ZyXEL 642 User Manual

Prestige 642
ADSL Router
User's Guide
Version 2.50
(May 2000)
ZyXEL
TOTAL INTERNET ACCESS SOLUTION
Part I: Getting Started
Chapters 1-3 are structured as a step-by-step guide to help you connect, install and set up your Prestige to operate on your network and access the Internet.
Part II: Advanced Applications
Advanced Applications (Chapters 4-7) describe the advanced applications of your Prestige, such as Remote Node Setup, IP Static Routes and NAT.
Part III: Advanced Management
Chapters 8 - 12 provide information on Prestige Filtering, SNMP, System Maintenance, IP Policy Routing, Troubleshooting as well as some Appendices and a Glossary.
Prestige 642 ADSL Internet Access Router
Chapter 8
Filter Configuration
This chapter shows you how to create and apply filter(s).
8.1 About Filtering
Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
Data filtering screens the data to determine if the packet should be allowed to pass. Data filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the Ethernet side.
Call filtering is used to determine if a packet should be allowed to trigger a call. Remote node call filtering is only applicable when using PPPoE encapsulation. Outgoing packets must undergo data filtering before they encounter call filtering as shown in the following figure.
[Flowchart: an outgoing packet first passes through Data Filtering (match: drop packet). On no match it goes to the built-in default Call Filters and then to the user-defined Call Filters, if applicable (match in either: drop packet if line not up, or send packet but do not reset Idle Timer). On no match it is Active Data: initiate call if line not up, send packet and reset Idle Timer.]
Figure 8-1 Outgoing Packet Filtering Process
For incoming packets, your Prestige applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
8.1.1 The Filter Structure of the Prestige
A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Prestige allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
Three sets of factory default filter rules have been configured in Menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming telnetting. A summary of their filter rules is shown in the figures that follow. The following diagram illustrates the logic flow when executing a filter rule.
[Flowchart: Start; Packet into filter; Fetch First Filter Set; Fetch First Filter Rule; Active? (No: Check Next Rule); Execute Filter Rule, with outcomes Forward (Accept Packet), Drop (Drop Packet) and Check Next Rule; Next Filter Rule Available? (Yes: Fetch Next Filter Rule); Next Filter Set Available? (Yes: Fetch Next Filter Set).]
Figure 8-2 Filter Rule Process
8.2 Configuring a Filter Set
To configure a filter set, follow the procedure below.
Step 1. Enter 21 from the Main Menu to open Menu 21.

  Menu 21 - Filter Set Configuration

  Filter                      Filter
  Set #   Comments            Set #   Comments
  ------  -----------------   ------  -----------------
    1     NetBIOS_WAN           7     _______________
    2     NetBIOS_LAN           8     _______________
    3     TELNET_WAN            9     _______________
    4     PPPoE                10     _______________
    5     _______________      11     _______________
    6     _______________      12     _______________

  Enter Filter Set Number to Configure= 0
  Edit Comments= N/A
  Press ENTER to Confirm or ESC to Cancel:

Figure 8-3 Menu 21 – Filter Setup
Step 2. Enter the index number of the filter set (no. 1-12) you wish to configure and press [ENTER].
Step 3. Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
Step 4. Press [ENTER] at the message: [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
  Menu 21.1 - Filter Rules Summary

  # A Type Filter Rules                             M m n
  - - ---- ---------------------------------------- - - -
  1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137     N D N
  2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138     N D N
  3 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139     N D N
  4 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137    N D N
  5 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138    N D N
  6 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139    N D F

  Enter Filter Rule Number (1-6) to Configure:
  Press ENTER to Confirm or ESC to Cancel:

Figure 8-4 NetBIOS_WAN Filter Rules Summary

  Menu 21.2 - Filter Rules Summary

  # A Type Filter Rules                             M m n
  - - ---- ---------------------------------------- - - -
  1 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=53     N D F
  2 Y
  3 Y
  4 Y
  5 Y
  6 Y

  Enter Filter Rule Number (1-6) to Configure:

Figure 8-5 NetBIOS_LAN Filter Rules Summary

  Menu 21.3 - Filter Rules Summary

  # A Type Filter Rules                             M m n
  - - ---- ---------------------------------------- - - -
  1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23      N D F
  2 N
  3 N
  4 N
  5 N
  6 N

  Enter Filter Rule Number (1-6) to Configure:

Figure 8-6 Telnet_WAN Filter Rules Summary
  Menu 21.4 - Filter Rules Summary

  # A Type Filter Rules                             M m n
  - - ---- ---------------------------------------- - - -
  1 Y Gen  Off=12, Len=2, Mask=ffff, Value=8863     N F N
  2 Y Gen  Off=12, Len=2, Mask=ffff, Value=8864     N F D
  3 N
  4 N
  5 N
  6 N

  Enter Filter Rule Number (1-6) to Configure:

Figure 8-7 PPPoE Filter Rules Summary
8.2.1 Filter Rules Summary Menu
This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus.
Table 8-1 Abbreviations Used in the Filter Rules Summary Menu
Abbreviations | Description | Display
# | Refers to the filter rule number (1-6). |
A | Shows whether the rule is active or not. | [Y] means the filter rule is active. [N] means the filter rule is inactive.
Type | Refers to the type of filter rule. This shows GEN for generic, IP for TCP/IP. | [GEN] for Generic. [IP] for TCP/IP.
Filter Rules | The filter rule parameters will be displayed here (see below). |
M | Refers to More. [Y] means an action can not yet be taken as there are more rules to check, which are concatenated with the present rule to form a rule chain. When the rule chain is complete an action can be taken. [N] means you can now specify an action to be taken i.e., forward the packet, drop the packet or check the next rule. For the latter, the next rule is independent of the rule just checked. If More is Yes, then Action Matched and Action Not Matched will be N/A. | [Y] means there are more rules to check. [N] means there are no more rules to check.
m | Refers to Action Matched. [F] means to forward the packet immediately and skip checking the remaining rules. | [F] means to forward the packet. [D] means to drop the packet. [N] means check the next rule.
n | Refers to Action Not Matched. [F] means to forward the packet immediately and skip checking the remaining rules. | [F] means to forward the packet. [D] means to drop the packet. [N] means check the next rule.
More in a set behaves like a logical AND i.e., the set is only matched if ALL rules in it are matched.
The protocol-dependent filter rule abbreviations are listed as follows:
• If the filter type is IP, the abbreviations listed in the following table will be used.
Table 8-2 Abbreviations Used If Filter Type Is IP
Abbreviation Description
Pr Protocol
SA Source Address
SP Source Port number
DA Destination Address
DP Destination Port number
Table 8-3 Abbreviations Used If Filter Type Is IPX
Abbreviation Description
PT IPX Packet Type
SS Source Socket
DS Destination Socket
• If the filter type is GEN (generic), the abbreviations listed in the following table will be used.
Table 8-4 Abbreviations Used If Filter Type Is GEN
Abbreviation Description
Off Offset
Len Length
Refer to the next section for information on configuring the filter rules.
8.2.2 Configuring a Filter Rule
To configure a filter rule, type its number in Menu 21.1 - Filter Rules Summary and press [ENTER] to open Menu 21.1.1 for the rule.
There are three types of filter rules: TCP/IP, IPX and Generic. Depending on the type of rule, the parameters below the type will be different. Use the space bar to select the type of rule that you wish to create in the Filter Type field and press ENTER to open the respective menu.
To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filters field or vice versa, the Prestige will warn you and will not allow you to save.
8.2.3 TCP/IP Filter Rule
This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, e.g., UDP and TCP, headers. To configure a TCP/IP rule, select TCP/IP Filter Rule from the Filter Type field and press ENTER to open Menu 21.1.1 - TCP/IP Filter Rule, as shown below.

  Menu 21.1.1 - TCP/IP Filter Rule

  Filter #: 1,1
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 6     IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 137
               Port # Comp= Equal
       Source: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #=
               Port # Comp= None
  TCP Estab= No
  More= No     Log= None
  Action Matched= Drop
  Action Not Matched= Check Next Rule

  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.

Figure 8-8 Menu 21.1.1.1 - TCP/IP Filter Rule
The following table describes how to configure your TCP/IP filter rule.
Table 8-5 TCP/IP Filter Rule Menu Fields
Field | Description | Option
Active | This field activates/deactivates the filter rule. | Yes/No
IP Protocol | Protocol refers to the upper layer protocol, e.g., TCP is 6, UDP is 17 and ICMP is 1. This value must be between 0 and 255. | 0-255
IP Source Route | If Yes, the rule applies to packet with IP source route option; else the packet must not have source route option. The majority of IP packets do not have source route. | Yes/No
Destination: IP Address | Enter the destination IP Address of the packet you wish to filter. This field is a don’t-care if it is 0.0.0.0. | IP address
Destination: IP Mask | Enter the IP mask to apply to the Destination: IP Addr. | IP mask
Destination: Port # | Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is a don’t-care if it is 0. | 0-65535
Destination: Port # Comp | Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. | None/Less/Greater/Equal/Not Equal
Source: IP Address | Enter the source IP Address of the packet you wish to filter. This field is a don’t-care if it is 0.0.0.0. | IP Address
Source: IP Mask | Enter the IP mask to apply to the Source: IP Addr. | IP Mask
Source: Port # | Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is a don’t-care if it is 0. | 0-65535
Source: Port # Comp | Select the comparison to apply to the source port in the packet against the value given in Source: Port #. | None/Less/Greater/Equal/Not Equal
TCP Estab | This field is applicable only when IP Protocol field is 6, TCP. If yes, the rule matches only established TCP connections; else the rule matches all TCP packets. | Yes/No
More | If yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A. | Yes / No
Log | Select the logging option from the following: • None – No packets will be logged. • Action Matched - Only packets that match the rule parameters will be logged. • Action Not Matched - Only packets that do not match the rule parameters will be logged. • Both – All packets will be logged. | None / Action Matched / Action Not Matched / Both
Action Matched | Select the action for a matching packet. | Check Next Rule / Forward / Drop
Action Not Matched | Select the action for a packet not matching the rule. | Check Next Rule / Forward / Drop
Once you have completed filling in Menu 21.1.1 - TCP/IP Filter Rule, press [ENTER] at the message [Press ENTER to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1 - Filter Rules Summary.
The following diagram illustrates the logic flow of an IP filter.
[Flowchart: Packet into IP Filter; Filter Active? (No: Check Next Rule); Apply SrcAddrMask to Src Addr; Check Src IP Addr; Apply DestAddrMask to Dest Addr; Check Dest IP Addr; Check IP Protocol; Check Src & Dest Port. Any check Not Matched leads to Action Not Matched (Drop, Forward or Check Next Rule). When all checks are Matched: More? (Yes: Check Next Rule; No: Action Matched, which is Drop, Forward or Check Next Rule). Drop ends in Drop Packet and Forward ends in Accept Packet.]
Figure 8-9 Executing an IP Filter
8.2.4 Generic Filter Rule
This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The Prestige applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4, the value in either field will take 8 digits, e.g., FFFFFFFF.
To configure a generic rule, select Generic Filter Rule in the Filter Type field in Menu 21.6.1 and press [ENTER] to open Generic Filter Rule, as shown below.

  Menu 21.6.1 - Generic Filter Rule

  Filter #: 6,1
  Filter Type= Generic Filter Rule
  Active= No
  Offset= 0
  Length= 0
  Mask= N/A
  Value= N/A
  More= No     Log= None
  Action Matched= Check Next Rule
  Action Not Matched= Check Next Rule

  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.

Figure 8-10 Generic Filter Rule
The following table describes the fields in the Generic Filter Rule Menu.
Table 8-6 Generic Filter Rule Menu Fields
Field | Description | Option
Filter # | This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. |
Filter Type | Use the [SPACE BAR] to toggle between both types of rules. Parameters displayed below each type will be different. | Generic Filter Rule / TCP/IP Filter Rule
Active | Select Yes to turn on the filter rule. | Yes/No
Offset | Enter the starting byte of the data portion in the packet that you wish to compare. The range for this field is from 0 to 255. | Default = 0
Length | Enter the byte count of the data portion in the packet that you wish to compare. The range for this field is 0 to 8. | Default = 0
Mask | Enter the mask (in Hexadecimal) to apply to the data portion before comparison. |
Value | Enter the value (in Hexadecimal) to compare with the data portion. |
More | If yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No. | Yes / No
Log | Select the logging option from the following: • None – No packets will be logged. • Action Matched - Only packets that match the rule parameters will be logged. • Action Not Matched - Only packets that do not match the rule parameters will be logged. • Both – All packets will be logged. | None / Action Matched / Action Not Matched / Both
Action Matched | Select the action for a matching packet. | Check Next Rule / Forward / Drop
Action Not Matched | Select the action for a packet not matching the rule. | Check Next Rule / Forward / Drop
Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [ENTER] at the message [Press ENTER to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.
8.2.5 Novell IPX Filter Rule
This section shows you how to configure an IPX filter rule. IPX filters allow you to base the rules on the fields in the IPX headers.
To configure an IPX rule, select IPX Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.5 IPX Filter Rule, as shown in the figure below.

  Menu 21.1.5 - IPX Filter Rule

  Filter #: 5,1
  Filter Type= IPX Filter Rule
  Active= No
  IPX Packet Type=
  Destination: Network #=
               Node #=
               Socket #=
               Socket # Comp= None
       Source: Network #=
               Node #=
               Socket #=
               Socket # Comp= None
  Operation= N/A
  More= No     Log= None
  Action Matched= Check Next Rule
  Action Not Matched= Check Next Rule

  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.

Figure 8-11 IPX Filter Rule
The table below describes the IPX Filter Rule.
Table 8-7 IPX Filter Rule Menu Fields
Field | Description
IPX Packet Type | Enter the IPX packet type (1-byte in hexadecimal) you wish to filter. The popular types are (in hexadecimal): 01 - RIP; 04 - SAP; 05 - SPX (Sequenced Packet eXchange); 11 - NCP (NetWare Core Protocol); 14 - Novell NetBIOS.
Destination/Source Network # | Enter the destination/source network numbers (4-byte in hexadecimal) of the packet that you wish to filter.
Destination/Source Node # | Enter in the destination/source node number (6-byte in hexadecimal) of the packet you wish to filter.
Destination/Source Socket # | Enter the destination/source socket number (2-byte in hexadecimal) of the packets that you wish to filter.
Destination/Source Socket # Comp | Select the comparison you wish to apply to the destination/source socket in the packet against that specified above.
Operation | This field is applicable only if one of the Socket # fields is 0452 or 0453 indicating SAP and RIP packets. There are seven options for this field that specify the type of the packet.
  • None.
  • RIP Request.
  • RIP Response.
  • SAP Request.
  • SAP Response.
  • SAP Get Nearest Server Request.
  • SAP Get Nearest Server Response.
Once you have completed filling in Menu 21.1.3 - IPX Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1 - Filter Rules Summary.
8.3 Example Filter
Let’s look at the third default ZyXEL filter, TELNET_WAN (see Figure 8-6) as an example. Please see our PNC Disk for more example filters. This filter is designed to block outside users telnetting into the Prestige.
Figure 8-12 Telnet Filter Example
Step 1. Enter 21 from the Main Menu to open Menu 21 - Filter Set Configuration.
Step 2. Enter the index of the filter set you wish to configure (in this case, 3) and press [ENTER].
Step 3. Enter a descriptive name or comment in the Edit Comments field (in this case TELNET_WAN) and press [ENTER].
Step 4. Press [ENTER] at the message: [Press ENTER to confirm] to open Menu 21.3 - Filter Rules Summary.
Step 5. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.

  Menu 21.3.1 - TCP/IP Filter Rule

  Filter #: 3,1
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 6     IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 23
               Port # Comp= Equal
       Source: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 0
               Port # Comp= None
  TCP Estab= No
  More= No     Log= None
  Action Matched= Drop
  Action Not Matched= Forward

  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.

Notes on the figure:
• Filter Type: Press the [SPACEBAR] to choose this filter rule type. The first filter rule type determines all subsequent filter types within a set.
• Active: Select Yes to make the rule active.
• IP Protocol: 6 is the TCP protocol.
• Destination Port #: The port number for the telnet service (TCP protocol) is 23. See RFC 1060 for port numbers of well-known services.
• Destination Port # Comp: Select Equal here as we are looking for packets going to port 23 only.
• More: There are no more rules to check.
• Action Matched: Select Drop here so that the packet will be dropped if its destination is the telnet port.
• Action Not Matched: Select Forward here so that the packet will be forwarded if its destination is not the telnet port.
Figure 8-13 Example Filter – Menu 21.3.1
When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set.

  Menu 21.3 - Filter Rules Summary

  # A Type Filter Rules                             M m n
  - - ---- ---------------------------------------- - - -
  1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23      N D F
  2 N
  3 N
  4 N
  5 N
  6 N

  Enter Filter Rule Number (1-6) to Configure: 1

This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched no matter whether there are more rules to be checked (there aren’t in this example).
Figure 8-14 Example Filter Rules Summary – Menu 21.3
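The filter-set walk of Figure 8-2, the IP rule checks of Figure 8-9 and the generic Offset/Length/Mask/Value match of section 8.2.4 can be modelled in a few lines of Python; this is an added example, not ZyXEL code. It covers only rules with More = No, takes its rule values from the factory default sets in Menus 21.1, 21.3 and 21.4, and assumes that a packet no rule decides is forwarded; the packets, frames, helper names and the TELNET_CASCADE variant are constructed for illustration.

```python
# Added example: model of the filter logic in Figures 8-2 and 8-9,
# limited to rules with More = No (as in every factory default set shown).
import ipaddress
from dataclasses import dataclass

FORWARD, DROP, NEXT = "F", "D", "N"   # m / n letters from Table 8-1

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

@dataclass
class IPRule:
    pr: int                       # IP Protocol (6 = TCP, 17 = UDP)
    dp: int = 0                   # Destination Port #, 0 = don't-care
    sa: str = "0.0.0.0"           # Source IP Addr, 0.0.0.0 = don't-care
    sa_mask: str = "0.0.0.0"
    da: str = "0.0.0.0"           # Destination IP Addr
    da_mask: str = "0.0.0.0"
    matched: str = DROP           # Action Matched
    not_matched: str = NEXT       # Action Not Matched
    active: bool = True

    def matches(self, pkt):
        # Order of checks follows Figure 8-9: masked source address,
        # masked destination address, protocol, then port (Comp = Equal).
        for field, addr, mask in (("src", self.sa, self.sa_mask),
                                  ("dst", self.da, self.da_mask)):
            if (_ip(pkt[field]) & _ip(mask)) != (_ip(addr) & _ip(mask)):
                return False
        if pkt["proto"] != self.pr:
            return False
        return self.dp == 0 or pkt["dport"] == self.dp

@dataclass
class GenRule:
    off: int                      # Offset in bytes, from 0
    length: int                   # Length in bytes
    mask: str                     # hexadecimal, two digits per byte
    value: str                    # hexadecimal, two digits per byte
    matched: str = FORWARD
    not_matched: str = NEXT
    active: bool = True

    def matches(self, frame):
        data = frame[self.off:self.off + self.length]
        if len(data) < self.length:          # frame too short to compare
            return False
        mask, value = bytes.fromhex(self.mask), bytes.fromhex(self.value)
        return bytes(d & m for d, m in zip(data, mask)) == value

def run_filter_sets(sets, pkt):
    """Walk (set_number, rules) pairs in order; return (action, 'set,rule')."""
    for set_no, rules in sets:
        for rule_no, rule in enumerate(rules, 1):
            if not rule.active:
                continue
            action = rule.matched if rule.matches(pkt) else rule.not_matched
            if action != NEXT:               # Forward or Drop ends the walk
                return action, f"{set_no},{rule_no}"
    return FORWARD, "default"                # assumption: nothing decided

# Factory default sets as listed in Menus 21.1, 21.3 and 21.4.
NETBIOS_WAN = [IPRule(pr, dp) for pr in (6, 17) for dp in (137, 138, 139)]
NETBIOS_WAN[-1].not_matched = FORWARD
TELNET_WAN = [IPRule(6, 23, not_matched=FORWARD)]
PPPOE = [GenRule(12, 2, "ffff", "8863"),
         GenRule(12, 2, "ffff", "8864", not_matched=DROP)]
# Constructed variant: same match, but a non-match falls through to the next set.
TELNET_CASCADE = [IPRule(6, 23, not_matched=NEXT)]

def pkt(proto, dport, src="203.0.113.9", dst="192.0.2.1"):
    # Constructed packet summary (documentation addresses).
    return {"proto": proto, "dport": dport, "src": src, "dst": dst}

def frame(ethertype_hex):
    # Constructed Ethernet frame: 6-byte dst, 6-byte src, 2-byte EtherType.
    return bytes(6) + bytes(6) + bytes.fromhex(ethertype_hex) + b"payload"

if __name__ == "__main__":
    telnet = pkt(6, 23)
    print(run_filter_sets([(3, TELNET_WAN)], telnet))
    print(run_filter_sets([(1, NETBIOS_WAN), (3, TELNET_WAN)], telnet))
    print(run_filter_sets([(3, TELNET_CASCADE), (1, NETBIOS_WAN)], telnet))
    print(run_filter_sets([(4, PPPOE)], frame("0800")))
```

In this model, cascading the two default sets as 1,3 forwards a telnet packet at rule 1,6, because that rule's Action Not Matched is Forward and the walk never reaches set 3. A set placed ahead of another needs Check Next Rule as the last rule's Action Not Matched for the later set to be consulted.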
After you’ve created the filter set, you must apply it.
Step 1. Enter 11 from the main menu to go to Menu 11.
Step 2. Go to the Edit Filter Sets field, press the [SPACEBAR] to toggle Yes to No and press [ENTER].
Step 3. This brings you to Menu 11.5. Apply the TELNET_WAN filter set (filter set 3) as shown in Figure 8-17.
Step 4. Press [ENTER] to confirm after you enter the set numbers and to leave Menu 11.5.
8.4 Filter Types and SUA
There are two types of filter rules, Device Filter (Generic) rules and Protocol Filter (TCP/IP and IPX) rules. Device Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on the IP and IPX packets.
When NAT/SUA (Network Address Translation/Single User Account) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the Prestige applies the protocol filters to the “native” IP address and port number before NAT/SUA for outgoing packets and after NAT/SUA for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the Prestige is receiving and sending the packets; i.e. the interface. The interface can be an Ethernet, or any other hardware port. The following diagram illustrates this.
Figure 8-15 Protocol and Device Filter Sets
8.5 Applying a Filter and Factory Defaults
This section shows you where to apply the filter(s) after you design it (them). Sets of factory default filter rules have been configured in Menu 21 (but have not been applied) to prevent NetBIOS traffic from triggering calls, incoming telnet and sessions. The PPPoE filter filters out all packets going out from the Prestige to the ISP or remote node except PPPoE packets.
8.5.1 LAN traffic
LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to Menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11. Input filter sets filter incoming traffic to the Prestige and Output filter sets filter outgoing traffic from the Prestige. The factory default set, NetBIOS_LAN, can be inserted in the protocol filters field under Input Filter Sets in Menu 3.1 to block NetBIOS traffic to the Prestige from the LAN.

  Menu 3.1 – LAN Port Filter Setup

  Input Filter Sets:
    protocol filters= 2
    device filters=
  Output Filter Sets:
    Protocol filters=
    device filters=

  Press ENTER to Confirm or ESC to Cancel:

Note on the figure: Apply Default Filter 2 here (Input Filter Sets, protocol filters).
Figure 8-16 Filtering LAN Traffic
8.5.2 Remote Node Filters
Go to Menu 11.5 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The factory default filter set, NetBIOS_WAN, can be applied in Menu 11.5 to block local NetBIOS traffic from triggering calls to the ISP (when you are using PPPoE encapsulation only). Enter “1” in the protocol filters field under Call Filter Sets when using PPPoE encapsulation and in protocol filters under Output Filter Sets when using Ethernet encapsulation. Filter set “3”, Telnet_WAN, blocks telnet connections from the WAN Port to help prevent security breaches. Filter set “4”, PPPoE, blocks PPP connections from the WAN Port. Apply them as shown in the following figure.

  Menu 11.5 - Remote Node Filter

  Input Filter Sets:
    protocol filters= 3
    device filters=
  Output Filter Sets:
    protocol filters= 4
    device filters=
  Call Filter Sets:
    protocol filters= 1
    device filters=

  Enter here to CONFIRM or ESC to CANCEL:

Figure 8-17 Filtering Remote Node Traffic (PPPoE Encapsulation)
Note on the figure: Apply Default Filters 1, 3 and 4 here. Enter 1 in protocol filters under Output Filter Sets when using Ethernet encapsulation.
Chapter 9
SNMP Configuration
This chapter discusses SNMP (Simple Network Management Protocol) for network management
and monitoring.
9.1 About SNMP
Your Prestige 642 supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. Keep in mind that SNMP is only available if TCP/IP is configured on your Prestige.
9.2 Configuring SNMP
To configure SNMP, select SNMP Configuration (enter 22) from the Main Menu to open Menu 22 - SNMP Configuration, as shown in the figure below. The “community” for Get, Set and Trap fields is simply SNMP’s terminology for password.

  Menu 22 - SNMP Configuration

  SNMP:
    Get Community= public
    Set Community= public
    Trusted Host= 0.0.0.0
    Trap:
      Community= public
      Destination= 0.0.0.0

  Press ENTER to Confirm or ESC to Cancel:

Figure 9-1 Menu 22 - SNMP Configuration
The following table describes the SNMP configuration parameters.
Table 9-1 SNMP Configuration Menu Fields
Field | Description | Default
Get Community | Enter the get community, which is the password for the incoming Get- and GetNext- requests from the management station. | public
Set Community | Enter the set community, which is the password for incoming Set- requests from the management station. | public
Trusted Host | If you enter a trusted host, your Prestige will only respond to SNMP messages from this address. If you leave the field blank (default), your Prestige will respond to all SNMP messages it receives, regardless of source. | blank
Trap: Community | Enter the trap community, which is the password sent with each trap to the SNMP manager. | public
Trap: Destination | Enter the IP address of the station to send your SNMP traps to. | blank
Once you have completed filling in Menu 22 - SNMP Configuration, press [ENTER] at the message [Press ENTER to Confirm] to save your configuration, or press [Esc] to cancel.
Chapter 10
System Maintenance
This chapter covers the diagnostic tools that help you to maintain your Prestige.
The diagnostic tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.

  Menu 24 - System Maintenance

  1. System Status
  2. System Information and Console Port Speed
  3. Log and Trace
  4. Diagnostic
  5. Backup Configuration
  6. Restore Configuration
  7. Upload Firmware
  8. Command Interpreter Mode

  Enter Menu Selection Number:

Figure 10-1 Menu 24 - System Maintenance