ZyXEL X550NH Users Manual

PART VI

Appendices and

Index

Product Specifications and Wall-Mounting Instructions (273)

Pop-up Windows, JavaScripts and Java Permissions (279)

IP Addresses and Subnetting (285)

Setting up Your Computer’s IP Address (293)

Wireless LANs (309)

Services (321)

Legal Information (325)

Customer Support (329)

Index (335)

271

272

APPENDIX A

Product Specifications and Wall-

Mounting Instructions

The following tables summarize the NBG460N’s hardware and firmware features.

Table 113 Hardware Features

Dimensions (W x D x H) 190 x 150 x 33 mm

Weight 362g

Power Specification Input: 120~240 AC, 50~60 Hz

Output: 18 V DC 1A

Ethernet ports Auto-negotiating: 10 Mbps, 100 Mbps or 1000Mbps in either half-duplex or

4-5 Gigabit Port Switch A combination of switch and router makes your NBG460N a cost-effective

LEDs PWR, LAN1-4, WAN, WLAN, WPS

Reset Button The reset button is built into the rear panel. Use this button to restore the

WPS button Press the WPS on two WPS enabled devices within 120 seconds for a

Antenna The NBG460N is equipped with three 2dBi (2.4GHz) detachable antennas

Operation Environment Temperature: 0º C ~ 40º C

Storage Environment Temperature: -20º C ~ 60º C

Distance between the
centers of the holes on
the device’s back.

Screw size for wall­mounting

full-duplex mode.
Auto-crossover: Use either crossover or straight-through Ethernet cables.

and viable network solution. You can add up to four computers to the
NBG460N without the cost of a hub when connecting to the Internet through
the WAN port. You can add up to five computers to the NBG460N when you
connect to the Internet in AP mode. Add more than four computers to your
LAN by using a hub.

NBG460N to its factory default settings. Press for 1 second to restart the
device. Press for 5 seconds to restore to factory default settings.

security-enabled wireless connection.

to provide clear radio transmission and reception on the wireless network.

Humidity: 20% ~ 85% RH (Non-condensing)

Humidity: 20% ~ 90% RH (Non-condensing)

137 mm

M4 Tap Screw

NBG460N User’s Guide

273

Appendix A Product Specifications and Wall-Mounting Instructions

Table 114 Firmware Features

FEATURE DESCRIPTION

Default IP Address 192.168.1.1

Default Subnet Mask 255.255.255.0 (24 bits)

Default Password 1234

DHCP Pool 192.168.1.33 to 192.168.1.64

Wireless Interface Wireless LAN

Default Wireless SSID Wireless LAN: ZyXEL

Wireless LAN when WPS enabled: ZyXEL WPS

Default Wireless IP Address Wireless LAN: Same as LAN (192.168.1.1)

Default Wireless Subnet
Mask

Default Wireless DHCP
Pool Size

Device Management Use the web configurator to easily configure the rich range of features on

Wireless Functionality Allows IEEE 802.11b and/or IEEE 802.11g and/or IEEE 802.11n wireless

Wireless LAN: Same as LAN (255.255.255.0)

Wireless LAN: Same as LAN (32 from 192.168.1.33 to 192.168.1.64)

the NBG460N.

clients to connect to the NBG460N wirelessly. Enable wireless security
(WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your
wireless network.

Note: The NBG460N may be prone to RF (Radio

Frequency) interference from other 2.4 GHz devices
such as microwave ovens, wireless phones,
Bluetooth enabled devices, and other wireless LANs.

Firmware Upgrade Download new firmware (when available) from the ZyXEL web site and

use the web configurator, an FTP or a TFTP tool to put it on the
NBG460N.

Note: Only upload firmware for your specific model!

Configuration Backup &
Restoration

Network Address
Translation (NAT)

Firewall You can configure firewall on the NBG460N for secure Internet access.

Content Filter The NBG460N blocks or allows access to web sites that you specify and

Make a copy of the NBG460N’s configuration and put it back on the
NBG460N later if you decide you want to revert back to an earlier
configuration.

Each computer on your network must have its own unique IP address.
Use NAT to convert a single public IP address to multiple private IP
addresses for the computers on your network.

When the firewall is on, by default, all incoming traffic from the Internet to
your network is blocked unless it is initiated from your network. This
means that probes from the outside to your network are not allowed, but
you can safely browse the Internet and download files for example.

blocks access to web sites with URLs that contain keywords that you
specify. You can define time periods and days during which content
filtering is enabled. You can also include or exclude particular computers
on your network from content filtering.

You can also subscribe to category-based content filtering that allows
your NBG460N to check web sites against an external database.

274

NBG460N User’s Guide

Appendix A Product Specifications and Wall-Mounting Instructions

Table 114 Firmware Features

FEATURE DESCRIPTION

IPSec VPN This allows you to establish a secure Virtual Private Network (VPN)

Bandwidth Management You can efficiently manage traffic on your network by reserving

Wireless LAN Scheduler You can schedule the times the Wireless LAN is enabled/disabled.

Time and Date Get the current time and date from an external server when you turn on

Port Forwarding If you have a server (mail or web server for example) on your network,

DHCP (Dynamic Host
Configuration Protocol)

Dynamic DNS Support With Dynamic DNS (Domain Name System) support, you can use a

IP Multicast IP Multicast is used to send traffic to a specific group of computers. The

IP Alias IP Alias allows you to subdivide a physical network into logical networks

Logging and Tracing Use packet tracing and logs for troubleshooting. You can send logs from

PPPoE PPPoE mimics a dial-up Internet access connection.

PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) enables secure transfer of

Universal Plug and Play
(UPnP)

tunnel to connect with business partners and branch offices using data
encryption and the Internet without the expense of leased site-to-site
lines. The NBG460N VPN is based on the IPSec standard and is fully
interoperable with other IPSec-based VPN products.

bandwidth and giving priority to certain types of traffic and/or to particular
computers.

your NBG460N. You can also set the time manually. These dates and
times are then used in logs.

then use this feature to let people access it from the Internet.

Use this feature to have the NBG460N assign IP addresses, an IP
default gateway and DNS servers to computers on your network.

fixed URL, www.zyxel.com for example, with a dynamic IP address. You
must register for this service with a Dynamic DNS service provider.

NBG460N supports versions 1 and 2 of IGMP (Internet Group
Management Protocol) used to join multicast groups (see RFC 2236).

over the same Ethernet interface with the NBG460N itself as the
gateway for each subnet.

the NBG460N to an external syslog server.

data through a Virtual Private Network (VPN). The NBG460N supports
one PPTP connection at a time.

The NBG460N can communicate with other UPnP enabled devices in a
network.

Table 115 Feature Specifications

FEATURE SPECIFICATION

Number of Static Routes 8

Number of Port Forwarding Rules 10

Number of NAT Sessions 16000

Number of Address Mapping Rules 10

Number of VPN Tunnels 2

Number of Bandwidth Management
Classes

Number of DNS Name Server Record
Entries

NBG460N User’s Guide

3

3

275

Appendix A Product Specifications and Wall-Mounting Instructions

"

The following list, which is not exhaustive, illustrates the standards supported in the
NBG460N.

Table 116 Standards Supported

STANDARD DESCRIPTION

RFC 867 Daytime Protocol

RFC 868 Time Protocol.

RFC 1058 RIP-1 (Routing Information Protocol)

RFC 1112 IGMP v1

RFC 1305 Network Time Protocol (NTP version 3)

RFC 1631 IP Network Address Translator (NAT)

RFC 1723 RIP-2 (Routing Information Protocol)

RFC 2236 Internet Group Management Protocol, Version 2.

RFC 2516 A Method for Transmitting PPP Over Ethernet (PPPoE)

RFC 2766 Network Address Translation - Protocol

IEEE 802.11 Also known by the brand Wi-Fi, denotes a set of Wireless LAN/WLAN

IEEE 802.11b Uses the 2.4 gigahertz (GHz) band

IEEE 802.11g Uses the 2.4 gigahertz (GHz) band

IEEE 802.11n

IEEE 802.11d Standard for Local and Metropolitan Area Networks: Media Access

IEEE 802.11x Port Based Network Access Control.

IEEE 802.11e QoS IEEE 802.11 e Wireless LAN for Quality of Service

Microsoft PPTP MS PPTP (Microsoft's implementation of Point to Point Tunneling

MBM v2 Media Bandwidth Management v2

standards developed by working group 11 of the IEEE LAN/MAN
Standards Committee (IEEE 802).

Control (MAC) Bridges

Protocol)

Wall-mounting Instructions

Do the following to hang your NBG460N on a wall.

See the Figure 167 on page 278 for the size of screws to use and how far
apart to place them.

1 Locate a high position on a wall that is free of obstructions. Use a sturdy wall.
2 Drill two holes for the screws. Make sure the distance between the centers of the holes

matches what is listed in the product specifications appendix.

276

NBG460N User’s Guide

1

Appendix A Product Specifications and Wall-Mounting Instructions

Be careful to avoid damaging pipes or cables located inside the wall when
drilling holes for the screws.

3 Do not screw the screws all the way into the wall. Leave a small gap of about 0.5 cm

between the heads of the screws and the wall.

4 Make sure the screws are snugly fastened to the wall. They need to hold the weight of

the NBG460N with the connection cables.

5 Align the holes on the back of the NBG460N with the screws on the wall. Hang the

NBG460N on the screws.

Figure 166 Wall-mounting Example

The following are dimensions of an M4 tap screw and masonry plug used for wall mounting.
All measurements are in millimeters (mm).

NBG460N User’s Guide

277

Appendix A Product Specifications and Wall-Mounting Instructions

Figure 167 Masonry Plug and M4 Tap Screw

278

NBG460N User’s Guide

APPENDIX B

"

Pop-up Windows, JavaScripts

and Java Permissions

In order to use the web configurator you need to allow:

• Web browser pop-up windows from your device.

• JavaScripts (enabled by default).

• Java permissions (enabled by default).

Internet Explorer 6 screens are used here. Screens for other Internet Explorer
versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device.

Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or
allow pop-up blocking and create an exception for your device’s IP address.

Disable pop-up Blockers

1 In Internet Explorer, select Too ls , Pop-up Blocker and then select Turn Off Pop-up

Blocker.

Figure 168 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the
Privacy tab.

1 In Internet Explorer, select Too ls , Internet Options, Privacy.

NBG460N User’s Guide

279

Appendix B Pop-up Windows, JavaScripts and Java Permissions

2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This

disables any web pop-up blockers you may have enabled.

Figure 169 Internet Options: Privacy

3 Click Apply to save this setting.

Enable pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following
steps.

1 In Internet Explorer, select Too ls , Internet Options and then the Privacy tab.
2 Select Settings…to open the Pop-up Blocker Settings screen.

280

NBG460N User’s Guide

Appendix B Pop-up Windows, JavaScripts and Java Permissions

Figure 170 Internet Options: Privacy

3 Type the IP address of your device (the web page that you do not want to have blocked)

with the prefix “http://”. For example, http://192.168.167.1.

4 Click Add to move the IP address to the list of Allowed sites.

Figure 171 Pop-up Blocker Settings

NBG460N User’s Guide

281

Appendix B Pop-up Windows, JavaScripts and Java Permissions

5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.

JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that
JavaScripts are allowed.

1 In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 172 Internet Options: Security

282

2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.

NBG460N User’s Guide

Appendix B Pop-up Windows, JavaScripts and Java Permissions

Figure 173 Security Settings - Java Scripting

Java Permissions

1 From Internet Explorer, click Too ls , Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.

Figure 174 Security Settings - Java

NBG460N User’s Guide

283

Appendix B Pop-up Windows, JavaScripts and Java Permissions

JAVA (Sun)

1 From Internet Explorer, click Too ls , Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.

Figure 175 Java (Sun)

284

NBG460N User’s Guide

APPENDIX C

IP Addresses and Subnetting

This appendix introduces IP addresses and subnet masks.

IP addresses identify individual devices on a network. Every networking device (including
computers, servers, routers, printers, etc.) needs an IP address to communicate across the
network. These networking devices are also known as hosts.

Subnet masks determine the maximum number of possible hosts on a network. You can also
use subnet masks to divide one network into multiple sub-networks.

Introduction to IP Addresses

One part of the IP address is the network number, and the other part is the host ID. In the same
way that houses on a street share a common street name, the hosts on a network share a
common network number. Similarly, as each house has its own house number, each host on the
network has its own unique identifying number - the host ID. Routers use the network number
to send packets to the correct network, while the host ID determines to which host on the
network the packets are delivered.

Structure

An IP address is made up of four parts, written in dotted decimal notation (for example,

192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary
number (for example 11000000, which is 192 in decimal notation).

Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in
decimal.

The following figure shows an example IP address in which the first three octets (192.168.1)
are the network number, and the fourth octet (16) is the host ID.

NBG460N User’s Guide

285

Appendix C IP Addresses and Subnetting

Figure 176 Network Number and Host ID

How much of the IP address is the network number and how much is the host ID varies
according to the subnet mask.

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits
are part of the host ID (using a logical AND operation). The term “subnet” is short for “sub­network”.

A subnet mask has 32 bits. If a bit in the subnet mask is a “1” then the corresponding bit in the
IP address is part of the network number. If a bit in the subnet mask is “0” then the
corresponding bit in the IP address is part of the host ID.

The following example shows a subnet mask identifying the network number (in bold text)
and host ID of an IP address (192.168.1.2 in decimal).

Table 117 Subnet Mask - Identifying Network Number

IP Address (Binary) 11000000 10101000 00000001 00000010

Subnet Mask (Binary) 11111111 11111111 11111111 00000000

Network Number 11000000 10101000 00000001

Host ID 00000010

By convention, subnet masks always consist of a continuous sequence of ones beginning from
the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of
32 bits.

1ST OCTET:
(192)

2ND
OCTET:
(168)

3RD
OCTET:
(1)

4TH OCTET
(2)

286

Subnet masks can be referred to by the size of the network number part (the bits with a “1”
value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the
remaining 24 bits are zeroes.

NBG460N User’s Guide

Subnet masks are expressed in dotted decimal notation just like IP addresses. The following
examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet
masks.

Table 118 Subnet Masks

8-bit mask 11111111 00000000 00000000 00000000 255.0.0.0

16-bit mask 11111111 11111111 00000000 00000000 255.255.0.0

24-bit mask 11111111 11111111 11111111 00000000 255.255.255.0

29-bit mask 11111111 11111111 11111111 11111000 255.255.255.248

Network Size

The size of the network number determines the maximum number of possible hosts you can
have on your network. The larger the number of network number bits, the smaller the number
of remaining host ID bits.

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a
24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast
address for that network (192.168.1.255 with a 24-bit subnet mask, for example).

BINARY

1ST
OCTET

2ND
OCTET

3RD
OCTET

Appendix C IP Addresses and Subnetting

DECIMAL

4TH OCTET

As these two IP addresses cannot be used for individual hosts, calculate the maximum number
of possible hosts in a network as follows:

Table 119 Maximum Host Numbers

Notation

Since the mask is always a continuous number of ones beginning from the left, followed by a
continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the
number of ones instead of writing the value of each octet. This is usually specified by writing
a “/” followed by the number of bits in the mask after the address.

For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask

255.255.255.128.

The following table shows some possible subnet masks using both notations.

Table 120 Alternative Subnet Mask Notation

SUBNET MASK HOST ID SIZE MAXIMUM NUMBER OF HOSTS

8 bits 255.0.0.0 24 bits 2

16 bits 255.255.0.0 16 bits 2

24 bits 255.255.255.0 8 bits 2

29 bits 255.255.255.248 3 bits 2

SUBNET MASK

255.255.255.0 /24 0000 0000 0

255.255.255.128 /25 1000 0000 128

ALTERNATIVE
NOTATION

LAST OCTET
(BINARY)

24

– 2 16777214

16

– 2 65534

8

– 2 254

3

– 2 6

LAST OCTET
(DECIMAL)

NBG460N User’s Guide

287

Appendix C IP Addresses and Subnetting

Table 120 Alternative Subnet Mask Notation (continued)

SUBNET MASK

255.255.255.192 /26 1100 0000 192

255.255.255.224 /27 1110 0000 224

255.255.255.240 /28 1111 0000 240

255.255.255.248 /29 1111 1000 248

255.255.255.252 /30 1111 11 00 252

ALTERNATIVE
NOTATION

Subnetting

You can use subnetting to divide one network into multiple sub-networks. In the following
example a network administrator creates two sub-networks to isolate a group of servers from
the rest of the company network for security reasons.

In this example, the company network address is 192.168.1.0. The first three octets of the
address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a
maximum of 2

8

– 2 or 254 possible hosts.

LAST OCTET
(BINARY)

LAST OCTET
(DECIMAL)

The following figure shows the company network before subnetting.

Figure 177 Subnetting Example: Before Subnetting

You can “borrow” one of the host ID bits to divide the network 192.168.1.0 into two separate
sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25).

The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets;

192.168.1.0 /25 and 192.168.1.128 /25.

288

The following figure shows the company network after subnetting. There are now two sub­networks, A and B.

NBG460N User’s Guide

Appendix C IP Addresses and Subnetting

Figure 178 Subnetting Example: After Subnetting

In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 27 – 2 or 126
possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s
broadcast address).

192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask

255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned
to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126.

Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two
subnets. Similarly, to divide a 24-bit address into four subnets, you need to “borrow” two host
ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits
(11111111.11111111.11111111.11000000) or 255.255.255.192.

Each subnet contains 6 host ID bits, giving 2
zeroes is the subnet itself, all ones is the subnet’s broadcast address).

Table 121 Subnet 1

IP/SUBNET MASK NETWORK NUMBER

IP Address (Decimal) 192.168.1. 0

IP Address (Binary) 11000000.10101000.00000001. 00000000

Subnet Mask (Binary) 11111111. 11111111.11111111. 11000000

Subnet Address:

192.168.1.0

Broadcast Address:

192.168.1.63

6

- 2 or 62 hosts for each subnet (a host ID of all

Lowest Host ID: 192.168.1.1

Highest Host ID: 192.168.1.62

LAST OCTET BIT
VAL UE

NBG460N User’s Guide

289

Appendix C IP Addresses and Subnetting

Table 122 Subnet 2

IP/SUBNET MASK NETWORK NUMBER

IP Address 192.168.1. 64

IP Address (Binary) 11000000.10101000.00000001. 01000000

Subnet Mask (Binary) 11111111.11111111.11111111. 11000000

Subnet Address:

192.168.1.64

Broadcast Address:

192.168.1.127

Table 123 Subnet 3

IP/SUBNET MASK NETWORK NUMBER

IP Address 192.168.1. 128

IP Address (Binary) 11000000.10101000.00000001. 10000000

Subnet Mask (Binary) 11111111 .11111111.11111111. 11000000

Subnet Address:

192.168.1.128

Broadcast Address:

192.168.1.191

LAST OCTET BIT
VAL UE

Lowest Host ID: 192.168.1.65

Highest Host ID: 192.168.1.126

LAST OCTET BIT
VAL UE

Lowest Host ID: 192.168.1.129

Highest Host ID: 192.168.1.190

Table 124 Subnet 4

IP/SUBNET MASK NETWORK NUMBER

IP Address 192.168.1. 192

IP Address (Binary) 11000000.10101000.00000001. 11000000

Subnet Mask (Binary) 11111111. 11111111.11111111 . 11 000000

Subnet Address:

192.168.1.192

Broadcast Address:

192.168.1.255

Example: Eight Subnets

Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and

111).

The following table shows IP address last octet values for each subnet.

Table 125 Eight Subnets

SUBNET

1 0 1 30 31

2 32 33 62 63

3 64 65 94 95

4 96 97 126 127

SUBNET
ADDRESS

Lowest Host ID: 192.168.1.193

Highest Host ID: 192.168.1.254

FIRST ADDRESS

LAST OCTET BIT
VALUE

LAST
ADDRESS

BROADCAST
ADDRESS

290

NBG460N User’s Guide

Table 125 Eight Subnets (continued)

SUBNET

5 128 129 158 159

6 160 161 190 191

7 192 193 222 223

8 224 225 254 255

Subnet Planning

The following table is a summary for subnet planning on a network with a 24-bit network
number.

Table 126 24-bit Network Number Subnet Planning

NO. “BORROWED”
HOST BITS

1 255.255.255.128 (/25) 2 126

2 255.255.255.192 (/26) 4 62

3 255.255.255.224 (/27) 8 30

4 255.255.255.240 (/28) 16 14

5 255.255.255.248 (/29) 32 6

6 255.255.255.252 (/30) 64 2

7 255.255.255.254 (/31) 128 1

SUBNET
ADDRESS

Appendix C IP Addresses and Subnetting

FIRST ADDRESS

SUBNET MASK NO. SUBNETS

LAST
ADDRESS

BROADCAST
ADDRESS

NO. HOSTS PER
SUBNET

The following table is a summary for subnet planning on a network with a 16-bit network
number.

Table 127 16-bit Network Number Subnet Planning

NO. “BORROWED”
HOST BITS

1 255.255.128.0 (/17) 2 32766

2 255.255.192.0 (/18) 4 16382

3 255.255.224.0 (/19) 8 8190

4 255.255.240.0 (/20) 16 4094

5 255.255.248.0 (/21) 32 2046

6 255.255.252.0 (/22) 64 1022

7 255.255.254.0 (/23) 128 510

8 255.255.255.0 (/24) 256 254

9 255.255.255.128 (/25) 512 126

10 255.255.255.192 (/26) 1024 62

11 255.255.255.224 (/27) 2048 30

12 255.255.255.240 (/28) 4096 14

13 255.255.255.248 (/29) 8192 6

SUBNET MASK NO. SUBNETS

NO. HOSTS PER
SUBNET

NBG460N User’s Guide

291

Appendix C IP Addresses and Subnetting

Table 127 16-bit Network Number Subnet Planning (continued)

NO. “BORROWED”
HOST BITS

14 255.255.255.252 (/30) 16384 2

15 255.255.255.254 (/31) 32768 1

SUBNET MASK NO. SUBNETS

Configuring IP Addresses

Where you obtain your network number depends on your particular situation. If the ISP or
your network administrator assigns you a block of registered IP addresses, follow their
instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single
user account and the ISP will assign you a dynamic IP address when the connection is
established. If this is the case, it is recommended that you select a network number from

192.168.0.0 to 192.168.255.0. The Internet Assigned Number Authority (IANA) reserved this
block of addresses specifically for private use; please do not use any other number unless you
are told otherwise. You must also enable Network Address Translation (NAT) on the
NBG460N.

NO. HOSTS PER
SUBNET

Once you have decided on the network number, pick an IP address for your NBG460N that is
easy to remember (for instance, 192.168.1.1) but make sure that no other device on your
network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your NBG460N will
compute the subnet mask automatically based on the IP address that you entered. You don't
need to change the subnet mask computed by the NBG460N unless you are instructed to do
otherwise.

Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from
the Internet (running only between two branch offices, for example) you can assign any IP
addresses to the hosts without problems. However, the Internet Assigned Numbers Authority
(IANA) has reserved the following three blocks of IP addresses specifically for private
networks:

• 10.0.0.0 — 10.255.255.255

• 172.16.0.0 — 172.31.255.255

• 192.168.0.0 — 192.168.255.255

You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a
private network. If you belong to a small organization and your Internet access is through an
ISP, the ISP can provide you with the Internet addresses for your local networks. On the other
hand, if you are part of a much larger organization, you should consult your network
administrator for the appropriate IP addresses.

292

Regardless of your particular situation, do not create an arbitrary IP address; always follow the
guidelines above. For more information on address assignment, please refer to RFC 1597,

Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP
Address Space.

NBG460N User’s Guide

APPENDIX D

Setting up Your Computer’s IP

Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.

Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions
of UNIX/LINUX include the software components you need to install and use TCP/IP on your
computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.

TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS
7 and later operating systems.

After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order
to "communicate" with your network.

If you manually assign IP information instead of using dynamic assignment, make sure that
your computers have IP addresses that place them in the same subnet as the Prestige’s LAN
port.

Windows 95/98/Me

Click Start, Settings, Control Panel and double-click the Network icon to open the Network
window.

NBG460N User’s Guide

293

Appendix D Setting up Your Computer’s IP Address

Figure 179 WIndows 95/98/Me: Network: Configuration

Installing Components

The Network window Configuration tab displays a list of installed components. You need a
network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:

1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:

1 In the Network window, click Add.
2 Select Protocol and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select TCP/IP from the list of network protocols and then click OK.

If you need Client for Microsoft Networks:

1 Click Add.
2 Select Client and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click

OK.

5 Restart your computer so the changes you made take effect.

294

NBG460N User’s Guide

Configuring

Figure 180 Windows 95/98/Me: TCP/IP Properties: IP Address

Appendix D Setting up Your Computer’s IP Address

1 In the Network window Configuration tab, select your network adapter's TCP/IP entry

and click Properties

2 Click the IP Address tab.

• If your IP address is dynamic, select Obtain an IP address automatically.

• If you have a static IP address, select Specify an IP address and type your
information into the IP Address and Subnet Mask fields.

3 Click the DNS Configuration tab.

• If you do not know your DNS information, select Disable DNS.

• If you know your DNS information, select Enable DNS and type the information in
the fields below (you may not need to fill them all in).

NBG460N User’s Guide

295

Appendix D Setting up Your Computer’s IP Address

Figure 181 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

4 Click the Gateway tab.

• If you do not know your gateway’s IP address, remove previously installed gateways.

• If you have a gateway IP address, type it in the New gateway field and click Add.

5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your Prestige and restart your computer when prompted.

Verifying Settings

1 Click Start and then Run.
2 In the Run window, type "winipcfg" and then click OK to open the IP Configuration

window.

3 Select your network adapter. You should see your computer's IP address, subnet mask

and default gateway.

Windows 2000/NT/XP

The following example figures use the default Windows XP GUI theme.

1 Click start (Start in Windows 2000/NT), Settings, Control Panel.

296

NBG460N User’s Guide

Figure 182 Windows XP: Start Menu

Appendix D Setting up Your Computer’s IP Address

2 In the Control Panel, double-click Network Connections (Network and Dial-up

Connections in Windows 2000/NT).

Figure 183 Windows XP: Control Panel

3 Right-click Local Area Connection and then click Properties.

NBG460N User’s Guide

297

Appendix D Setting up Your Computer’s IP Address

Figure 184 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click

Properties.

Figure 185 Windows XP: Local Area Connection Properties

5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows

XP).

• If you have a dynamic IP address click Obtain an IP address automatically.

• If you have a static IP address click Use the following IP Address and fill in the IP
address, Subnet mask, and Default gateway fields.

• Click Advanced.

298

NBG460N User’s Guide

Appendix D Setting up Your Computer’s IP Address

Figure 186 Windows XP: Internet Protocol (TCP/IP) Properties

6 If you do not know your gateway's IP address, remove any previously installed

gateways in the IP Settings tab and click OK.

Do one or more of the following if you want to configure additional IP addresses:

•In the IP Settings tab, in IP addresses, click Add.

•In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet
mask, and then click Add.

• Repeat the above two steps for each IP address you want to add.

• Configure additional default gateways in the IP Settings tab by clicking Add in
Default gateways.

•In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway.
To manually configure a default metric (the number of transmission hops), clear the
Automatic metric check box and type a metric in Metric.

• Click Add.

• Repeat the previous three steps for each default gateway you want to add.

• Click OK when finished.

NBG460N User’s Guide

299

Appendix D Setting up Your Computer’s IP Address

Figure 187 Windows XP: Advanced TCP/IP Properties

7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows

XP):

• Click Obtain DNS server address automatically if you do not know your DNS
server IP address(es).

• If you know your DNS server IP address(es), click Use the following DNS server
addresses, and type them in the Preferred DNS server and Alternate DNS server
fields.

If you have previously configured DNS servers, click Advanced and then the DNS
tab to order them.

300

NBG460N User’s Guide

Appendix D Setting up Your Computer’s IP Address

Figure 188 Windows XP: Internet Protocol (TCP/IP) Properties

8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection

Properties window.

10 Close the Network Connections window (Network and Dial-up Connections in

Windows 2000/NT).

11 Turn on your Prestige and restart your computer (if prompted).

Verifying Settings

1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can

also open Network Connections, right-click a network connection, click Status and
then click the Support tab.

Macintosh OS 8/9

1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP

Control Panel.

NBG460N User’s Guide

301

Appendix D Setting up Your Computer’s IP Address

Figure 189 Macintosh OS 8/9: Apple Menu

302

2 Select Ethernet built-in from the Connect via list.

Figure 190 Macintosh OS 8/9: TCP/IP

3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:

NBG460N User’s Guide

•From the Configure box, select Manually.

• Type your IP address in the IP Address box.

• Type your subnet mask in the Subnet mask box.

• Type the IP address of your Prestige in the Router address box.

5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
7 Turn on your Prestige and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the TCP/IP Control Panel window.

Macintosh OS X

1 Click the Apple menu, and click System Preferences to open the System Preferences

window.

Figure 191 Macintosh OS X: Apple Menu

Appendix D Setting up Your Computer’s IP Address

2 Click Network in the icon bar.

• Select Automatic from the Location list.

• Select Built-in Ethernet from the Show list.

• Click the TCP/IP tab.

3 For dynamically assigned settings, select Using DHCP from the Configure list.

NBG460N User’s Guide

303

Appendix D Setting up Your Computer’s IP Address

Figure 192 Macintosh OS X: Network

4 For statically assigned settings, do the following:

•From the Configure box, select Manually.

• Type your IP address in the IP Address box.

• Type your subnet mask in the Subnet mask box.

• Type the IP address of your Prestige in the Router address box.

5 Click Apply Now and close the window.
6 Turn on your Prestige and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the Network window.

Linux

This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux

9.0. Procedure, screens and file location may vary depending on your Linux distribution and
release version.

304

NBG460N User’s Guide

"

Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)

Follow the steps below to configure your computer IP address using the KDE.

1 Click the Red Hat button (located on the bottom left corner), select System Setting and

click Network.

Figure 193 Red Hat 9.0: KDE: Network Configuration: Devices

Appendix D Setting up Your Computer’s IP Address

2 Double-click on the profile of the network card you wish to configure. The Ethernet

Device General screen displays as shown.

NBG460N User’s Guide

305

Appendix D Setting up Your Computer’s IP Address

Figure 194 Red Hat 9.0: KDE: Ethernet Device: General

• If you have a dynamic IP address click Automatically obtain IP address settings
with and select dhcp from the drop down list.

• If you have a static IP address click Statically set IP Addresses and fill in the
Address, Subnet mask, and Default Gateway Address fields.

3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network

Configuration screen. Enter the DNS server information in the fields provided.

Figure 195 Red Hat 9.0: KDE: Network Configuration: DNS

5 Click the Devices tab.
6 Click the Activate button to apply the changes. The following screen displays. Click Yes

to save the changes in all screens.

306

NBG460N User’s Guide

Figure 196 Red Hat 9.0: KDE: Network Configuration: Activate

7 After the network card restart process is complete, make sure the Status is Active in the

Network Configuration screen.

Using Configuration Files

Follow the steps below to edit the network configuration files and set your computer IP
address.

Appendix D Setting up Your Computer’s IP Address

1 Assuming that you have only one network card on the computer, locate the

configuration file (where eth0 is the name of the Ethernet card). Open the

eth0

configuration file with any plain text editor.

• If you have a dynamic IP address, enter

dhcp in the BOOTPROTO= field. The following

figure shows an example.

Figure 197 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0

DEVICE=eth0
ONBOOT=yes

BOOTPROTO=dhcp

USERCTL=no
PEERDNS=yes
TYPE=Ethernet

• If you have a static IP address, enter static in the BOOTPROTO= field. Type

IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK=

followed by the subnet mask. The following example shows an example where the
static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0.

Figure 198 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0

DEVICE=eth0
ONBOOT=yes

BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0

USERCTL=no
PEERDNS=yes
TYPE=Ethernet

ifconfig-

NBG460N User’s Guide

307

Appendix D Setting up Your Computer’s IP Address

2 If you know your DNS server IP address(es), enter the DNS server information in the

resolv.conf file in the /etc directory. The following figure shows an example where

two DNS server IP addresses are specified.

Figure 199 Red Hat 9.0: DNS Settings in resolv.conf

nameserver 172.23.5.1
nameserver 172.23.5.2

3 After you edit and save the configuration files, you must restart the network card.

Enter

./network restart in the /etc/rc.d/init.d directory. The following

figure shows an example.

Figure 200 Red Hat 9.0: Restart Ethernet Card

[root@localhost init.d]# network restart

Shutting down interface eth0: [OK]
Shutting down loopback interface: [OK]
Setting network parameters: [OK]
Bringing up loopback interface: [OK]
Bringing up interface eth0: [OK]

26.6.1 Verifying Settings

Enter ifconfig in a terminal screen to check your TCP/IP properties.

Figure 201 Red Hat 9.0: Checking TCP/IP Properties

[root@localhost]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:BA:72:5B:44
inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:717 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb)
Interrupt:10 Base address:0x1000
[root@localhost]#

308

NBG460N User’s Guide

APPENDIX E

Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of
computers with wireless stations (A, B, C). Any time two or more wireless adapters are within
range of each other, they can set up an independent network, which is commonly referred to as
an Ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an
example of notebook computers using wireless adapters to form an Ad-hoc wireless LAN.

Figure 202 Peer-to-Peer Communication in an Ad-hoc Network

BSS

A Basic Service Set (BSS) exists when all communications between wireless stations or
between a wireless station and a wired network client go through one access point (AP).

Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS is enabled,
wireless station A and B can access the wired network and communicate with each other.
When Intra-BSS is disabled, wireless station A and B can still access the wired network but
cannot communicate with each other.

NBG460N User’s Guide

309

Appendix E Wireless LANs

Figure 203 Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an
access point, with each access point connected together by a wired network. This wired
connection between APs is called a Distribution System (DS).

This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not
only provide communication with the wired network but also mediate wireless network traffic
in the immediate neighborhood.

An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their
associated wireless stations within the same ESS must have the same ESSID in order to
communicate.

310

NBG460N User’s Guide

Figure 204 Infrastructure WLAN

Appendix E Wireless LANs

Channel

A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels
available depend on your geographical area. You may have a choice of channels (for your
region) so you should use a different channel than an adjacent AP (access point) to reduce
interference. Interference occurs when radio signals from different access points overlap
causing interference and degrading performance.

Adjacent channels partially overlap however. To avoid interference due to overlap, your AP
should be on a channel at least five channels away from a channel that an adjacent AP is using.
For example, if your region has 11 channels and an adjacent AP is using channel 1, then you
need to select a channel between 6 or 11.

RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not
within range of each other. The following figure illustrates a hidden node. Both stations (STA)
are within range of the access point (AP) or wireless gateway, but out-of-range of each other,
so they cannot "hear" each other, that is they do not know if the channel is currently being
used. Therefore, they are considered hidden from each other.

NBG460N User’s Guide

311

Appendix E Wireless LANs

"

Figure 205 RTS/CTS

When station A sends data to the AP, it might not know that the station B is already using the
channel. If these two stations send data at the same time, collisions may occur when both sets
of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the
biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send)
handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station
that wants to transmit this frame must first send an RTS (Request To Send) message to the AP
for permission to send it. The AP then responds with a CTS (Clear to Send) message to all
other stations within its range to notify them to defer their transmission. It also reserves and
confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS directly to the AP without the
RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network
and the "cost" of resending large frames is more than the extra network overhead involved in
the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the
RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will
be fragmented before they reach RTS/CTS size.

Enabling the RTS Threshold causes redundant network overhead that could
negatively affect the throughput performance instead of providing a remedy.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432
bytes) that can be sent in the wireless network before the AP will fragment the packet into
smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference
while you should set a smaller threshold for busy networks or networks that are prone to
interference.

312

NBG460N User’s Guide

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously)

"

you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as
data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

A preamble is used to synchronize the transmission timing in your wireless network. There are
two preamble modes: Long and Short.

Short preamble takes less time to process and minimizes overhead, so it should be used in a
good wireless network environment when all wireless stations support it.

Select Long if you have a ‘noisy’ network or are unsure of what preamble mode your wireless
stations support as all IEEE 802.11b compliant wireless adapters must support long preamble.
However, not all wireless adapters support short preamble. Use long preamble if you are
unsure what preamble mode the wireless adapters support, to ensure interpretability between
the AP and the wireless stations and to provide more reliable communication in ‘noisy’
networks.

Select Dynamic to have the AP automatically use short preamble when all wireless stations
support it, otherwise the AP uses long preamble.

Appendix E Wireless LANs

The AP and the wireless stations MUST use the same preamble mode in order
to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE

802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at
11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps
between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation
are as follows:

Table 128 IEEE 802.11g

DATA RATE (MBPS) MODULATION

1 DBPSK (Differential Binary Phase Shift Keyed)

2 DQPSK (Differential Quadrature Phase Shift Keying)

5.5 / 11 CCK (Complementary Code Keying)

6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing)

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to
support extended authentication as well as providing additional accounting and control
features. It is supported by Windows XP and a number of network devices. Some advantages
of IEEE 802.1x are:

NBG460N User’s Guide

313

Appendix E Wireless LANs

• User based identification that allows for roaming.

• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for
centralized user profile and accounting management on a network RADIUS server.

• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional
authentication methods to be deployed with no changes to the access point or the wireless
stations.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and
accounting. The access point is the client and the server is the RADIUS server. The RADIUS
server handles the following tasks:

• Authentication
Determines the identity of the users.

• Authorization
Determines the network services available to authenticated users once they are connected

to the network.

• Accounting
Keeps track of the client’s network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the
wireless station and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the
RADIUS server for user authentication:

• Access-Request
Sent by an access point requesting authentication.

• Access-Reject
Sent by a RADIUS server rejecting access.

• Access-Accept
Sent by a RADIUS server allowing access.

• Access-Challenge
Sent by a RADIUS server requesting more information in order to allow access. The

access point sends a proper response from the user and then sends another Access-Request
message.

The following types of RADIUS messages are exchanged between the access point and the
RADIUS server for user accounting:

• Accounting-Request
Sent by the access point requesting accounting.

• Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.

314

NBG460N User’s Guide

In order to ensure network security, the access point and the RADIUS server use a shared
secret key, which is a password, they both know. The key is not sent over the network. In
addition to the shared key, password information exchanged is also encrypted to protect the
network from unauthorized access.

Types of Authentication

This appendix discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP­TTLS, PEAP and LEAP.

The type of authentication you use depends on the RADIUS server or the AP. Consult your
network administrator for more information.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server
sends a challenge to the wireless station. The wireless station ‘proves’ that it knows the
password by encrypting the password with the challenge and sends back the information.
Password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to
get the plaintext passwords, the passwords must be stored. Thus someone other than the
authentication server may access the password file. In addition, it is possible to impersonate an
authentication server as MD5 authentication method does not perform mutual authentication.
Finally, MD5 authentication method does not support data encryption with dynamic session
key. You must configure WEP encryption keys for data encryption.

Appendix E Wireless LANs

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless stations
for mutual authentication. The server presents a certificate to the client. After validating the
identity of the server, the client sends a different certificate to the server. The exchange of
certificates is done in the open before a secured tunnel is created. This makes user identity
vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the
sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to
handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the
server-side authentications to establish a secure connection. Client authentication is then done
by sending username and password through the secure connection, thus client identity is
protected. For client authentication, EAP-TTLS supports EAP methods and legacy
authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

NBG460N User’s Guide

315

Appendix E Wireless LANs

"

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection,
then use simple username and password methods through the secured connection to
authenticate the clients, thus hiding client identity. However, PEAP only supports EAP
methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card),
for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE

802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when
the wireless connection times out, disconnects or reauthentication times out. A new WEP key
is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the
Wireless screen. You may still configure and store keys here, but they will not be used while
Dynamic WEP is enabled.

WPA(2)

EAP-MD5 cannot be used with dynamic WEP key exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use
dynamic keys for data encryption. They are often deployed in corporate environments, but for
public deployment, a simple user name and password pair is more practical. The following
table is a comparison of the features of authentication types.

Table 129 Comparison of EAP Authentication Types

EAP-MD5 EAP-TLS EAP-TTLS PEAP LEAP

Mutual Authentication No Yes Yes Yes Ye s

Certificate – Client No Yes Optional Optional No

Certificate – Server No Yes Yes Yes No

Dynamic Key Exchange No Yes Ye s Ye s Yes

Credential Integrity None Strong Strong Strong Moderate

Deployment Difficulty Easy Hard Moderate Moderate Moderate

Client Identity Protection No No Ye s Yes No

316

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE

802.11i) is a wireless security standard that defines stronger encryption, authentication and
key management than WPA.

NBG460N User’s Guide

Appendix E Wireless LANs

Key differences between WPA(2) and WEP are improved data encryption and user
authentication.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol
(TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to TKIP, WPA2 also
uses Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining
Message authentication code Protocol (CCMP) to offer stronger encryption.

Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and
distributed by the authentication server. It includes a per-packet key mixing function, a
Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with
sequencing rules, and a re-keying mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is
never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP
that then sets up a key hierarchy and management system, using the pair-wise key to
dynamically generate unique data encryption keys to encrypt every data packet that is
wirelessly communicated between the AP and the wireless clients. This all happens in the
background automatically.

WPA2 AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit
mathematical algorithm called Rijndael.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data
packets, altering them and resending them. The MIC provides a strong mathematical function
in which the receiver and the transmitter each compute and then compare the MIC. If they do
not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity
checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi
network than WEP, making it difficult for an intruder to break into the network.

The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference
between the two is that WPA-PSK uses a simple common password, instead of user-specific
credentials. The common-password approach makes WPA-PSK susceptible to brute-force
password-guessing attacks but it's still an improvement over WEP as it employs an easier-to­use, consistent, single, alphanumeric password.

User Authentication

WPA or WPA2 applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to
authenticate wireless clients using an external RADIUS database.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS
server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server,
you should use WPA2 -PSK (WPA2 -Pre-Shared Key) that only requires a single (identical)
password entered into each access point, wireless gateway and wireless client. As long as the
passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending
on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is
less secure than WPA or WPA2.

NBG460N User’s Guide

317

Appendix E Wireless LANs

26.6.2 WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key

(PSK) must consist of between 8 and 63 ASCII characters (including spaces and
symbols).

2 The AP checks each wireless client's password and (only) allows it to join the network if

the password matches.

3 The AP derives and distributes keys to the wireless clients.
4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data

exchanged between them.

Figure 206 WPA(2)-PSK Authentication

26.6.3 WPA(2) with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812), and the
RADIUS shared secret. A WPA(2) application example with an external RADIUS server
looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants

or denies network access accordingly.

3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then

sets up a key hierarchy and management system, using the pair-wise key to dynamically
generate unique data encryption keys to encrypt every data packet that is wirelessly
communicated between the AP and the wireless clients.

318

NBG460N User’s Guide

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each
Authentication Method/ key management protocol type. MAC address filters are not
dependent on how you configure these security features.

Table 130 Wireless Security Relational Matrix

AUTHENTICATION
METHOD/ KEY
MANAGEMENT PROTOCOL

Open None No Disable

Open WEP No Enable with Dynamic WEP Key

Shared WEP No Enable with Dynamic WEP Key

WPA TKIP No Enable

WPA-PSK TKIP Yes Enable

WPA2 AES No Enable

WPA2-PSK AES Yes Enable

ENCRYPTIO
N METHOD

Appendix E Wireless LANs

ENTER
MANUAL KEY

Yes Enable without Dynamic WEP

Yes Disable

Yes Enable without Dynamic WEP

Yes Disable

IEEE 802.1X

Enable without Dynamic WEP
Key

Key

Key

NBG460N User’s Guide

319

Appendix E Wireless LANs

320

NBG460N User’s Guide

APPENDIX F

Services

The following table lists some commonly-used services and their associated protocols and port
numbers.

• Name: This is a short, descriptive name for the service. You can use this one or create a
different one, if you like.

• Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the
service uses the same port number with TCP and UDP. If this is User-Defined, the Port(s)
is the IP protocol number, not the port number.

• Port(s): This value depends on the Protocol.

• If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.

• If the Protocol is USER, this is the IP protocol number.

• Description: This is a brief explanation of the applications that use this service or the
situations in which this service is used.

Table 131 Examples of Services

NAME PROTOCOL PORT(S) DESCRIPTION

AH
(IPSEC_TUNNEL)

AIM TCP 5190 AOL’s Internet Messenger service.

AUTH TCP 113 Authentication protocol used by some

BGP TCP 179 Border Gateway Protocol.

BOOTP_CLIENT UDP 68 DHCP Client.

BOOTP_SERVER UDP 67 DHCP Server.

CU-SEEME TCP/UDP

DNS TCP/UDP 53 Domain Name Server, a service that

ESP
(IPSEC_TUNNEL)

FINGER TCP 79 Finger is a UNIX or Internet related

FTP TCP

User-Defined 51 The IPSEC AH (Authentication Header)

7648

TCP/UDP

User-Defined 50 The IPSEC ESP (Encapsulation Security

TCP

24032

20
21

tunneling protocol uses this service.

servers.

A popular videoconferencing solution from
White Pines Software.

matches web names (e.g. www.zyxel.com
to IP numbers.

Protocol) tunneling protocol uses this
service.

command that can be used to find out if a
user is logged on.

File Transfer Program, a program to enable
fast transfer of files, including large files that
may not be possible by e-mail.

)

NBG460N User’s Guide

321

Appendix F Services

Table 131 Examples of Services (continued)

NAME PROTOCOL PORT(S) DESCRIPTION

H.323 TCP 1720 NetMeeting uses this protocol.

HTTP TCP 80 Hyper Text Transfer Protocol - a client/

HTTPS TCP 443 HTTPS is a secured http session often used

ICMP User-Defined 1 Internet Control Message Protocol is often

ICQ UDP 4000 This is a popular Internet chat program.

IGMP (MULTICAST) User-Defined 2 Internet Group Multicast Protocol is used

IKE UDP 500 The Internet Key Exchange algorithm is

IMAP4 TCP 143 The Internet Message Access Protocol is

IMAP4S TCP 993 This is a more secure version of IMAP4 that

IRC TCP/UDP 6667 This is another popular Internet chat

MSN Messenger TCP 1863 Microsoft Networks’ messenger service

NetBIOS TCP/UDP

NEW-ICQ TCP 5190 An Internet chat program.

NEWS TCP 144 A protocol for news groups.

NFS UDP 2049 Network File System - NFS is a client/

NNTP TCP 119 Network News Transport Protocol is the

PING User-Defined 1 Packet INternet Groper is a protocol that

POP3 TCP 11 0 Post Office Protocol version 3 lets a client

POP3S TCP 995 This is a more secure version of POP3 that

PPTP TCP 1723 Point-to-Point Tunneling Protocol enables

TCP/UDP
TCP/UDP
TCP/UDP

137
138
139
445

server protocol for the world wide web.

in e-commerce.

used for diagnostic purposes.

when sending packets to a specific group of
hosts.

used for key distribution and management.

used for e-mail.

runs over SSL.

program.

uses this protocol.

The Network Basic Input/Output System is
used for communication between
computers in a LAN.

server distributed file service that provides
transparent file sharing for network
environments.

delivery mechanism for the USENET
newsgroup service.

sends out ICMP echo requests to test
whether or not a remote host is reachable.

computer get e-mail from a POP3 server
through a temporary connection (TCP/IP or
other).

runs over SSL.

secure transfer of data over public
networks. This is the control channel.

322

NBG460N User’s Guide

Appendix F Services

Table 131 Examples of Services (continued)

NAME PROTOCOL PORT(S) DESCRIPTION

PPTP_TUNNEL
(GRE)

RCMD TCP 512 Remote Command Service.

REAL_AUDIO TCP 7070 A streaming audio service that enables real

REXEC TCP 514 Remote Execution Daemon.

RLOGIN TCP 513 Remote Login.

ROADRUNNER TCP/UDP 1026 This is an ISP that provides services mainly

RTELNET TCP 107 Remote Telnet.

RTSP TCP/UDP 554 The Real Time Streaming (media control)

SFTP TCP 115 The Simple File Transfer Protocol is an old

SMTP TCP 25 Simple Mail Transfer Protocol is the

SMTPS TCP 465 This is a more secure version of SMTP that

SNMP TCP/UDP 161 Simple Network Management Program.

SNMP-TRAPS TCP/UDP 162 Traps for use with the SNMP (RFC:1215).

SQL-NET TCP 1521 Structured Query Language is an interface

SSDP UDP 1900 The Simple Service Discovery Protocol

SSH TCP/UDP 22 Secure Shell Remote Login Program.

STRM WORKS UDP 1558 Stream Works Protocol.

SYSLOG UDP 514 Syslog allows you to send system logs to a

TACACS UDP 49 Login Host Protocol used for (Terminal

TELNET TCP 23 Telnet is the login and terminal emulation

User-Defined 47 PPTP (Point-to-Point Tunneling Protocol)

enables secure transfer of data over public
networks. This is the data channel.

time sound over the web.

for cable modems.

Protocol (RTSP) is a remote control for
multimedia on the Internet.

way of transferring files between
computers.

message-exchange standard for the
Internet. SMTP enables you to move
messages from one e-mail server to
another.

runs over SSL.

to access data on many different types of
database systems, including mainframes,
midrange systems, UNIX systems and
network servers.

supports Universal Plug-and-Play (UPnP).

UNIX server.

Access Controller Access Control System).

protocol common on the Internet and in
UNIX environments. It operates over TCP/
IP networks. Its primary function is to allow
users to log into remote host systems.

NBG460N User’s Guide

323

Appendix F Services

Table 131 Examples of Services (continued)

NAME PROTOCOL PORT(S) DESCRIPTION

TFTP UDP 69 Trivial File Transfer Protocol is an Internet

VDOLIVE TCP

UDP

7000
user-

defined

file transfer protocol similar to FTP, but uses
the UDP (User Datagram Protocol) rather
than TCP (Transmission Control Protocol).

A videoconferencing solution. The UDP port
number is specified in the application.

324

NBG460N User’s Guide

APPENDIX G

Legal Information

Copyright

Copyright © 2008 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed,
stored in a retrieval system, translated into any language, or transmitted in any form or by any
means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or
otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or
software described herein. Neither does it convey any license under its patent rights nor the
patent rights of others. ZyXEL further reserves the right to make changes in any products
described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL
Communications, Inc. Other trademarks mentioned in this publication are used for
identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two
conditions:

• This device may not cause harmful interference.

• This device must accept any interference received, including interference that may cause
undesired operations.

This device has been tested and found to comply with the limits for a Class B digital device
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a residential installation. This device generates,
uses, and can radiate radio frequency energy, and if not installed and used in accordance with
the instructions, may cause harmful interference to radio communications. However, there is
no guarantee that interference will not occur in a particular installation.

NBG460N User’s Guide

325

Appendix G Legal Information

ࣹრʳʴ

If this device does cause harmful interference to radio/television reception, which can be
determined by turning the device off and on, the user is encouraged to try to correct the
interference by one or more of the following measures:

1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the

receiver is connected.

4 Consult the dealer or an experienced radio/TV technician for help.

FCC Radiation Exposure Statement

• This transmitter must not be co-located or operating in conjunction with any other antenna
or transmitter.

• IEEE 802.11b or 802.11g operation of this product in the U.S.A. is firmware-limited to
channels 1 through 11.

• To comply with FCC RF exposure compliance requirements, a separation distance of at
least 20 cm must be maintained between the antenna of this device and all persons.

Notices

Changes or modifications not expressly approved by the party responsible for compliance
could void the user's authority to operate the equipment.

This device has been designed for the WLAN 2.4 GHz network throughout the EC region and
Switzerland, with restrictions in France.

This Class B digital apparatus complies with Canadian ICES-003.

Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.

Viewing Certifications

1 Go to http://www.zyxel.com
2 Select your product on the ZyXEL home page to go to that product's page.

ࠉᖕʳʳ܅פ෷ሽᘿ୴ࢤሽᖲጥ෻ᙄ

รԼԲයʳʳᆖীڤᎁᢞٽ௑հ܅פ෷୴᙮ሽᖲΔᆖ๺ױΔֆ׹Ε೸ᇆࢨࠌش
݁լ൓ᖐ۞᧢ޓ᙮෷ΕףՕפ෷ࢨ᧢ޓ଺๻ૠհ௽ࢤ֗פ౨Ζ

รԼ؄යʳʳ܅פ෷୴᙮ሽᖲհࠌشլ൓ᐙ᥼ଆ౰ڜ٤֗եឫٽຏΙᆖ࿇෼
ڶեឫ෼ွழΔᚨمܛೖشΔࠀޏ࿳۟ྤեឫழֱ൓ᤉᥛࠌشΖ
ছႈٽຏΔࠉሽ๵ࡳ܂ᄐհྤᒵሽΖ܅פ෷୴᙮ሽᖲႊݴ
࠹ٽຏࢨՠᄐΕઝᖂ֗᠔᛭شሽᘿ୴ࢤሽᖲ๻ໂհեឫΖʳ

ءᖲૻڇլեឫٽሽፕፖլ࠹๯եឫঅᎽයٙՀ࣍৛փࠌشΖ!
྇֟ሽ጖ᐙ᥼ΔᓮݔᔞࠌشΖ

.

326

NBG460N User’s Guide

3 Select the certification you wish to view from this page.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects
in materials or workmanship for a period of up to two years from the date of purchase. During
the warranty period, and upon proof of purchase, should the product have indications of failure
due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the
defective products or components without charge for either parts or labor, and to whatever
extent it shall deem necessary to restore the product or components to proper operating
condition. Any replacement will consist of a new or re-manufactured functionally equivalent
product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty
shall not apply if the product has been modified, misused, tampered with, damaged by an act
of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the
purchaser. This warranty is in lieu of all other warranties, express or implied, including any
implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in
no event be held liable for indirect or consequential damages of any kind to the purchaser.

Appendix G Legal Information

To obtain the services of this warranty, contact your vendor. You may also refer to the
warranty policy for the region in which you bought the device at http://www.zyxel.com/web/
support_warranty_info.php.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information
at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.

NBG460N User’s Guide

327

Appendix G Legal Information

328

NBG460N User’s Guide

APPENDIX H

Customer Support

In the event of problems that cannot be solved by using this manual, you should contact your
vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in
which you bought the device. Regional offices are listed below (see also http://
www.zyxel.com/web/contact_us.php). Please have the following information ready when you
contact an office.

Required Information

• Product model and serial number.

• Warranty Information.

• Date that you received your device.

• Brief description of the problem and the steps you took to solve it.

“+” is the (prefix) number you dial to make an international telephone call.

Corporate Headquarters (Worldwide)

• Support E-mail: support@zyxel.com.tw

• Sales E-mail: sales@zyxel.com.tw

• Telephone: +886-3-578-3942

• Fax: +886-3-578-2439

• Web: www.zyxel.com, www.europe.zyxel.com

• Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park,
Hsinchu 300, Taiwan

China - ZyXEL Communications (Beijing) Corp.

• Support E-mail: cso.zycn@zyxel.cn

• Sales E-mail: sales@zyxel.cn

• Telephone: +86-010-82800646

• Fax: +86-010-82800587

• Address: 902, Unit B, Horizon Building, No.6, Zhichun Str, Haidian District, Beijing

• Web: http://www.zyxel.cn

China - ZyXEL Communications (Shanghai) Corp.

• Support E-mail: cso.zycn@zyxel.cn

• Sales E-mail: sales@zyxel.cn

• Telephone: +86-021-61199055

• Fax: +86-021-52069033

NBG460N User’s Guide

329

Appendix H Customer Support

• Address: 1005F, ShengGao International Tower, No.137 XianXia Rd., Shanghai

• Web: http://www.zyxel.cn

Costa Rica

• Support E-mail: soporte@zyxel.co.cr

• Sales E-mail: sales@zyxel.co.cr

• Telephone: +506-2017878

• Fax: +506-2015098

• Web: www.zyxel.co.cr

• FTP: ftp.zyxel.co.cr

• Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San
José, Costa Rica

Czech Republic

• E-mail: info@cz.zyxel.com

• Telephone: +420-241-091-350

• Fax: +420-241-091-359

• Web: www.zyxel.cz

• Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 ­Modrany, Ceská Republika

Denmark

• Support E-mail: support@zyxel.dk

• Sales E-mail: sales@zyxel.dk

• Telephone: +45-39-55-07-00

• Fax: +45-39-55-07-07

• Web: www.zyxel.dk

• Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

Finland

• Support E-mail: support@zyxel.fi

• Sales E-mail: sales@zyxel.fi

• Telephone: +358-9-4780-8411

• Fax: +358-9-4780-8448

• Web: www.zyxel.fi

• Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

France

• E-mail: info@zyxel.fr

• Telephone: +33-4-72-52-97-97

• Fax: +33-4-72-52-19-20

• Web: www.zyxel.fr

• Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

330

NBG460N User’s Guide

Appendix H Customer Support

Germany

• Support E-mail: support@zyxel.de

• Sales E-mail: sales@zyxel.de

• Telephone: +49-2405-6909-69

• Fax: +49-2405-6909-99

• Web: www.zyxel.de

• Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen,
Germany

Hungary

• Support E-mail: support@zyxel.hu

• Sales E-mail: info@zyxel.hu

• Telephone: +36-1-3361649

• Fax: +36-1-3259100

• Web: www.zyxel.hu

• Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary

India

• Support E-mail: support@zyxel.in

• Sales E-mail: sales@zyxel.in

• Telephone: +91-11-30888144 to +91-11-30888153

• Fax: +91-11-30888149, +91-11-26810715

• Web: http://www.zyxel.in

• Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1,
New Delhi 110020, India

Japan

• Support E-mail: support@zyxel.co.jp

• Sales E-mail: zyp@zyxel.co.jp

• Telephone: +81-3-6847-3700

• Fax: +81-3-6847-3705

• Web: www.zyxel.co.jp

• Regular Mail: ZyXEL Japan, 3F, Office T&U, 1-10-10 Higashi-Gotanda, Shinagawa-ku,
Tokyo 141-0022, Japan

Kazakhstan

• Support: http://zyxel.kz/support

• Sales E-mail: sales@zyxel.kz

• Telephone: +7-3272-590-698

• Fax: +7-3272-590-689

• Web: www.zyxel.kz

• Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre,
050010 Almaty, Republic of Kazakhstan

NBG460N User’s Guide

331

Appendix H Customer Support

Malaysia

• Support E-mail: support@zyxel.com.my

• Sales E-mail: sales@zyxel.com.my

• Telephone: +603-8076-9933

• Fax: +603-8076-9833

• Web: http://www.zyxel.com.my

• Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar
Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia

North America

• Support E-mail: support@zyxel.com

• Support Telephone: +1-800-978-7222

• Sales E-mail: sales@zyxel.com

• Sales Telephone: +1-714-632-0882

• Fax: +1-714-632-0858

• Web: www.zyxel.com

• Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806­2001, U.S.A.

Norway

• Support E-mail: support@zyxel.no

• Sales E-mail: sales@zyxel.no

• Telephone: +47-22-80-61-80

• Fax: +47-22-80-61-81

• Web: www.zyxel.no

• Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

Poland

• E-mail: info@pl.zyxel.com

• Telephone: +48-22-333 8250

• Fax: +48-22-333 8251

• Web: www.pl.zyxel.com

• Regular Mail: ZyXEL Communications, ul. Okrzei 1A, 03-715 Warszawa, Poland

Russia

• Support: http://zyxel.ru/support

• Sales E-mail: sales@zyxel.ru

• Telephone: +7-095-542-89-29

• Fax: +7-095-542-89-25

• Web: www.zyxel.ru

• Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia

332

NBG460N User’s Guide

Appendix H Customer Support

Singapore

• Support E-mail: support@zyxel.com.sg

• Sales E-mail: sales@zyxel.com.sg

• Telephone: +65-6899-6678

• Fax: +65-6899-8887

• Web: http://www.zyxel.com.sg

• Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy
#03-28, Singapore 609930

Spain

• Support E-mail: support@zyxel.es

• Sales E-mail: sales@zyxel.es

• Telephone: +34-902-195-420

• Fax: +34-913-005-345

• Web: www.zyxel.es

• Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain

Sweden

• Support E-mail: support@zyxel.se

• Sales E-mail: sales@zyxel.se

• Telephone: +46-31-744-7700

• Fax: +46-31-744-7701

• Web: www.zyxel.se

• Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

Taiwan

• Support E-mail: support@zyxel.com.tw

• Sales E-mail: sales@zyxel.com.tw

• Telephone: +886-2-27399889

• Fax: +886-2-27353220

• Web: http://www.zyxel.com.tw

• Address: Room B, 21F., No.333, Sec. 2, Dunhua S. Rd., Da-an District, Taipei

Thailand

• Support E-mail: support@zyxel.co.th

• Sales E-mail: sales@zyxel.co.th

• Telephone: +662-831-5315

• Fax: +662-831-5395

• Web: http://www.zyxel.co.th

• Regular Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak-Noi,
Muang, Nonthaburi 11000, Thailand.

NBG460N User’s Guide

333

Appendix H Customer Support

Turkey

• Support E-mail: cso@zyxel.com.tr

• Telephone: +90 212 222 55 22

• Fax: +90-212-220-2526

• Web: http:www.zyxel.com.tr

• Address: Kaptanpasa Mahallesi Piyalepasa Bulvari Ortadogu Plaza N:14/13 K:6
Okmeydani/Sisli Istanbul/Turkey

Ukraine

• Support E-mail: support@ua.zyxel.com

• Sales E-mail: sales@ua.zyxel.com

• Telephone: +380-44-247-69-78

• Fax: +380-44-494-49-32

• Web: www.ua.zyxel.com

• Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev 04050, Ukraine

United Kingdom

• Support E-mail: support@zyxel.co.uk

• Sales E-mail: sales@zyxel.co.uk

• Telephone: +44-1344-303044, 08707-555779 (UK only)

• Fax: +44-1344-303034

• Web: www.zyxel.co.uk

• FTP: ftp.zyxel.co.uk

• Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road,
Bracknell, Berkshire RG12 2XB, United Kingdom (UK)

334

NBG460N User’s Guide

Index

Index

A

active protocol 188

AH 188
and encapsulation 189

ESP 188
ActiveX 162
address resolution protocol (ARP) 129
AH 188

and transport mode 189
Alert 234
alternative subnet mask notation 287
any IP

note 129
AP 259
AP (Access Point) 311
AP Mode 259

menu 68

overview 65

status screen 66
AP network 259
Asymmetrical routes 154

and IP alias 154

see also triangle routes 154
authentication algorithms 185, 190

and active protocol 185
Authentication Header. See AH.
Auto-bridge 126

C

CA 315
Certificate Authority 315
certifications 325

notices 326
viewing 326

Channel 41, 67, 311

Interference 311
channel 89
command interface 33
Configuration

backup 253

reset the factory defaults 254

restore 253
contact information 329
Content Filtering

Days and Times 161

Restrict Web Features 161
Cookies 162
copyright 325
CPU usage 41, 67
CTS (Clear to Send) 312
customer support 329

D

B

Backup configuration 253
Bandwidth management 62

application-based 199
classes and priorities 202
monitor 206
overview 199
priority 200
services 201

subnet-based 199
Bandwidth management monitor 44
Basic wireless security 53
BitTorrent 201
BSS 309

NBG460N User’s Guide

Daylight saving 231
DDNS 147

see also Dynamic DNS

DHCP 45, 133

DHCP server
see also Dynamic Host Configuration Protocol

DHCP client information 135
DHCP client list 135
DHCP server 127, 133
DHCP table 45, 135

DHCP client information
DHCP status

Diffie-Hellman key group 185

Perfect Forward Secrecy (PFS) 189
Dimensions 273
disclaimer 325
DNS 59, 135

335

Index

DNS server
see also Domain name system

DNS (Domain Name System) 212
DNS Server

For VPN Host 190
DNS server 135
Domain name 51

vs host name. see also system name
Domain Name System 135
duplex setting 42, 68
Dynamic DNS 147
Dynamic Host Configuration Protocol 133
Dynamic WEP Key Exchange 316
DynDNS Wildcard 147

E

EAP Authentication 315
e-mail 105
Encapsulating Security Payload. See ESP.
encapsulation

and active protocol 189

transport mode 188

tunnel mode 188

VPN 188
Encryption 317
encryption 91

and local (user) database 91

key 92

WPA compatible 92
encryption algorithms 185, 190

and active protocol 185
ESP 188

and transport mode 189
ESS 310
ESSID 269
Extended Service Set 310
Extended wireless security 54

F

Factory LAN defaults 127
FCC interference statement 325
feature specifications 275
File Transfer Program 201
Firewall 153

Firewall overview

guidelines 154

ICMP packets 156
network security
Stateful inspection 153
ZyXEL device firewall 153

Firmware upload 251

file extension
using HTTP

firmware version 40, 67
Fragmentation Threshold 312
FTP 33, 212
FTP. see also File Transfer Program 201

G

gateway 196
General wireless LAN screen 94

H

Hidden Node 311
HTTP 201
Hyper Text Transfer Protocol 201

I

IANA 292
IBSS 309
IEEE 802.11g 313
IGMP 117, 128

see also Internet Group Multicast Protocol
version

IGMP version 117, 128
IKE SA

aggressive mode 166, 187
authentication algorithms 185, 190
Diffie-Hellman key group 185
encryption algorithms 185, 190
ID content 186
ID type 186
IP address, remote IPSec router 167
IP address, ZyXEL Device 166
local identity 186
main mode 166, 187
NAT traversal 188
negotiation mode 166
peer identity 186
pre-shared key 186
proposal 185

336

NBG460N User’s Guide

Index

SA life time 190
IKE SA. See also VPN.
Independent Basic Service Set 309
Install UPnP 217

Windows Me 217

Windows XP 218
Internet Assigned Numbers Authority

See IANA
Internet connection

Ethernet

PPPoE. see also PPP over Ethernet

PPTP

WAN connection
Internet connection wizard 54
Internet Group Multicast Protocol 11 7, 128
Internet Protocol Security. See IPSec.
IP Address 130, 139
IP address 59

dynamic
IP alias 130
IP packet transmission 128

Broadcast

Multicast

Unicast
IP Pool 133
IPSec 165
IPSec SA

active protocol 188

authentication algorithms 185, 190

authentication key (manual keys) 179

encapsulation 188

encryption algorithms 185, 190

encryption key (manual keys) 179

local policy 167

manual keys 179

Perfect Forward Secrecy (PFS) 189

proposal 189

remote policy 167

SA life time 190

Security Parameter Index (SPI) (manual keys) 180

transport mode 188

tunnel mode 188

when IKE SA is disconnected 167, 190
IPSec SA. See also VPN.
IPSec. See also VPN.

J

K

Keep alive 190

L

LAN 127

IP pool setup 127
LAN overview 127
LAN Setup 117
LAN setup 127
LAN TCP/IP 127
Language 263
Link type 41, 67
local (user) database 90

and encryption 91
Local Area Network 127
Log 233

M

MAC 101
MAC address 90, 117

cloning 61, 117
MAC address filter 90
MAC address filtering 101
MAC filter 101
managing the device

good habits 33

using FTP. See FTP.

using Telnet. See command interface.

using the command interface. See command

interface.

using the web configurator. See web configurator.
Media access control 101
Memory usage 41, 67
Metric 197
MSN messenger 201
MSN Webcam 201
Multicast 117, 128

IGMP 117, 128

Java 162

NBG460N User’s Guide

N

NAT 137, 139, 292

337

Index

and VPN 187
overview 137
port forwarding 137
see also Network Address Translation

server sets 137
NAT session 144
NAT Traversal 215
NAT traversal 188
Navigation Panel 42, 68
navigation panel 42, 68
NetBIOS 125, 132

see also Network Basic Input/Output System 125
Network Address Translation 137, 139
Network Basic Input/Output System 132

O

Operating Channel 41, 67

P

P2P 201
peer-to-peer 201
Perfect Forward Secrecy. see PFS.
PFS 189

Diffie-Hellman key group 189
Pocket GUI 108
Point-to-Point Protocol over Ethernet 55, 119
Point-to-Point Tunneling Protocol 56, 122
Pool Size 133
Port forwarding 137, 139

default server 137

example 138

local server 139

port numbers

services
port speed 42, 68
Power Specification 273
PPPoE 55, 119

benefits 56

dial-up connection

see also Point-to-Point Protocol over Ethernet 55
PPTP 56, 122

see also Point-to-Point Tunneling Protocol 56
Preamble Mode 313
priorities 94
Private 197
product registration 327

Q

QoS 94
QoS priorities 94
Quality of Service (QoS) 103

R

RADIUS 314

Shared Secret Key 315
RADIUS Message Types 314
RADIUS Messages 314
RADIUS server 90
registration

product 327
related documentation 3
Remote management 209

and NAT 210

and the firewall 209

FTP 212

limitations 209

remote management session 209

system timeout 210
remote management

Te ln e t 211
Reset button 39, 254
Reset the device 39
Restore configuration 253
Restrict Web Features 162
RF (Radio Frequency) 274
RFC 2402. See AH.
RFC 2406. See ESP.
RoadRunner 119
Roaming 102
roaming 92

requirements 93
router 259
Router Mode 259
RTS (Request To Send) 312
RTS Threshold 311, 312
RTS/CTS Threshold 103

S

SA

life time 190
safety warnings 6

338

NBG460N User’s Guide

Index

Scheduling 107
security associations. See VPN.
Security Parameters 319
Service and port numbers 201
Service Set 95
Service Set IDentification 95
Service Set IDentity. See SSID.
services

and port numbers 321

and protocols 321
Session Initiated Protocol 201
Simple Mail Transfer Protocol 236
SIP 201
SMTP 236
SNMP 154
SSID 41, 67, 89, 95
Static DHCP 134
Static Route 195
Status 39
subnet 285
Subnet Mask 130
subnet mask 59, 286
subnetting 288
Summary 44

Bandwidth management monitor 44

DHCP table 45

Packet statistics 46

Wireless station status 47
syntax conventions 4
Sys Op Mode 259

selecting 260
System General Setup 229
System Name 229
System name 50

vs computer name
System restart 254

process 142

U

Universal Plug and Play 215

Application 215

UPnP 215

Forum 216

security issues 215
URL Keyword Blocking 162
Use Authentication 317
user authentication 90

local (user) database 90

RADIUS server 90
User Name 148

V

Virtual Private Network. See VPN.
VoIP 201
VPN 80, 122, 165

active protocol 188

and NAT 187

established in two phases 166

IKE SA. See IKE SA.

IPSec 165

IPSec SA. See IPSec SA.

local network 165

proposal 185

remote IPSec router 165

remote network 165

security associations (SA) 166
VPN. See also IKE SA, IPSec SA.

T

TCP/IP configuration 133
Te ln e t 211
Temperature 273
Time setting 230
trademarks 325
Triangle routes

and IP alias 154

see also asymmetrical routes 154
trigger port 142
Trigger port forwarding 142

example 142

NBG460N User’s Guide

W

Wake On LAN 139, 141, 255
WAN

IP address assignment 58
WAN advanced 125
WAN IP address 58
WAN IP address assignment 60
WAN MAC address 117
warranty 327

note 327
Web Configurator

how to access 37

339

Index

Overview 37

Web configurator

navigating 39
web configurator 33
Web Proxy 162
WEP Encryption 97
WEP encryption 96
WEP key 97
Wi-Fi Multimedia QoS 94
Wildcard 147
Windows Networking 132
Wireless association list 47
wireless channel 269
wireless LAN 269
wireless LAN scheduling 107
Wireless LAN wizard 51
Wireless network

basic guidelines 89

channel 89

encryption 91

example 89

MAC address filter 90

overview 89

security 90

SSID 89
Wireless security 90

overview 90

type 90
wireless security 269
Wireless tutorial 65, 73

WPS 73
Wizard setup 49

Bandwidth management 62

complete 63

Internet connection 54

system information 50

wireless LAN 51
WLAN

Interference 311

Security Parameters 319
WMM 94
WMM priorities 94
WoL. See Wake On LAN.
World Wide Web 201
WPA compatible 92
WPA, WPA2 316
WPS 34
WWW 105, 201

X

Xbox Live 201

Z

ZyNOS 40, 67

340

NBG460N User’s Guide