ZyXEL P-2608HWL-D1, P-2608HWL-D3 Support Notes

P-2608HWL Series
Support Notes
Version 3.40
August 2006
P-2608HWL Series Support Notes
All contents copyright (c) 2005 ZyXEL Communications Corporation.
Index
Application Notes
  General Application Notes
    Internet Connection
    Set up the Prestige as a DHCP Relay
    Configure an Internal Server Behind The Prestige
    Configure a PPTP server Behind SUA
    Using NAT / Multi-NAT
    Introduction to Filter & Filter Examples
    Using the Dynamic DNS (DDNS)
    Network Management Using SNMP
    Using syslog
    Using IP Alias
    Using Call Scheduling
    Using IP Multicast
    Using traffic redirect
    Using Universal Plug n Play (UPnP)
  Wireless Application Notes
    Infrastructure mode
    Wireless MAC address filtering
    WEP (Wired Equivalent Privacy)
    Site Survey
  PSTN Lifeline Application Notes
    Usage of PSTN Lifeline
    Lifeline configuration
    Relay to PSTN
    How to connect Lifeline and DSL connection
  VoIP Application Notes
    SIP Account Setup
    Peer to Peer call
    Phone Port Settings
    Configuring Advanced Voice Settings
    Speed dial Phone book
    Voice - QoS setup
    Call Forwarding Setup
    Voice – Common Settings
    Group Ring
FAQ
  ZyNOS FAQ
    What is ZyNOS?
    How do I access the embedded web configurator?
    What is the default LAN IP address and Password? And, how do I change it?
    How do I upload the firmware via the web configurator?
    How do I upgrade/back up the firmware using an FTP client program through the LAN?
    How do I upload or back up the configuration file (the ROM file) via the web configurator?
    How do I back up/restore configurations using an FTP client program through the LAN?
    Why can't I Telnet into the Prestige from the WAN?
    What should I do if I forget the system password?
    What is SUA? When should I use SUA?
    What is the difference between NAT and SUA?
    How many network users does SUA/NAT support?
    What are Device and Protocol filters?
    Why can't I configure device filters or protocol filters?
  Product FAQ
    What is the Prestige Integrated Access Device?
    Will the Prestige work with my Internet connection?
    What do I need to use the Prestige?
    What is PPPoE?
    Does the Prestige support PPPoE?
    How do I know I am using PPPoE?
    Why does my provider use PPPoE?
    Which Internet Applications can I use with the Prestige?
    How can I configure the Prestige?
    What network interface types does the Prestige have?
    What can we do with Prestige?
    Does Prestige support dynamic IP addressing?
    What is the difference between the internal IP and the real IP from my ISP?
    How does e-mail work through the Prestige?
    Is it possible to access a server running behind the Prestige with SUA from the Internet? If possible, how?
    What DHCP capability does the Prestige support?
    How to use the reset button? And which parameter will be reset by the reset button?
    What network interface does the new Prestige series have?
    How does the Prestige support TFTP?
    Does the Prestige support TFTP over the WAN?
    How fast is the DSL connection?
    What is Multi-NAT?
    When do I need Multi-NAT?
    What IP/Port mapping does Multi-NAT support?
    What is the difference between SUA and Multi-NAT?
    What is BOOTP/DHCP?
    What is DDNS?
    When do I need the DDNS service?
    What DDNS servers does the Prestige support?
    What is DDNS wildcard?
    Does the Prestige support DDNS wildcard?
    Can VPN tunnels still work on a Prestige using SUA?
    How do I set up my Prestige to route IPsec packets over SUA?
  PSTN Lifeline FAQ
    What is P2608 and what is the meaning of L in the model name (for example P2608HWL-D1)?
    What is the Lifeline feature?
    Do I need Lifeline?
    Can I connect more than one phone to the phone port?
    Can I receive an incoming PSTN call through P2608HWL?
    Can I make a PSTN call through P2608HWL?
  VoIP FAQ
    What is Voice over IP?
    How does Voice over IP work?
    Why use VoIP?
    What is the relationship between codec and VoIP?
    What advantage does Voice over IP provide?
    What is the difference between H.323 and SIP?
    Can H.323 and SIP interoperate with one another?
    What is voice quality?
    How is voice quality normally rated?
    What is codec?
    What is the relation between codec and VoIP?
    What codec types does the Prestige support?
    Which codec should I choose?
    What do I need in order to use SIP?
    I am unable to register to a SIP server.
    I can register to the SIP server but cannot establish a call?
    I can receive a call but the voice traffic only goes one way, not both ways?
    I have tried all the troubleshooting steps, but still cannot register to the SIP server. What should I do next?
    What should I do if there may be a hardware problem with my Prestige?
  Firewall FAQ
    What is a network firewall?
    Why is the Prestige firewall secure?
    What are the basic firewall types?
    What advantages does the Prestige firewall provide?
    Why do you need a firewall when your router has built-in packet filtering and NAT features?
    What is a Denial of Service (DoS) attack?
    What is a Ping of Death attack?
    What is a Teardrop attack?
    What is a SYN Flood attack?
    What is a LAND attack?
    What is a Brute-force attack?
    What is an IP Spoofing attack?
    What are the default ACL firewall rules on the Prestige?
    How can I protect against IP spoofing attacks?
  Content Filter FAQ
  IPSec FAQ
    What is VPN?
    Why do I need a VPN?
    What are the most commonly used VPN protocols?
    What is PPTP?
    What is L2TP?
    What is IPSec?
    What secure protocols does IPSec support?
    What are the differences between the 'Transport mode' and 'Tunnel mode'?
    What is SA?
    What is IKE?
    What is a Pre-Shared Key?
    What are the differences between IKE and manual key VPN?
    What is the use of a Phase 1 ID?
    What are Local ID and Peer ID?
    When should I use FQDN?
    Is my Prestige ready for IPSec VPN?
    How do I configure VPN on the Prestige?
    How many VPN connections does the Prestige support?
    What VPN protocols are supported on the Prestige?
    What VPN encryption types are supported on the Prestige?
    What VPN authentication types does the Prestige support?
    I am planning my Prestige-to-Prestige VPN configuration. What do I need to know?
    Does the Prestige support dynamic secure gateway IP?
    Which VPN gateways have been tested to work with the Prestige?
    Which VPN client software has been tested to work with the Prestige?
    Will ZyXEL support Secure Remote Management?
    Does the Prestige VPN support NetBIOS broadcast?
    Are hosts behind NAT allowed to use IPSec?
    Why does VPN throughput decrease when my SMT screen stays at menu 24.1?
    Where can I configure Phase 1 ID on the Prestige?
    If I have a NAT router between two VPN gateways, and I would like to use IP type as Phase 1 ID, what information do I need?
    How can I keep a tunnel alive?
    Which IP address types (Single, Range or Subnet) does the Prestige VPN/IPSec support?
    Does the Prestige support IPSec passthrough?
    Can the Prestige work as a NAT router with IPSec passthrough and an IPSec gateway at the same time?
  Wireless FAQ
    What is a Wireless LAN?
    What are the advantages of Wireless LANs?
    What are the disadvantages of Wireless LANs?
    Where can I find wireless 802.11 networks?
    What is an Access Point?
    What is IEEE 802.11?
    What is IEEE 802.11b?
    How fast is IEEE 802.11b?
    What is IEEE 802.11a?
    What is IEEE 802.11g?
    Is it possible to use products from a variety of vendors?
    What is Wi-Fi?
    What types of devices use the 2.4GHz Band?
    Does the IEEE 802.11 interfere with Bluetooth devices?
    Can radio signals pass through walls?
    What factors may cause interference among WLAN products?
    What's the difference between a WLAN and a WWAN?
    What is Ad Hoc mode?
    What is Infrastructure mode?
    How many Access Points are required in a given area?
    What is the Direct-Sequence Spread Spectrum (DSSS) Technology?
    What is the Frequency-hopping Spread Spectrum (FHSS) Technology?
    Do I need the same kind of antenna on both sides of a link?
    Why use the 2.4 GHz Frequency range?
    What is a Server Set ID (SSID)?
    What is an ESSID?
    How do I secure data transmitted to/from an Access Point over the wireless connection?
    What is WEP?
    What is the difference between 40-bit and 64-bit WEP keys?
    What is a WEP key?
    A WEP key is a user-defined string of characters used to encrypt and decrypt data?
    Can the SSID be encrypted?
    By turning off SSID broadcasting, can someone still sniff the SSID?
    What are Insertion Attacks?
    What is a Wireless Sniffer?
    What is the difference between Open System and Shared Key Authentication Types?
    What is the difference between No authentication required, No access allowed and Authentication required?
    What is AAA?
    What is RADIUS?
    What is WPA?
    What is WPA-PSK?
Troubleshooting
  Using Embedded Packet Trace
  Debugging PPPoE Connection
CLI Command List
Application Notes
General Application Notes
Internet Connection
The following figure shows a typical Internet access application using the Prestige. Before accessing the Internet in an office environment, you must configure the Prestige as outlined below.
Before you begin
Setting up your Windows computer(s)
Setting up the Prestige router
Troubleshooting
Before you begin
The Prestige is shipped with the following factory defaults:
1. IP address = 192.168.1.1, subnet mask = 255.255.255.0 (24 bits)
2. DHCP server enabled with client IP address pool starting from 192.168.1.33
3. Default SMT login password = 1234
Setting up your Windows computer(s)
1. Ethernet connection
Your computer(s) must have an Ethernet card installed.
If you have only one computer, connect the computer to the LAN port on the Prestige using a crossover Ethernet cable (red).
If you have more than one computer, you must use a hub or switch to connect the computers to the LAN port on the Prestige using a straight-through Ethernet cable.
2. TCP/IP Installation
You must first install the TCP/IP software on each computer before you can use it for Internet access. If you have already installed TCP/IP, skip to the next section; otherwise, follow these steps to install the software:
In the Control Panel/Network window, click the Add button.
In the Select Network Component Type window, select Protocol and click Add.
In the Select Network Protocol window, select Microsoft from the manufacturers, then select TCP/IP from the Network Protocols and click OK.
3. TCP/IP Configuration
Follow these steps to configure Windows TCP/IP:
In the Control Panel/Network window, click the TCP/IP entry to select it and click the Properties button.
In the TCP/IP Properties window, select Obtain an IP address automatically.
Note: Do not assign an arbitrary IP address and subnet mask to your computers. Otherwise, you will not be able to access the Internet.
Click the WINS configuration tab and select Disable WINS Resolution.
Click the Gateway tab. Highlight any installed gateways and click the Remove button until there are none listed.
Click the DNS Configuration tab and select Disable DNS.
Click OK to save and close the TCP/IP properties window.
Click OK to close the Network window. You will be prompted to insert your Windows CD or disk.
When the drivers are updated, you will be asked if you want to restart the computer. Make sure your Prestige is powered on before clicking Yes. Repeat the above steps for each computer on your network.
Setting up the Prestige router
If you have a Single User Account (SUA), follow this procedure to configure the Prestige. You can use a web browser (such as IE) to access the embedded web server on the Prestige for device management. Before you log into the web management interface, make sure that no one is logged into the Prestige through Telnet or the console port.
1. Accessing the Prestige Web Management Interface
Open your web browser (such as IE) and enter the LAN IP address of the Prestige in the Address field. The default LAN IP address is 192.168.1.1.
2. First Login
A login screen displays. Enter the password and press Login. The default password is '1234' which is the same as the one you use to log into the SMT.
3. Use the WIZARD SETUP screens to configure Internet access settings on the Prestige.
The Internet access configuration screen varies depending on the Internet connection type you select. The following figure shows an example screen for PPPoE connection type.
Set up the Prestige as a DHCP Relay
What is DHCP Relay?
DHCP (Dynamic Host Configuration Protocol) allows a network device to obtain IP settings from a server. You can configure the P-2608 as a DHCP server or DHCP relay.
When the P-2608 is configured as a DHCP server, it assigns IP addresses to clients on the LAN. When the P-2608 acts as a DHCP relay, it forwards client DHCP requests to the DHCP server and forwards the responses from the DHCP server to the DHCP clients. The following figure shows an example.
Set up the Prestige as a DHCP Relay
1. In SMT menu 3.2, select Relay in the DHCP field and enter the IP address of the DHCP server in the Relay Server Address field.
Menu 3.2 - TCP/IP and DHCP Setup

 DHCP= Relay                            TCP/IP Setup:
 Client IP Pool:
   Starting Address= N/A                  IP Address= 192.168.1.1
   Size of Client IP Pool= N/A            IP Subnet Mask= 255.255.255.0
 First DNS Server= N/A                    RIP Direction= None
   IP Address= N/A                          Version= N/A
 Second DNS Server= N/A                   Multicast= None
   IP Address= N/A                        IP Policies=
 Third DNS Server= N/A                    Edit IP Alias= No
   IP Address= N/A
 DHCP Server Address= 192.168.1.2

 Press ENTER to Confirm or ESC to Cancel:
Configure an Internal Server behind The Prestige
Introduction
SUA makes your LAN appear as a single machine to the outside world. However, you can make a server (such as a web server, FTP server or mail server) behind the P-2608 accessible/visible to the outside world. A server behind the P-2608 cannot be set to be a DHCP client. That is, the server must use a fixed IP address so outside users can access the server using the static IP address.
A service is identified by its standard port number. You can allow public access to servers for specified services based on the port number. In addition, you can also set a default server behind SUA. Thus service requests that do not match any of the servers are forwarded to the default server. If you do not set a default SUA server, then the unknown service requests are simply discarded.
Configuration
To make an inside server visible to the outside world, specify the service port number and the IP address of the server in SMT menu 15.2.1: NAT Server Setup. Users use the WAN IP address of the Prestige to access the inside SUA servers. You can obtain the WAN IP address of the Prestige in SMT menu 24.1.
The following figure shows a configuration example to allow public access to an internal Web server:
Menu 15.2 - NAT Server Setup

 Rule   Start Port No.   End Port No.   IP Address
 ---------------------------------------------------
  1.    Default          Default        0.0.0.0
  2.    80               80             192.168.1.10
  3.    0                0              0.0.0.0
  4.    0                0              0.0.0.0
  5.    0                0              0.0.0.0
  6.    0                0              0.0.0.0
  7.    0                0              0.0.0.0
  8.    0                0              0.0.0.0
  9.    0                0              0.0.0.0
 10.    0                0              0.0.0.0
 11.    0                0              0.0.0.0
 12.    0                0              0.0.0.0

 Press ENTER to Confirm or ESC to Cancel:
The following table lists some common service port numbers.
Service                     Port Number
FTP                         21
Telnet                      23
SMTP                        25
DNS (Domain Name Server)    53
www-http (Web)              80
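
The forwarding behaviour described above (match a rule by port, otherwise fall back to the default server, otherwise discard), as an added Python example that is not ZyXEL code: it parses a table in the Menu 15.2 layout and lists what that table exposes to the WAN. The function names, sample rule 3 and the first-listed-rule-wins ordering are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of "Menu 15.2 - NAT Server Setup".
# Rule 2 is the page's web-server example; rule 3 is added for illustration.
SAMPLE_MENU = """\
Rule  Start Port No.  End Port No.  IP Address
---------------------------------------------------
1.    Default         Default       0.0.0.0
2.    80              80            192.168.1.10
3.    21              23            192.168.1.11
4.    0               0             0.0.0.0
"""

# Service names taken from the page's table of common port numbers.
COMMON_SERVICES = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "www-http"}

# One table row: "<rule>. <start> <end> <ip>", any amount of spacing.
ROW = re.compile(r"^\s*(\d+)\.\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
UNSET = ipaddress.ip_address("0.0.0.0")


def parse_nat_server_menu(text):
    """Return (default_server, rules); rules are (rule_no, start, end, ip).

    Rows whose address is 0.0.0.0 are treated as unused slots.
    """
    default_server, rules = None, []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title, header, separator or prompt line
        rule_no, start, end, addr = m.groups()
        ip = ipaddress.ip_address(addr)
        if start.lower() == "default":
            default_server = None if ip == UNSET else ip
            continue
        if ip == UNSET:
            continue
        lo, hi = int(start), int(end)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"rule {rule_no}: bad port range {start}-{end}")
        rules.append((int(rule_no), lo, hi, ip))
    return default_server, rules


def resolve(port, default_server, rules):
    """Internal host that receives an inbound request to `port`.

    Returns None when the request is discarded. Picking the first listed
    rule that matches is an assumption; the page does not state an order.
    """
    for _, lo, hi, ip in rules:
        if lo <= port <= hi:
            return ip
    return default_server


def audit(default_server, rules):
    """List what the table exposes to the WAN, one finding per string."""
    findings = []
    if default_server is not None:
        findings.append(
            f"default server {default_server}: receives every port no rule matches")
    for rule_no, lo, hi, ip in rules:
        names = [name for port, name in sorted(COMMON_SERVICES.items())
                 if lo <= port <= hi]
        scope = f"port {lo}" if lo == hi else f"ports {lo}-{hi}"
        label = ", ".join(names) if names else "no service from the page's list"
        findings.append(f"rule {rule_no}: {scope} -> {ip} ({label})")
        if not ip.is_private:
            findings.append(f"rule {rule_no}: {ip} is not a private LAN address")
    return findings


if __name__ == "__main__":
    default, table = parse_nat_server_menu(SAMPLE_MENU)
    for finding in audit(default, table):
        print(finding)
    for port in (80, 23, 25):
        print(port, "->", resolve(port, default, table) or "discarded")
```
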
Configure a PPTP server Behind SUA
Introduction
PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.
In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server.
Windows Dial-Up Networking uses the Internet standard Point-to-Point Protocol (PPP) to provide a secure, optimized multiple-protocol network connection over dial-up telephone lines. All data sent over this connection can be encrypted and compressed, and multiple network level protocols (TCP/IP, NetBEUI and IPX) can be run correctly. Windows NT Domain Login level security is preserved even across the Internet.
Windows 98 PPTP Client / Internet / NT RAS Server Protocol Stack
PPTP appears as a new modem type (Virtual Private Networking Adapter) that can be selected when setting up a connection in the Dial-Up Networking folder. The VPN Adapter type does not appear elsewhere in the system. Since PPTP encapsulates its data stream in the PPP protocol, VPN requires a second dial-up adapter. This second dial-up adapter for VPN is added during the installation phase of the Upgrade in addition to the first dial-up adapter that provides PPP support for the analog or ISDN modem.
PPTP is already supported in Windows NT and Windows 98. For Windows 95, a software upgrade with Dial-Up Networking 1.2 is required.
Configuration
This application note explains how to establish a PPTP connection to a remote private network on the Prestige with SUA enabled. In ZyNOS, all PPTP packets are forwarded to the internal PPTP Server (Windows NT server) behind SUA. You must specify the PPTP port number in SMT menu 15 for the Prestige to forward the packets to the intended Windows NT server using the private IP address.
Example
The following example shows how to dial to an ISP via the Prestige and then establish a tunnel to a private network. You need to configure the settings on the PPTP server (Windows NT server), the PPTP client (Windows 9x) and the Prestige to set up the PPTP application. The following summarizes the setting for the corresponding PPTP device.
o PPTP server setup (Windows NT)
   - Create a new VPN service in Control Panel > Network.
   - Create a new PPTP user account.
   - Enable the RAS port.
   - Select a network protocol (such as IPX, TCP/IP or NetBEUI) for the RAS port.
   - Set the Prestige as the Internet gateway.
o PPTP client setup (Windows 9x)
In Dial-up Networking, create a secure VPN connection through the Prestige (using the WAN IP address) and enter the correct user name and password to log into the Windows NT RAS server.
Set the Prestige that connects to the ISP as the Internet gateway.
o Prestige Setup
Before establishing a secure VPN connection from the PPTP client to the PPTP server, you must first connect the Prestige to the ISP for Internet access.
Enter the IP address and the port number of the PPTP server to allow public access to the server behind the Prestige. The following shows a configuration example.
Menu 15.2 - NAT Server Setup
Rule Start Port No. End Port No. IP Address
---------------------------------------------------
1. Default Default 0.0.0.0
2. 80 80 192.168.1.10
3. 0 0 0.0.0.0
4. 0 0 0.0.0.0
5. 0 0 0.0.0.0
6. 0 0 0.0.0.0
7. 0 0 0.0.0.0
8. 0 0 0.0.0.0
9. 0 0 0.0.0.0
10. 0 0 0.0.0.0
11. 0 0 0.0.0.0
12. 0 0 0.0.0.0
Press ENTER to Confirm or ESC to Cancel:
After you have set the settings to allow public access to the PPTP server, test the connection from the PPTP client to the PPTP server. You can use Ping to check that the PPTP client can reach the PPTP
server over the Internet connection. For example, enter "ping 203.66.113.2" if the WAN IP address of the Prestige is 203.66.113.2.
Once the connection is up, you can establish a secure VPN connection from the PPTP client to the ISP. The default gateway is then used to route the traffic between the PPTP client and the server.
However, before you can establish a secure VPN connection from the PPTP client to the PPTP server, you need to know the WAN IP address of the Prestige which is set to use the SUA feature. Depending on your Internet account type and ISP, the Prestige WAN IP address is either fixed (static) or dynamic (different each time). You need to enter the WAN IP address of the Prestige in the VPN dial-up connection screen. You can check the WAN IP address of the Prestige in SMT menu 24.1.
The following figure shows an example VPN dial-up screen. The VPN Server field is 140.113.1.225 which is a dynamic IP address assigned to the Prestige by the ISP. Make sure you enter the WAN IP address of the Prestige correctly; otherwise, the VPN connection will fail.
Using NAT / Multi-NAT
What is Multi-NAT?
NAT (Network Address Translation, RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. Inside and outside networks are networks relative to the Prestige. The network connected behind the Prestige is the "inside network" while the remote network (such as the Internet) is the "outside network". When a packet is received from the inside hosts, NAT maps and changes the source IP address of the received packets to one or more IP addresses known to the outside network. When a packet is received from the outside network, NAT unmaps and changes the outside source IP address back to the local IP address known to the inside network. The Prestige WAN IP address for NAT can be static (fixed) or dynamically assigned by the ISP. In addition, you can also make one or more servers on the inside network visible/accessible to the outside network. If no specified inside server is defined, NAT provides an added layer of security to filter traffic to the Prestige and prevent network probing/port scanning.
With SUA (Single User Account) support, the Prestige maps the private (local) IP addresses to one global (WAN) IP address. This means you can only have one NAT behind the Prestige. To allow more than one NAT behind the Prestige, RFC 1631, The IP Network Address Translator (NAT), is implemented in ZyNOS V3.40 for the Prestige. This feature is also known as Multi-NAT. For more information, refer to RFC 1631.
How NAT works
Internal Local Addresses (ILA) refer to the local or private IP addresses known to the local network and Inside Global Address (IGA) refers to the public or global IP address known to the outside network. The following figure shows a network example. NAT operates by mapping the ILA to the IGA required for communication with hosts on other networks. That means NAT replaces the original source IP address in the packets with the global IP address. To the outside network, this makes the packets look as if they originate from the Prestige and not from the inside computers. The Prestige keeps a record of the ILA-IGA mappings so packets received from the outside network can be forwarded to the intended computer on the inside network.
1. NAT Mapping Types
The following describes the NAT mapping types.
2. One to One
In One-to-One mode, the Prestige maps one ILA to one IGA.
3. Many to One
In Many-to-One mode, the Prestige maps multiple ILAs to one IGA. This is equivalent to SUA (or PAT, Port Address Translation). ZyXEL's Single User Account (SUA) feature is also supported on routers with the previous ZyNOS version. You can select to use SUA or multi-NAT in ZyXEL routers with ZyNOS V3.40.
4. Many to Many Overload
In Many-to-Many Overload mode, the Prestige maps multiple ILAs to a shared IGA.
5. Many to Many No Overload
In Many-to-Many No Overload mode, the Prestige maps each ILA to a unique IGA.
Server
In Server mode, the Prestige maps multiple inside servers to one global IP address. This allows you to specify multiple servers for various services behind the Prestige for access from the outside. If you want to map each server to one unique IGA, you must use the One-to-One mode.
The following table summarizes the NAT types.
NAT Type | IP Mapping | Mapping Direction
One-to-One | ILA1<--->IGA1 | Both
Many-to-One (SUA/PAT) | ILA1---->IGA1 ILA2---->IGA1 ... | Outgoing
Many-to-Many Overload | ILA1---->IGA1 ILA2---->IGA2 ILA3---->IGA1 ILA4---->IGA2 ... | Outgoing
Many-to-Many No Overload (Allocate by Connections) | ILA1---->IGA1 ILA2---->IGA3 ILA3---->IGA2 ILA4---->IGA4 ... | Outgoing
Server | Server 1 IP<----IGA1 Server 2 IP<----IGA1 | Incoming
SUA Versus NAT
ZyXEL's SUA (Single User Account) implementation in the previous ZyNOS versions is similar to having two NAT modes: Many-to-One and Server. With the Full Feature NAT support in ZyNOS v3.40, the Prestige is able to map global IP addresses to local IP addresses. With multiple global IP addresses, multiple servers of the same type (e.g., FTP servers) are allowed on the LAN for outside access. In previous ZyNOS versions, you can configure multiple SUA inside servers based on the service ports. However, the SUA inside server settings are limited to one set per remote node. On the Prestige, you can configure multiple NAT entries for each remote node (up to eight). In SMT menu 15.1.1, the default SUA inside server (read-only) Many-to-One mapping setting is pre-configured for users who are already familiar with the SUA feature in the previous ZyNOS versions.
SMT Menus
1. Applying NAT in the SMT Menus
You can apply NAT in SMT menus 4 and 11.3. The following figure shows how you can set the NAT field in SMT menu 4. From the Main Menu, enter 4 to display SMT menu 4-Internet Access Setup.
Menu 4 - Internet Access Setup
ISP's Name= MyISP
Encapsulation= PPPoE
Multiplexing= LLC-based
VPI #= 0
VCI #= 33
ATM QoS Type= UBR
Peak Cell Rate (PCR)= 0
Sustain Cell Rate (SCR)= 0
Maximum Burst Size (MBS)= 0
My Login= cso@zyxel.net
My Password= ********
Idle Timeout (sec)= 0
IP Address Assignment= Dynamic
IP Address= N/A
Network Address Translation= Full Feature
Address Mapping Set= 1
Press ENTER to Confirm or ESC to Cancel:
The following table describes the options for the Network Address Translation field.
Field | Options | Description
Network Address Translation | Full Feature | When you select this option, the SMT will use Address Mapping Set 1 (in SMT menu 15.1; see the following section for more information).
Network Address Translation | None | NAT is disabled when you select this option.
Network Address Translation | SUA Only | When you select this option, the SMT uses Address Mapping Set 255 (in SMT menu 15.1; see the following section for more information). This is equivalent to the Many-to-One Overload mapping type. The default SUA server setting is set to use IGA 0.0.0.0. SUA only should work for most network environments. If you want to use other mapping types, select Full Feature instead.
Table: Applying NAT in Menu 4 and Menu 11.3
2. Configuring NAT
To configure NAT, enter 15 from the Main Menu to display the following screen.
Menu 15 - NAT Setup
1. Address Mapping Sets
2. NAT Server Sets
3. Address Mapping Sets and NAT Server Sets
Use the Address Mapping Sets menu and submenus to create the mapping table used to replace the source IP address in the packets from inside computers with the global addresses. You must specify a NAT address mapping set for each remote node. Since the P2608HWL Series has eight remote nodes, you need to configure eight NAT address mapping sets. Although there are nine NAT address mapping sets in SMT menu 15.1, you can only configure eight sets (numbered 1 to 8). The ninth set (with the index number of 255) is used for SUA. Thus if you select Full Feature NAT in SMT menu 4 or 11.3, NAT address mapping sets 1 to 8 are used. If you select SUA Only, then the SMT uses mapping set 255 in menu 15.2.
The NAT Server Set is a list of inside servers (on that LAN) that the Prestige maps to external ports. To apply a NAT Server Set on the Prestige, configure a server rule in the server set menu. Refer to NAT Server Sets for more information on the related configuration menus.
From SMT menu 15, enter 1 to display menu 15.1-Address Mapping Sets as shown.
Menu 15.1 - Address Mapping Sets
1.
2.
3.
4.
5.
6.
7.
8.
255. SUA (read only)
Enter Set Number to Edit:
The following figure shows the address mapping rules for set 255. NAT address mapping set 255 is used for SUA only and is equivalent to the SUA feature in ZyXEL routers with pre-ZyNOS v3.40 versions. You cannot change the fields in this screen.
Menu 15.1.1 - Address Mapping Rules
Set Name= SUA
Idx Local Start IP Local End IP Global Start IP Global End IP Type
--- --------------- --------------- --------------- --------------- ------
1. 0.0.0.0 255.255.255.255 0.0.0.0 M-1
2. 0.0.0.0 Server
3.
4.
5.
6.
7.
8.
9.
10.
Press ENTER to Confirm or ESC to Cancel:
The following table explains the read-only fields in this screen.
Field | Description | Option/Example
Set Name | This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create. | SUA
Idx | This is the index or rule number. | 1
Local Start IP | This is the starting local IP address (ILA). | 0.0.0.0 for the Many-to-One type.
Local End IP | This is the ending local IP address (ILA). If the rule is for all local IP addresses, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255. | 255.255.255.255
Global Start IP | This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0. | 0.0.0.0
Global End IP | This is the ending global IP address (IGA). | N/A
Type | This is the NAT mapping type. | Many-to-One and Server
Note that you cannot change the fields in this screen. However, you can change the settings for server set 1 in SMT menu 15.1.1. Enter 1 in SMT menu 15.1 to display the configuration screen as shown.
Menu 15.1.1 - Address Mapping Rules
Set Name= ?
Idx Local Start IP Local End IP Global Start IP Global End IP Type
--- --------------- --------------- --------------- --------------- ------
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Action= Edit , Select Rule= 0
Press ENTER to Confirm or ESC to Cancel:
Different from the read-only menu for SUA, you can change the settings in this screen. There are also extra fields in this screen: Action and Select Rule. Note that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. The description of the other fields is as described in the following table. The Type, Local and Global Start/End IPs are configured in Menu 15.1.1 (described later) and the values are displayed here.
Field | Description | Option
Set Name | Enter a name for this set of rules. This is a required field. Note: If this field is left blank, the set will be deleted. | Rule1
Action | You can specify the action on the rules. The default is Edit to modify the rule you select in the Select Rule field below. Insert Before allows you to insert a new rule before the rule selected. The rule after the selected rule will then be moved down by one rule. Delete means to remove the selected rule and then all the rules after the selected one will be advanced one rule. Save Set allows you to save the settings of the address mapping set (note that when you choose this action, the Select Rule field is not applicable). | Edit, Insert Before, Delete, Save Set
Select Rule | When you choose Edit, Insert Before or Save Set in the Action field above, the cursor automatically relocates to this field to allow you to select the number of the rule to which the action is applied. | 1
Note: To save the settings of the address mapping set, select Save Set in the Action field. It is recommended that you save the settings every time you make any changes to the address mapping set (this includes deleting a rule). The changes will not take effect until you save the settings. Ordering of the rules is important as rules are applied from top (smallest index number) to bottom.
To change the settings of a rule, select Edit in the Action field and then enter the rule index number in the Select Rule field. The Menu 15.1.1.1-Address Mapping Rule screen displays in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs.
Menu 15.1.1.1 - - Rule 1
Type: One-to-One
Local IP:
Start= 0.0.0.0
End = N/A
Global IP:
Start= 0.0.0.0
End = N/A
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Field | Description | Option/Example
Type | Press [SPACEBAR] to select a mapping type. The various mapping types are discussed in the previous section. The following sections show you some configuration examples. | One-to-One, Many-to-One, Many-to-Many Overload, Many-to-Many No Overload, Server
Local IP: Start | This is the starting local IP address (ILA). | 0.0.0.0
Local IP: End | This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One type. | 255.255.255.255
Global IP: Start | This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. | 0.0.0.0
Global IP: End | This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types. | 200.1.1.64
Note: For all Local and Global IPs, the End IP address must begin after the IP Start address. Thus you cannot have an End IP address that begins before the Start IP address.
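The rule fields and top-to-bottom ordering described above can be checked offline with a small model. This is an added example, not ZyNOS code: the class, the type labels and the sample addresses are assumptions, and the Many-to-Many allocation order is inferred from the summary table.

```python
from ipaddress import IPv4Address as IP

KINDS = ("1-1", "M-1", "M-M Ov", "M-M No")   # outgoing types; Server is incoming only

class Rule:
    def __init__(self, kind, l_start, l_end=None, g_start="0.0.0.0", g_end=None):
        if kind not in KINDS:
            raise ValueError(f"unknown type {kind!r}")
        if g_end and kind in ("1-1", "M-1"):
            raise ValueError("Global End IP is N/A for this type")
        self.kind = kind
        self.lo, self.hi = IP(l_start), IP(l_end or l_start)
        g_lo, g_hi = IP(g_start), IP(g_end or g_start)
        # Note above: an End IP may not come before its Start IP.
        if self.hi < self.lo or g_hi < g_lo:
            raise ValueError("End IP precedes Start IP")
        self.pool = [g_lo + i for i in range(int(g_hi) - int(g_lo) + 1)]
        self.bound = {}                      # ILA -> IGA, in order of first use

    def matches(self, ila):
        return self.lo <= IP(ila) <= self.hi

    def map(self, ila):
        if ila not in self.bound:
            n = len(self.bound)
            if self.kind == "M-M Ov":        # IGAs are shared in rotation
                self.bound[ila] = self.pool[n % len(self.pool)]
            elif self.kind == "M-M No":      # one IGA per ILA; None when used up
                self.bound[ila] = self.pool[n] if n < len(self.pool) else None
            else:                            # 1-1 and M-1 use the single IGA
                self.bound[ila] = self.pool[0]
        return self.bound[ila]

def translate(rules, ila):
    """Return (rule index, IGA) from the first rule whose local range holds ila."""
    for idx, rule in enumerate(rules, start=1):
        if rule.matches(ila):
            iga = rule.map(ila)
            return idx, None if iga is None else str(iga)
    return None, None

def build(order):
    # Constructed sample set; all addresses are illustrative.
    rules = {"host": Rule("1-1", "192.168.1.10", g_start="200.1.1.61"),
             "pool": Rule("M-M Ov", "192.168.1.20", "192.168.1.29",
                          "200.1.1.62", "200.1.1.63"),
             "rest": Rule("M-1", "0.0.0.0", "255.255.255.255", "200.1.1.64")}
    return [rules[name] for name in order]

if __name__ == "__main__":
    good = build(["host", "pool", "rest"])
    for h in ("192.168.1.10", "192.168.1.20", "192.168.1.21", "192.168.1.99"):
        print(h, translate(good, h))
    # Catch-all first: the One-to-One rule below it is never reached.
    print(translate(build(["rest", "host", "pool"]), "192.168.1.10"))
```

Placing the catch-all Many-to-One rule first sends 192.168.1.10 out under the shared address, so a rule set should be reviewed in index order before Save Set.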
NAT Server Sets
A NAT Server Set is a list of LAN server to external port mappings. (This is similar to the SUA menu in the pre-ZyNOS v3.40 SMT.) Even though NAT makes your network appear as a single machine to the outside world, you can allow public access to the servers behind NAT. These servers (such as web or FTP servers) will be visible to the external users. A server is identified by a service port number. For example, the Web service runs on port 80 and FTP on port 21.
The following figure shows a network example where there is a web server (192.168.1.36) using port 80 and an FTP server (192.168.1.33) using port 21 in the local network behind NAT.
Note that you can have more than one service running on the same server. This means that a server can provide both FTP and mail services while another dedicated server provides only the web service.
The procedure below shows you how to configure an inside server behind NAT.
Step 1. From the main menu, enter 15 to go to SMT Menu 15-NAT Setup.
Step 2. Enter 2 to go to Menu 15.2.1-NAT Server Setup.
Step 3. Enter a service port number in the Port No. field and the IP address of the server in the IP Address field.
Step 4. Press [SPACEBAR] at the 'Press ENTER to confirm...' prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel.
Menu 15.2 - NAT Server Setup (Used for SUA Only)
Rule Start Port No. End Port No. IP Address
---------------------------------------------------
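Every active rule in a Menu 15.2 screen, here and in the PPTP note earlier, is a port reachable from the Internet, so a saved copy of the screen is worth reviewing. The following is an added example, not ZyXEL code: the sample screen is constructed, the function names and the 100-port threshold are assumptions, and it assumes the Default rule receives ports that no other rule names.

```python
import ipaddress
import re

# Names from the service port table in this note; 1723 (PPTP control) is added.
SERVICES = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP", 1723: "PPTP"}
CLEARTEXT = (21, 23)      # logins cross the Internet unencrypted
WIDE_RANGE = 100          # assumed limit on ports forwarded by a single rule
RULE_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)\s+(\S+)\s+(\d+(?:\.\d+){3})\s*$")

# Constructed screen in the Menu 15.2 layout; not captured from a device.
SAMPLE = """\
Menu 15.2 - NAT Server Setup
Rule Start Port No. End Port No. IP Address
---------------------------------------------------
1. Default Default 192.168.1.10
2. 80 80 192.168.1.36
3. 21 21 192.168.1.33
4. 1723 1723 192.168.1.10
5. 5000 5200 192.168.1.33
6. 0 0 0.0.0.0
Press ENTER to Confirm or ESC to Cancel:
"""

def parse_server_set(screen):
    """Return active rules as (idx, start, end, ip); start/end are None for Default."""
    rules = []
    for line in screen.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                          # title, header, rule line, prompt
        idx, start, end, ip = m.groups()
        if ip == "0.0.0.0":                   # unused slot
            continue
        ipaddress.IPv4Address(ip)             # raises on a malformed address
        if start == "Default":
            rules.append((int(idx), None, None, ip))
            continue
        lo, hi = int(start), int(end)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"rule {idx}: bad port range {start}-{end}")
        rules.append((int(idx), lo, hi, ip))
    return rules

def audit(rules):
    """Return (rule index, finding kind, detail) for exposures worth a review."""
    findings = []
    for idx, lo, hi, ip in rules:
        if lo is None:
            findings.append((idx, "default-server", f"all unlisted ports reach {ip}"))
            continue
        for port in CLEARTEXT:
            if lo <= port <= hi:
                findings.append((idx, "cleartext", f"{SERVICES[port]} ({port}) on {ip}"))
        if hi - lo + 1 > WIDE_RANGE:
            findings.append((idx, "wide-range", f"{hi - lo + 1} ports to {ip}"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_server_set(SAMPLE)):
        print(finding)
```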