ZyXEL NBG5615 Users Manual
14.1 Overview
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to
obtain TCP/IP configuration at start-up from a server. You can configure the NBG5615’s LAN as a
DHCP server or disable it. When configured as a server, the NBG5615 provides the TCP/IP
configuration for the clients. If DHCP service is disabled, you must have another DHCP server on
your LAN, or else the computer must be manually configured.
14.1.1 What You Can Do
•Use the General screen to enable the DHCP server (Section 14.2 on page 133).
•Use the Advanced screen to assign IP addresses on the LAN to specific individual computers
based on their MAC Addresses (Section 14.3 on page 134).
•Use the Client List screen to view the current DHCP client information (Section 14.4 on page
136).
CHAPTER 14
DHCP Server
14.1.2 What You Need To Know
The following terms and concepts may help as you read through this chapter.
MAC Addresses
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is
assigned at the factory and consists of six pairs of hexadecimal characters, for example,
00:A0:C5:00:00:02. Find out the MAC addresses of your network devices if you intend to add them
to the DHCP Client List screen.
14.2 DHCP Server General Screen
Use this screen to enable the DHCP server. Click Netw o rk > DHCP Server. The following screen
displays.
NBG5615 User’s Guide 133
Chapter 14 DHCP Server
Figure 78 Network > DHCP Server > General
The following table describes the labels in this screen.
Table 52 Network > DHCP Server > General
LABEL DESCRIPTION
DHCP Server Select Enable to activate DHCP for LAN.
IP Pool Starting
Address
Pool Size This field specifies the size, or count of the IP address pool for LAN.
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to begin configuring this screen afresh.
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows
individual clients (computers) to obtain TCP/IP configuration at startup from a server.
Enable the DHCP server unless your ISP instructs you to do otherwise. Select Disable
to stop the NBG5615 acting as a DHCP server. When configured as a server, the
NBG5615 provides TCP/IP configuration for the clients. If not, DHCP service is
disabled and you must have another DHCP server on your LAN, or else the computers
must be manually configured. When set as a server, fill in the following four fields.
This field specifies the first of the contiguous addresses in the IP address pool for LAN.
14.3 DHCP Server Advanced Screen
This screen allows you to assign IP addresses on the LAN to specific individual computers based on
their MAC addresses. You can also use this screen to configure the DNS server information that the
NBG5615 sends to the DHCP clients.
To change your NBG5615’s static DHCP settings, click Netw ork > DHCP Server > Advanced. The
following screen displays.
134
NBG5615 User’s Guide
Figure 79 Network > DHCP Server > Advanced
Chapter 14 DHCP Server
The following table describes the labels in this screen.
Table 53 Network > DHCP Server > Advanced
LABEL DESCRIPTION
Static DHCP Table
# This is the index number of the static IP table entry (row).
MAC Address Type the MAC address (with colons) of a computer on your LAN.
IP Address Type the LAN IP address of a computer on your LAN.
DNS Server
DNS Servers
Assigned by DHCP
Server
The NBG5615 passes a DNS (Domain Name System) server IP address (in the order you
specify here) to the DHCP clients. The NBG5615 only passes this information to the LAN
DHCP clients when you enable DHCP Server. When you disable DHCP Server, DHCP
service is disabled and you must have another DHCP sever on your LAN, or else the
computers must have their DNS server addresses manually configured.
NBG5615 User’s Guide
135
Chapter 14 DHCP Server
Table 53 Network > DHCP Server > Advanced (continued)
LABEL DESCRIPTION
First DNS Server
Second DNS Server
Third DNS Server
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to begin configuring this screen afresh.
Select Obtained From I SP if your ISP dynamically assigns DNS server information
(and the NBG5615's WAN IP address). The field to the right displays the (read-only)
DNS server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's
IP address in the field to the right. If you chose User-Defined, but leave the IP address
set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a
second choice to User-Defined, and enter the same IP address, the second User-
Defined changes to None after you click Apply.
Select DNS Relay to have the NBG5615 act as a DNS proxy. The NBG5615's LAN IP
address displays in the field to the right (read-only). The NBG5615 tells the DHCP
clients on the LAN that the NBG5615 itself is the DNS server. When a computer on the
LAN sends a DNS query to the NBG5615, the NBG5615 forwards the query to the
NBG5615's system DNS server (configured in the WAN > I nternet Co nnection
screen) and relays the response back to the computer. You can only select DNS Relay
for one of the three servers; if you select DNS Relay for a second or third DNS server,
that choice changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a DNS
server, you must know the IP address of a computer in order to access it.
14.4 DHCP Client List Screen
The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC
Address) of network clients using the NBG5615’s DHCP servers.
Configure this screen to always assign an IP address to a MAC address (and host name). Click
Netw ork > DHCP Server > Client List.
Note: You can also view a read-only client list by clicking Monitor > DHCP Server.
Figure 80 Network > DHCP Server > Client List
The following table describes the labels in this screen.
Table 54 Network > DHCP Server > Client List
LABEL DESCRIPTION
# This is the index number of the host computer.
Status This field displays whether the connection to the host computer is up (a yellow bulb) or
down (a gray bulb).
136
NBG5615 User’s Guide
Chapter 14 DHCP Server
Table 54 Network > DHCP Server > Client List (continued)
LABEL DESCRIPTION
Host Name This field displays the computer host name.
IP Address This field displays the IP address relative to the # field listed above.
MAC Address This field shows the MAC address of the computer with the name in the Host Nam e field.
Every Ethernet device has a unique MAC (Media Access Control) address which uniquely
identifies a device. The MAC address is assigned at the factory and consists of six pairs of
hexadecimal characters, for example, 00:A0:C5:00:00:02.
Reserve Select this if you want to reserve the IP address for this specific MAC address.
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to reload the previous configuration for this screen.
NBG5615 User’s Guide
137
Chapter 14 DHCP Server
138
NBG5615 User’s Guide
15.1 Overview
A: 192.168.1.33
B: 192.168.1.34
C: 192.168.1.35
IP address
192.168.1.1
WANLAN
assigned by ISP
FTP, Telnet, SNMP
Port 80
Ports 21 to 25
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in
a packet. For example, the source address of an outgoing packet, used within one network is
changed to a different IP address known within another network.
The figure below is a simple illustration of a NAT network. You want to assign ports 21-25 to one
FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign
a default server IP address of 192.168.1.35 to a third (C in the example).
You assign the LAN IP addresses to the devices (A to D) connected to your NBG5615. The ISP
assigns the WAN IP address. The NAT network appears as a single host on the Internet. All traffic
coming from A to D going out to the Internet use the IP address of the NBG5615, which is
192.168.1.1.
CHAPTER 15
NAT
Figure 81 NAT Example
This chapter discusses how to configure NAT on the NBG5615.
Note: You must create a firewall rule in addition to setting up NAT, to allow traffic from
the WAN to be forwarded through the NBG5615.
15.1.1 What You Can Do
NBG5615 User’s Guide 139
•Use the General screen to enable NAT (
Section 15.2 on page 141).
Chapter 15 NAT
•Use the Port Forw arding screen to set a default server and change your NBG5615’s port
forwarding settings to forward incoming service requests to the server(s) on your local network
(
Section 15.3 on page 142).
•Use the Port Trigger screen to change your NBG5615’s trigger port settings (
page 147
).
15.1.2 What You Need To Know
The following terms and concepts may help as you read through this chapter.
Inside/Outside
This denotes where a host is located relative to the NBG5615, for example, the computers of your
subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
Global/Local
This denotes the IP address of a host in a packet as the packet traverses a router, for example, the
local address refers to the IP address of a host when the packet is in the local network, while the
global address refers to the IP address of the host when the same packet is traveling in the WAN
side.
Section 15.5.3 on
Note: Inside/outside refers to the location of a host, while global/local refers to the IP
address of a host used in a packet.
An inside local address (ILA) is the IP address of an inside host in a packet when the packet is still
in the local network, while an inside global address (IGA) is the IP address of the same inside host
when the packet is on the WAN side. The following table summarizes this information.
Table 55 NAT Definitions
ITEM DESCRIPTION
Inside This refers to the host on the LAN.
Outside This refers to the host on the WAN.
Local This refers to the packet address (source or destination) as the packet travels on the LAN.
Global This refers to the packet address (source or destination) as the packet travels on the WAN.
Note: NAT never changes the IP address (either local or global) of an outside host.
What NAT Does
In the simplest form, NAT changes the source IP address in a packet received from a subscriber
(the inside local address) to another (the inside global address) before forwarding the packet to the
WAN side. When the response comes back, NAT translates the destination address (the inside
global address) back to the inside local address before forwarding it to the original inside host. Note
that the IP address (either local or global) of an outside host is never changed.
140
The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP.
In addition, you can designate servers, for example, a web server and a telnet server, on your local
NBG5615 User’s Guide
Chapter 15 NAT
network and make them accessible to the outside world. If you do not define any servers , NAT
offers the additional benefit of firewall protection. With no servers defined, your NBG5615 filters out
all incoming inquiries, thus preventing intruders from probing your network. For more information
on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).
How NAT Works
Each packet has two addresses – a source address and a destination address. For outgoing packets,
the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global
Address) is the source address on the WAN. For incoming packets, the ILA is the destination
address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local)
IP addresses to globally unique ones required for communication with hosts on other networks. It
replaces the original IP source address in each packet and then forwards it to the Internet. The
NBG5615 keeps track of the original addresses and port numbers so incoming reply packets can
have their original values restored. The following figure illustrates this.
Figure 82 How NAT Works
15.2 General
Use this screen to enable NAT and set a default server. Click Netw ork > NAT to open the General
screen.
Figure 83 Network > NAT > General
NBG5615 User’s Guide
141
Chapter 15 NAT
The following table describes the labels in this screen.
Table 56 Network > NAT > General
LABEL DESCRIPTION
Network Address
Tra n s la tion (NAT)
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to begin configuring this screen afresh.
Network Address Translation (NAT) allows the translation of an Internet protocol
address used within one network (for example a private IP address used in a local
network) to a different IP address known within another network (for example a public
IP address used on the Internet).
Select Enable to activate NAT. Select Disable to turn it off.
15.3 Port Forwarding Screen
Use this screen to forward incoming service requests to the server(s) on your local network and set
a default server. You may enter a single port number or a range of port numbers to be forwarded,
and the local IP address of the desired server. The port number identifies a service; for example,
web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or
where one server can support more than one service (for example both FTP and web service), it
might be better to specify a range of port numbers.
In addition to the servers for specified services, NAT supports a default server. A service request
that does not have a server explicitly designated for it is forwarded to the default server. If the
default is not defined, the service request is simply discarded.
Note: Many residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may
periodically check for servers and may suspend your account if it discovers any
active services at your location. If you are unsure, refer to your ISP.
Port forwarding allows you to define the local servers to which the incoming services will be
forwarded. To change your NBG5615’s port forwarding settings, click Netw ork > NAT > Port
Forwarding. The screen appears as shown.
Note: If you do not assign a Default Server, the NBG5615 discards all packets received
for ports that are not specified in this screen or remote management.
Refer to
Appendix C on page 249 for port numbers commonly used for particular services.
142
NBG5615 User’s Guide
Figure 84 Network > NAT > Port Forwarding
The following table describes the labels in this screen.
Chapter 15 NAT
Table 57 Network > NAT > Port Forwarding
LABEL DESCRIPTION
Default Server Setup
Default Server In addition to the servers for specified services, NAT supports a default server. A default
server receives packets from ports that are not specified in the Port Forw arding
screen. You can decide whether you want to use the default server or specify a server
manually.
Select this to use the default server.
Change to Server Select this and manually enter the server’s IP address.
Service Name Select a pre-defined service from the drop-down list box. The pre-defined service port
Service Protocol Select the transport layer protocol supported by this virtual server. Choices are TCP,
Server IP Address Enter the inside IP address of the virtual server here and click Add to add it in the port
# This is the number of an individual port forwarding server entry.
Status This icon is turned on when the rule is enabled.
Name This field displays a name to identify this rule.
Protocol This is the transport layer protocol used for the service.
Port This field displays the port number(s).
Server IP Address This field displays the inside IP address of the server.
Modify Click the Edit icon to open the edit screen where you can modify an existing rule.
number(s) and protocol will be displayed in the port forwarding summary table.
Otherwise, select User define to manually enter the port number(s) and select the IP
protocol.
UDP, or TCP_ UDP.
If you have chosen a pre-defined service in the Service Nam e field, the protocol will be
configured automatically.
forwarding summary table.
Click the Delete icon to remove a rule.
NBG5615 User’s Guide
143
Chapter 15 NAT
Table 57 Network > NAT > Port Forwarding (continued)
LABEL DESCRIPTION
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to begin configuring this screen afresh.
15.3.1 Port Forwarding Edit Screen
This screen lets you edit a port forwarding rule. Click a rule’s Edit icon in the Port Forwarding
screen to open the following screen.
Figure 85 Network > NAT > Port Forwarding Edit
The following table describes the labels in this screen.
Table 58 Network > NAT > Port Forwarding Edit
LABEL DESCRIPTION
Port Forwarding Select Enable to turn on this rule and the requested service can be forwarded to the host
with a specified internal IP address.
Select Disable to disallow forwarding of these ports to an inside server without having to
delete the entry.
Service Name Type a name (of up to 31 printable characters) to identify this rule in the first field next to
Protocol Select the transport layer protocol supported by this virtual server. Choices are TCP, UDP,
Port Type a port number(s) to define the service to be forwarded to the specified server.
Server IP
Address
Back Click Back to return to the previous screen.
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to begin configuring this screen afresh.
Service Name. Otherwise, select a predefined service in the second field next to Service
Nam e. The predefined service name and port number(s) will display in the Service Name
and Port fields.
or T CP_ UDP.
If you have chosen a pre-defined service in the Service Nam e field, the protocol will be
configured automatically.
To specify a range of ports, enter a hyphen (-) between the first port and the last port,
such as 10-.
Type the IP address of the server on your LAN that receives packets from the port(s)
specified in the Port field.
144
NBG5615 User’s Guide
15.4 Port Trigger Screen
To change your NBG5615’s trigger port settings, click Netw ork > NAT > Port Trigger. The screen
appears as shown.
Note: Only one LAN computer can use a trigger port (range) at a time.
Figure 86 Network > NAT > Port Trigger
Chapter 15 NAT
The following table describes the labels in this screen.
Table 59 Network > NAT > Port Trigger
LABEL DESCRIPTION
# This is the rule index number (read-only).
Name Type a unique name (up to 15 characters) for identification purposes. All characters are
Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out
Port Type a port number or the starting port number in a range of port numbers.
End Port Type a port number or the ending port number in a range of port numbers.
Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the NBG5615 to
Port Type a port number or the starting port number in a range of port numbers.
End Port Type a port number or the ending port number in a range of port numbers.
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to begin configuring this screen afresh.
NBG5615 User’s Guide
permitted - including spaces.
a particular service. The NBG5615 forwards the traffic with this port (or range of ports) to
the client computer on the LAN that requested the service.
record the IP address of the LAN computer that sent the traffic to a server on the WAN.
145
Chapter 15 NAT
15.5 Technical Reference
The following section contains additional technical information about the NBG5615 features
described in this chapter.
15.5.1 NATPort Forwarding: Services and Port Numbers
A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP,
that you can make accessible to the outside world even though NAT makes your whole inside
network appear as a single machine to the outside world.
Use the Port Forw arding screen to forward incoming service requests to the server(s) on your
local network. You may enter a single port number or a range of port numbers to be forwarded, and
the local IP address of the desired server. The port number identifies a service; for example, web
service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one
server can support more than one service (for example both FTP and web service), it might be
better to specify a range of port numbers.
In addition to the servers for specified services, NAT supports a default server. A service request
that does not have a server explicitly designated for it is forwarded to the default server. If the
default is not defined, the service request is simply discarded.
Note: Many residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may
periodically check for servers and may suspend your account if it discovers any
active services at your location. If you are unsure, refer to your ISP.
15.5.2 NAT Port Forwarding Example
Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example),
port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a
third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address.
The NAT network appears as a single host on the Internet.
Figure 87 Multiple Servers Behind NAT Example
146
NBG5615 User’s Guide
15.5.3 Trigger Port Forwarding
Jane’s com puter
Real Audio Server
Port 7 0 7 0
Some services use a dedicated range of ports on the client side and a dedicated range of ports on
the server side. With regular port forwarding you set a forwarding port in NAT to forward a service
(coming in from the server on the WAN) to the IP address of a computer on the client side (LAN).
The problem is that port forwarding only forwards a service to a single LAN IP address. In order to
use the same service on a different LAN computer, you have to manually replace the LAN
computer's IP address in the forwarding port with another LAN computer's IP address.
Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take
turns using the service. The NBG5615 records the IP address of a LAN computer that sends traffic
to the WAN to request a service with a specific port number and protocol (a "trigger" port). When
the NBG5615's WAN port receives a response with a specific port number and protocol ("incoming"
port), the NBG5615 forwards the traffic to the LAN IP address of the computer that sent the
request. After that computer’s connection for that service closes, another computer on the LAN can
use the service in the same manner. This way you do not need to configure a new IP address each
time you want a different LAN computer to use the application.
15.5.4 Trigger Port Forwarding Example
The following is an example of trigger port forwarding.
Chapter 15 NAT
Figure 88 Trigger Port Forwarding Process: Example
1 Jane requests a file from the Real Audio server (port 7070).
2 Port 7070 is a “trigger” port and causes the NBG5615 to record Jane’s computer IP address. The
NBG5615 associates Jane's computer IP address with the "incoming" port range of 6970-7170.
3 The Real Audio server responds using a port number ranging between 6970-7170.
4 The NBG5615 forwards the traffic to Jane’s computer IP address.
5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The
NBG5615 times out in three minutes with UDP (User Datagram Protocol), or two hours with TCP/IP
(Transfer Control Protocol/Internet Protocol).
NBG5615 User’s Guide
147
Chapter 15 NAT
15.5.5 Two Points To Remember About Trigger Ports
1 Trigger events only happen on data that is coming from inside the NBG5615 and going to the
outside.
2 If an application needs a continuous data stream, that port (range) will be tied up so that another
computer on the LAN can’t trigger it.
148
NBG5615 User’s Guide
16.1 Overview
DDNS services let you use a domain name with a dynamic IP address.
16.1.1 What You Need To Know
The following terms and concepts may help as you read through this chapter.
What is DDNS?
Dynamic Domain Name Service (DDNS) services let you use a fixed domain name with a dynamic
IP address. Users can always use the same domain name instead of a different dynamic IP address
that changes each time to connect to the NBG5615 or a server in your network.
CHAPTER 16
DDNS
Note: The NBG5615 must have a public global IP address and you should have your
registered DDNS account information on hand.
16.2 General
To change your NBG5615’s DDNS, click Netw ork > DDNS. The screen appears as shown.
Figure 89 Dynamic DNS
NBG5615 User’s Guide 149
Chapter 16 DDNS
The following table describes the labels in this screen.
Table 60 Dynamic DNS
LABEL DESCRIPTION
Dynamic DNS Select Enabl e to use dynamic DNS. Select Disable to turn this feature off.
Service Provider Select the name of your Dynamic DNS service provider.
Host Name Enter a host names in the field provided. You can specify up to two host names in the
Usename Enter your user name.
Password Enter the password assigned to you.
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to begin configuring this screen afresh.
field separated by a comma (",").
150
NBG5615 User’s Guide
17.1 Overview
WAN
R1
R2
A
R3
LAN
This chapter shows you how to configure static routes for your NBG5615.
The NBG5615 usually uses the default gateway to route outbound traffic from computers on the
LAN to the Internet. To have the NBG5615 send data to devices not reachable through the default
gateway, use static routes.
For example, the next figure shows a computer (A) connected to the NBG5615’s LAN interface. The
NBG5615 routes most traffic from A to the Internet through the NBG5615’s default gateway (R1).
You create one static route to connect to services offered by your ISP behind router R2 . You create
another static route to communicate with a separate network behind a router R3 connected to the
LAN.
Figure 90 Example of Static Routing Topology
CHAPTER 17
Static Route
17.2 IP Static Route Screen
Click Netw ork > Static Route to open the Static Route screen.
NBG5615 User’s Guide 151
Chapter 17 Static Route
Figure 91 Network > Static Route
The following table describes the labels in this screen.
Table 61 Network > Static Route
LABEL DESCRIPTION
Add Static Route Click this to create a new rule.
# This is the number of an individual static route.
Status This field indicates whether the rule is active (yellow bulb) or not (gray bulb).
Name This field displays a name to identify this rule.
Destination This parameter specifies the IP network address of the final destination. Routing is always
Gateway This is the IP address of the gateway. The gateway is a router or switch on the same
Subent Mask This parameter specifies the IP network subnet mask of the final destination.
Modify Click the Edit icon to open a screen where you can modify an existing rule.
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to begin configuring this screen afresh.
based on network number.
network segment as the device's LAN or WAN port. The gateway helps forward packets to
their destinations.
Click the Delete icon to remove a rule from the NBG5615.
17.2.1 Add/Edit Static Route
Click the Add Static Route button or a rule’s Edit icon in the Static Route screen. Use this screen
to configure the required information for a static route.
Figure 92 Network > Static Route: Add/Edit
152
NBG5615 User’s Guide
Chapter 17 Static Route
The following table describes the labels in this screen.
Table 62 Network > Static Route: Add/Edit
LABEL DESCRIPTION
Static Route Select to enable or disable this rule.
Route Name Type a name to identify this rule. You can use up to printable English keyboard
Destination IP
Address
IP Subnet Mask Enter the IP subnet mask here.
Gateway IP
Address
Back Click Back to return to the previous screen without saving.
Apply Click Apply to save your changes back to the NBG5615.
Cancel Click Cancel to set every field in this screen to its last-saved value.
characters, including spaces.
This parameter specifies the IP network address of the final destination. Routing is
always based on network number. If you need to specify a route to a single host, use a
subnet mask of 255.255.255.255 in the subnet mask field to force the network number to
be identical to the host ID.
Enter the IP address of the next-hop gateway. The gateway is a router or switch on the
same segment as your NBG5615's interface(s). The gateway helps forward packets to
their destinations.
NBG5615 User’s Guide
153
Chapter 17 Static Route
154
NBG5615 User’s Guide
18.1 Overview
WAN
LAN
3
4
1
2
A
Use these screens to enable and configure the firewall that protects your NBG5615 and your LAN
from unwanted or malicious traffic.
Enable the firewall to protect your LAN computers from attacks by hackers on the Internet and
control access between the LAN and WAN. By default the firewall:
• allows traffic that originates from your LAN computers to go to all of the networks.
• blocks traffic that originates on the other networks from going to the LAN.
The following figure illustrates the default firewall action. User A can initiate an IM (Instant
Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2).
However other traffic initiated from the WAN is blocked (3 and 4).
CHAPTER 18
Firewall
Figure 93 Default Firewall Action
18.1.1 What You Can Do
•Use the General screen to enable or disable the NBG5615’s firewall (
18.1.2 What You Need To Know
•Use the Services screen enable service blocking, enter/delete/modify the services you want to
block and the date/time you want to block them (Section 18.3 on page 157).
Section 18.2 on page 157).
The following terms and concepts may help as you read through this chapter.
NBG5615 User’s Guide 155
Chapter 18 Firewall
What is a Firewall?
Originally, the term “firewall” referred to a construction technique designed to prevent the spread of
fire from one room to another. The networking term "firewall" is a system or group of systems that
enforces an access-control policy between two networks. It may also be defined as a mechanism
used to protect a trusted network from a network that is not trusted. Of course, firewalls cannot
solve every security problem. A firewall is one of the mechanisms used to establish a network
security perimeter in support of a network security policy. It should never be the only mechanism or
method employed. For a firewall to guard effectively, you must design and deploy it appropriately.
This requires integrating the firewall into a broad information-security policy. In addition, specific
policies must be implemented within the firewall itself.
Stateful Inspection Firewall
Stateful inspection firewalls restrict access by screening data packets against defined access rules.
They make access control decisions based on IP address and protocol. They also "inspect" the
session data to assure the integrity of the connection and to adapt to dynamic protocols. These
firewalls generally provide the best speed and transparency; however, they may lack the granular
application level access control or caching that some proxies support. Firewalls, of one type or
another, have become an integral part of standard security solutions for enterprises.
About the NBG5615 Firewall
The NBG5615’s firewall feature physically separates the LAN and the WAN and acts as a secure
gateway for all data passing between the networks.
It is a stateful inspection firewall and is designed to protect against Denial of Service attacks when
activated (click the General tab under Firew all and then click the Enable Firew all check box).
The NBG5615's purpose is to allow a private Local Area Network (LAN) to be securely connected to
the Internet. The NBG5615 can be used to prevent theft, destruction and modification of data, as
well as log events, which may be important to the security of your network.
The NBG5615 is installed between the LAN and a broadband modem connecting to the Internet.
This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
The NBG5615 has one Ethernet WAN port and four Ethernet LAN ports, which are used to physically
separate the network into two areas.The WAN (Wide Area Network) port attaches to the broadband
(cable or DSL) modem to the Internet.
The LAN (Local Area Network) port attaches to a network of computers, which needs security from
the outside world. These computers will have access to Internet services such as e-mail, FTP and
the World Wide Web. However, "inbound access" is not allowed (by default) unless the remote host
is authorized to use a specific service.
Guidelines For Enhancing Security With Your Firewall
1 Change the default password via Web Configurator.
2 Think about access control before you connect to the network in any way, including attaching a
modem to the port.
3 Limit who can access your router.
156
NBG5615 User’s Guide
4 Don't enable any local service (such as NTP) that you don't use. Any enabled service could present
a potential security risk. A determined hacker might be able to find creative ways to misuse the
enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the services to
communicate only with specific peers, and protect by configuring rules to block packets for the
services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.
18.2 General Screen
Use this screen to enable or disable the NBG5615’s firewall, and set up firewall logs. Click Security
> Firew all to open the General screen.
Figure 94 Security > Firewall > General l
Chapter 18 Firewall
The following table describes the labels in this screen.
Table 63 Security > Firewall > General
LABEL DESCRIPTION
Enable Firewall Select this check box to activate the firewall. The NBG5615 performs access control and
protects against Denial of Service (DoS) attacks when the firewall is activated.
Apply Click Apply to save the settings.
Cancel Click Cancel to start configuring this screen again.
18.3 Services Screen
If an outside user attempts to probe an unsupported port on your NBG5615, an ICMP response
packet is automatically returned. This allows the outside user to know the NBG5615 exists. Use this
screen to prevent the ICMP response packet from being sent. This keeps outsiders from discovering
your NBG5615 when unsupported ports are probed.
You can also use this screen to enable service blocking, enter/delete/modify the services you want
to block and the date/time you want to block them.
Click Security > Firew all > Services. The screen appears as shown next.
NBG5615 User’s Guide
157
Chapter 18 Firewall
Figure 95 Security > Firewall > Services l
The following table describes the labels in this screen.
Table 64 Security > Firewall > Services
LABEL DESCRIPTION
LABEL DESCRIPTION
ICMP Internet Control Message Protocol is a message control and error-reporting protocol
Respond to Ping onThe NBG5615 will not respond to any incoming Ping requests when Disable is selected.
Apply Click Apply to save the settings.
Enable Firewall Rule
Enable Firewall
Rule
Apply Click Apply to save the settings.
Add Firewall Rule
Service Name Enter a name that identifies or describes the firewall rule.
MAC Address Enter the MAC address of the computer for which the firewall rule applies.
Dest IP Address Enter the IP address of the computer to which traffic for the application or service is
between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP)
datagrams, but the messages are processed by the TCP/IP software and directly apparent
to the application user.
Select LAN to reply to incoming LAN Ping requests. Select W AN to reply to incoming WAN
Ping requests. Otherwise select LAN &W AN to reply to all incoming LAN and WAN Ping
requests.
Select this check box to activate the firewall rules that you define (see Add Firew all Rule
below).
entering.
The NBG5615 applies the firewall rule to traffic initiating from this computer.
158
NBG5615 User’s Guide
Chapter 18 Firewall
Table 64 Security > Firewall > Services (continued)
LABEL DESCRIPTION
Source IP Address Enter the IP address of the computer that initializes traffic for the application or service.
The NBG5615 applies the firewall rule to traffic initiating from this computer.
Protocol Select the protocol (TCP, UDP or I CMP) used to transport the packets for which you want
Dest Port Range Enter the port number/range of the destination that define the traffic type, for example
Source Port
Range
Add Rule Click Add to save the firewall rule.
Firewall Rule
# This is your firewall rule number. The ordering of your rules is important as rules are
Service Name This is a name that identifies or describes the firewall rule.
MAC address This is the MAC address of the computer for which the firewall rule applies.
Dest IP This is the IP address of the computer to which traffic for the application or service is
Source IP This is the IP address of the computer from which traffic for the application or service is
Protocol This is the protocol (TCP, UDP or I CMP) used to transport the packets for which you want
Dest Port Range This is the port number/range of the destination that define the traffic type, for example
Source Port
Range
Action DROP - Traffic matching the conditions of the firewall rule are stopped.
Delete Click Delete to remove the firewall rule.
Cancel Click Cancel to start configuring this screen again.
to apply the firewall rule.
TCP port 80 defines web traffic.
Enter the port number/range of the source that define the traffic type, for example TCP
port 80 defines web traffic.
applied in turn.
entering.
initialized.
to apply the firewall rule.
TCP port 80 defines web traffic.
This is the port number/range of the source that define the traffic type, for example TCP
port 80 defines web traffic.
See
Appendix C on page 249 for commonly used services and port numbers.
NBG5615 User’s Guide
159
Chapter 18 Firewall
160
NBG5615 User’s Guide
19.1 Overview
This chapter provides a brief overview of content filtering using the embedded web GUI.
Internet content filtering allows you to create and enforce Internet access policies tailored to your
needs. Content filtering is the ability to block certain web features or specific URL keywords.
19.1.1 What You Need To Know
The following terms and concepts may help as you read through this chapter.
Content Filtering Profiles
CHAPTER 19
Content Filtering
Content filtering allows you to block certain web features, such as cookies, and/or block access to
specific web sites. For example, you can configure one policy that blocks John Doe’s access to arts
and entertainment web pages.
A content filtering profile conveniently stores your custom settings for the following features.
Keyword Blocking URL Checking
The NBG5615 checks the URL’s domain name (or IP address) and file path separately when
performing keyword blocking.
The URL’s domain name or IP address is the characters that come before the first slash in the URL.
For example, with the URL www.zyxel.com.tw/news/pressroom.php
www.zyxel.com.tw
The file path is the characters that come after the first slash in the URL. For example, with the URL
www.zyxel.com.tw/news/pressroom.php
Since the NBG5615 checks the URL’s domain name (or IP address) and file path separately, it will
not find items that go across the two. For example, with the URL
pressroom.php, the NBG5615 would find “tw” in the domain name (www.zyxel.com.tw). It would
also find “news” in the file path (
.
, the file path is news/pressroom.php.
news/pressroom.php
) but it would not find “tw/news”.
, the domain name is
www.zyxel.com.tw/news/
19.2 Content Filter
Use this screen to restrict web features, add keywords for blocking and designate a trusted
computer. Click Security > Content Filter to open the Content Filter screen.
NBG5615 User’s Guide 161
Chapter 19 Content Filtering
Figure 96 Security > Content Filter
The following table describes the labels in this screen.
Table 65 Security > Content Filter
LABEL DESCRIPTION
Trusted IP Setup To enable this feature, type an IP address of any one of the computers in your network
Restrict Web
Features
ActiveX A tool for building dynamic and active Web pages and distributed object applications.
Java A programming language and development environment for building downloadable Web
Cookies Used by Web servers to track usage and provide service based on ID.
Web Proxy A server that acts as an intermediary between a user and the Internet to provide
Enable URL
Keyword Blocking
that you want to have as a trusted computer. This allows the trusted computer to have
full access to all features that are configured to be blocked by content filtering.
Leave this field blank to have no trusted computers.
Select the box(es) to restrict a feature. When you download a page containing a
restricted feature, that part of the web page will appear blank or grayed out.
When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser,
where they remain in case you visit the site again.
components or Internet and intranet business applications of all kinds.
security, administrative control, and caching service. When a proxy server is located on
the WAN it is possible for LAN users to circumvent content filtering by pointing to this
proxy server.
The NBG5615 can block Web sites with URLs that contain certain keywords in the domain
name or IP address. For example, if the keyword "bad" was enabled, all sites containing
this keyword in the domain name or IP address will be blocked, e.g., URL http://
www.website.com/bad.html would be blocked.
162
Select this check box to enable this feature.
Keyword Type a keyword in this field. You may use any character (up to 64 characters). Wildcards
are not allowed. You can also enter a numerical IP address.
Add Click Add after you have typed a keyword.
Repeat this procedure to add other keywords. Up to 64 keywords are allowed.
When you try to access a web page containing a keyword, you will get a message telling
you that the content filter is blocking this request.
NBG5615 User’s Guide
Loading...