.5.4 IPSec Setting (IKE Phase 2)

Figure 21 VPN Wizard : IPSec Setting
The following table describes the labels in this screen.
Table 20 VPN Wizard : IPSec Setting
LABEL DESCRIPTION
Encapsulation Mode: Select Tunnel mode or Transport mode.
IPSec Protocol: Select the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number (more secure, yet slower).
Back: Click Back to return to the previous screen.
Next: Click Next to continue.

3.5.5 VPN Status Summary

This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.
Figure 22 VPN Wizard : VPN Status
The following table describes the labels in this screen.
Table 21 VPN Wizard : VPN Status
LABEL DESCRIPTION
Gateway Setting
My IP Address: This is the WAN IP address of your ZyWALL.
Secure Gateway Address: This is the IP address or domain name used to identify the remote IPSec router.
Network Setting
Local Network
Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/ Subnet Mask: When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the local network is configured for a subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network
Starting IP Address: This is a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/ Subnet Mask: When the remote network is configured for a single IP address, this field is N/A. When the remote network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the remote network is configured for a subnet, this is a subnet mask on the network behind the remote IPSec router.
IKE Tunnel Setting (IKE Phase 1)
Negotiation Mode: This shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES or AES.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
Key Group: This is the key group you chose for phase 1 IKE setup.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
Pre-Shared Key: This is a pre-shared key identifying a communicating party during a phase 1 IKE negotiation.
IPSec Setting (IKE Phase 2)
Encapsulation Mode: This shows Tunnel mode or Transport mode.
IPSec Protocol: ESP or AH are the security protocols used for an SA.
Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES, AES or NULL.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. Otherwise, DH1 or DH2 are selected to enable PFS.
Back: Click Back to return to the previous screen.
Finish: Click Finish to complete and save the wizard setup.

3.5.6 VPN Wizard Setup Complete

Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL.
Figure 23 VPN Wizard Setup Complete

CHAPTER 4

LAN Screens

This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode.

4.1 LAN Overview

Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks.

4.2 DHCP Setup

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.

4.2.1 IP Pool Setup

The ZyWALL is pre-configured with a pool of 128 IP addresses starting from 192.168.1.33 to 192.168.1.160. This configuration leaves 127 IP addresses (excluding the ZyWALL itself) in the lower range for other server computers, for instance, servers for mail, FTP, TFTP, web, etc., that you may have.

4.2.2 DNS Servers

Use the DNS screens to configure the DNS server information that the ZyWALL sends to the DHCP client devices on the LAN.
There are three places where you can configure DNS setup on the ZyWALL.
1 Use the DNS System screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN, DDNS and the time server.
2 Use the DNS LAN screen to configure the DNS server information that the ZyWALL sends to the DHCP client devices on the LAN.
3 Use the REMOTE MGMT DNS screen to configure the ZyWALL (in router mode) to accept or discard DNS queries.

4.3 LAN TCP/IP

The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

4.3.1 Factory LAN Defaults

The LAN parameters of the ZyWALL are preset in the factory with the following values:
• IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
• DHCP server enabled with 128 client IP addresses starting from 192.168.1.33.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.

4.3.2 IP Address and Subnet Mask

See the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.

4.3.3 RIP Setup

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.
By default, RIP Direction is set to Both and RIP Version to RIP-1.