ZyXEL Communications G-2000 Plus User Manual

ZyAIR G-2000 Plus
802.11g Wireless 4-port Router

User’s Guide

Version 3.60
4/2005
ZyAIR G-2000 Plus User’s Guide
Copyright © 2005 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Copyright 2
ZyAIR G-2000 Plus User’s Guide
Federal Communications
Commission (FCC) Interference
Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.

Notice 1

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

Certifications

Go to www.zyxel.com
1 Select your product from the drop-down list box on the ZyXEL home page to go to that
product's page.
2 Select the certification you wish to view from this page

3 Federal Communications Commission (FCC) Interference Statement

ZyAIR G-2000 Plus User’s Guide

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Safety Warnings

1 To reduce the risk of fire, use only No. 26 AWG or larger telephone wire.
2 Do not use this product near water, for example, in a wet basement or near a swimming
pool.
3 Avoid using this product during an electrical storm. There may be a remote risk of
electric shock from lightening.
This product has been designed for the WLAN 2.4 GHz network throughout the EC region and Switzerland, with restrictions in France.
ZyXEL Limited Warranty 4
ZyAIR G-2000 Plus User’s Guide
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

Customer Support

method
location
Corporate HeadQuarters (Worldwide)
Czech Republic
Denmark support@zyxel.dk +45 39 55 07 00 www.zyxel.dk Z y X E L C o m m u n i c a t i o n s A / S
Finland support@zyxel.fi +358-9-4780-8411 www.zyxel.fi Zy X E L C o mm u n ic a t io n s Oy
France info@zyxel.fr +33 (0)4 72 52 97 97 www.zyxel.fr Z y XE L Fr a nc e
Germany support@zyxel.de +49-2405-6909-0 www.zyxel.de ZyXEL Deutschland GmbH.
North America support@zyxel.com +1-800-255-4101
Norway support@zyxel.no +47 22 80 61 80 www.zyxel.no Z y X E L C o m m u n i c a t i o n s A / S
Support e-mail Telephone
Sales e-mail Fax FTP Site
support@zyxel.com.tw +886-3-578-3942 www.zyxel.com
sales@zyxel.com.tw +886-3-578-2439 ftp.zyxel.com
info@cz.zyxel.com +420 241 091 350 www.zyxel.cz ZyXEL Communications
info@cz.zyxel.com +420 241 091 359
sales@zyxel.dk +45 39 55 07 07
sales@zyxel.fi +358-9-4780 8448
+33 (0)4 72 52 19 20
sales@zyxel.de +49-2405-6909-99
+1-714-632-0882
sales@zyxel.com +1-714-632-0858 ftp.us.zyxel.com
sales@zyxel.no +47 22 80 61 81
a
Web Site Regular Mail
ZyXEL Communications Corp.
www.europe.zyxel.com
ftp.europe.zyxel.com
www.us.zyxel.com ZyXEL Communications Inc.
6 Innov ati on Road II Sc ience Park Hs inchu 3 00 Ta iw a n
Czech s.r.o. Modranská 621 143 01 Praha 4 - Modrany Ceská Republika
Col um bu sv ej 5 2860 Soeborg Denmark
Mal mi nk aa ri 10 00700 Helsinki Finland
1 rue des Ve rg er s Ba t. 1 / C 69760 Limonest France
Adenauerstr. 20/A2 D-52146 Wuerselen Germany
1130 N. Miller St. Ana hei m
CA 92806- 2001 U.S.A.
Ni ls Hansens vei 13 0667 Oslo Norway
5 Customer Support
ZyAIR G-2000 Plus User’s Guide
SPAIN support@zyxel.es +34 902 195 420 www.zyxel.es Z y X E L C o m m u n i c at i o n s
sales@zyxel.es +34 913 005 345
Sweden support@zyxel.se +46 31 744 7700 www.zyxel.se ZyXEL Communications A/S
sales@zyxel.se +46 31 744 7701
United Kingdom
a. “+” is the (prefix) number you enter to make an international telephone call.
technical@zyxel.co.uk +44 (0) 8702 909090 www.zyxel.co.uk ZyXEL Communications UK
sales@zyxel.co.uk +44 (0) 8702 909091 ftp.zyxel.co.uk
A l e j a n d r o V i l l e g a s 3 3 1 º , 2 8 0 4 3 M a d r i d Spain
Sjöporten 4, 41764 Göteborg Sweden
Ltd.,11, The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)
Customer Support 6
ZyAIR G-2000 Plus User’s Guide
7 Customer Support
ZyAIR G-2000 Plus User’s Guide

Table of Contents

Copyright .................................................................................................................. 2
Federal Communications Commission (FCC) Interference Statement ............... 3
ZyXEL Limited Warranty.......................................................................................... 4
Customer Support.................................................................................................... 5
Preface .................................................................................................................... 32
Chapter 1
Getting to Know Your ZyAIR ................................................................................. 36
1.1 Introducing the ZyAIR .......................................................................................36
1.2 ZyAIR Features ..................................................................................................36
1.2.1 Physical Features .....................................................................................36
1.2.1.1 4-Port Switch ...................................................................................36
1.2.1.2 10/100M Auto-negotiating Ethernet/Fast Ethernet Interface ...........36
1.2.1.3 10/100M Auto-crossover Ethernet/Fast Ethernet Interface .............36
1.2.1.4 10/100 Mbps Ethernet WAN ............................................................37
1.2.1.5 Reset Button ...................................................................................37
1.2.1.6 ZyAIR LED ......................................................................................37
1.2.2 Firmware Features ....................................................................................37
1.2.2.1 Internal RADIUS Server ..................................................................37
1.2.2.2 Wi-Fi Protected Access ...................................................................37
1.2.2.3 802.11b Wireless LAN Standard .....................................................37
1.2.2.4 802.11g Wireless LAN Standard .....................................................38
1.2.2.5 STP (Spanning Tree Protocol) / RSTP (Rapid STP) .......................38
1.2.2.6 Certificates ......................................................................................38
1.2.2.7 Limit the number of Client Connections ..........................................38
1.2.2.8 SSL Passthrough ............................................................................38
1.2.2.9 Firewall ............................................................................................39
1.2.2.10 Brute-Force Password Guessing Protection ................................39
1.2.2.11 Wireless LAN MAC Address Filtering ............................................39
1.2.2.12 WEP Encryption ............................................................................39
1.2.2.13 IEEE 802.1X Network Security .....................................................39
1.2.2.14 Universal Plug and Play (UPnP) ...................................................39
1.2.2.15 Dynamic DNS Support ..................................................................39
Table of Contents 8
ZyAIR G-2000 Plus User’s Guide
1.2.2.16 PPPoE Support (RFC2516) ..........................................................40
1.2.2.17 PPTP Encapsulation .....................................................................40
1.2.2.18 Network Address Translation (NAT) ..............................................40
1.2.2.19 Traffic Redirect ..............................................................................40
1.2.2.20 NAT for Single-IP-address Internet Access ...................................40
1.2.2.21 DHCP (Dynamic Host Configuration Protocol) ..............................40
1.2.2.22 Multicast ........................................................................................41
1.2.2.23 IP Alias ..........................................................................................41
1.2.2.24 IP Policy Routing ...........................................................................41
1.2.2.25 SNMP ............................................................................................41
1.2.2.26 Full Network Management ............................................................41
1.2.2.27 Logging and Tracing ......................................................................41
1.2.2.28 Diagnostics Capabilities ................................................................41
1.2.2.29 Embedded FTP and TFTP Servers ...............................................42
1.2.2.30 Wireless Association List ..............................................................42
1.2.2.31 Wireless LAN Channel Usage .......................................................42
1.3 Applications for the ZyAIR ..................................................................................42
1.3.1 Internet Access Application ......................................................................42
Chapter 2
Introducing the Web Configurator........................................................................ 44
2.1 Web Configurator Overview ...............................................................................44
2.2 Accessing the ZyAIR Web Configurator .............................................................44
2.3 Resetting the ZyAIR ...........................................................................................46
2.3.1 .Procedure To Use The Reset Button .......................................................46
2.3.2 Method of Restoring Factory-Defaults Via Web Configurator ...................46
2.4 Navigating the ZyAIR Web Configurator ............................................................46
Chapter 3
Wizard Setup .......................................................................................................... 48
3.1 Wizard Setup Overview ......................................................................................48
3.1.1 Channel ....................................................................................................48
3.1.2 ESS ID ......................................................................................................48
3.1.3 WEP Encryption ........................................................................................48
3.1.4 WPA-PSK .................................................................................................49
3.2 Wizard Setup: General Setup ............................................................................49
3.3 Wizard Setup: Wireless LAN ..............................................................................50
3.4 Wizard Setup: Screen 3 .....................................................................................51
3.5 Wizard Setup: Screen 4 .....................................................................................53
3.5.1 Ethernet ....................................................................................................53
3.5.2 PPPoE Encapsulation ...............................................................................55
3.5.3 PPTP Encapsulation .................................................................................56
3.6 Wizard Setup: Screen 5 .....................................................................................58
9 Table of Contents
ZyAIR G-2000 Plus User’s Guide
3.6.1 WAN IP Address Assignment ...................................................................58
3.6.2 IP Address and Subnet Mask ...................................................................59
3.6.3 DNS Server Address Assignment .............................................................59
3.6.4 WAN MAC Address ..................................................................................59
3.7 Basic Setup Complete ........................................................................................62
Chapter 4
System Screens ..................................................................................................... 64
4.1 System Overview ...............................................................................................64
4.2 Configuring General Setup .................................................................................64
4.3 Dynamic DNS .....................................................................................................65
4.3.1 DynDNS Wildcard .....................................................................................65
4.4 Configuring Dynamic DNS .................................................................................66
4.5 Configuring Password ........................................................................................67
4.6 Configuring Time Setting ...................................................................................68
Chapter 5
LAN Screens...........................................................................................................70
5.1 LAN Overview ....................................................................................................70
5.2 DHCP Setup .......................................................................................................70
5.2.1 IP Pool Setup ............................................................................................70
5.2.2 System DNS Servers ................................................................................70
5.3 LAN TCP/IP ........................................................................................................70
5.3.1 Factory LAN Defaults ................................................................................70
5.3.2 IP Address and Subnet Mask ...................................................................71
5.3.3 RIP Setup .................................................................................................71
5.3.4 Multicast ....................................................................................................71
5.4 Configuring IP ....................................................................................................72
5.5 Configuring Static DHCP ....................................................................................75
5.6 Configuring IP Alias ............................................................................................76
Chapter 6
Wireless Configuration and Roaming .................................................................. 78
6.1 Wireless LAN Overview .....................................................................................78
6.1.1 IBSS ..........................................................................................................78
6.1.2 BSS ...........................................................................................................78
6.1.3 ESS ...........................................................................................................79
6.2 Wireless LAN Basics ..........................................................................................80
6.2.1 RTS/CTS .................................................................................................80
6.2.2 Fragmentation Threshold ..........................................................................81
6.3 Configuring Wireless ..........................................................................................82
6.4 Configuring Roaming .........................................................................................84
6.4.1 Requirements for Roaming .......................................................................85
Table of Contents 10
ZyAIR G-2000 Plus User’s Guide
Chapter 7
Wireless Security ................................................................................................... 88
7.1 Wireless Security Overview ...............................................................................88
7.2 Security Parameters Summary ..........................................................................90
7.3 WEP Overview ...................................................................................................90
7.3.1 Data Encryption .......................................................................................90
7.3.1.1 Authentication .................................................................................90
7.4 Configuring WEP Encryption ..............................................................................91
7.5 Introduction to WPA ...........................................................................................93
7.5.1 User Authentication .................................................................................93
7.5.2 Encryption ................................................................................................94
7.5.3 WPA-PSK Application Example ................................................................94
7.6 Configuring WPA-PSK Authentication ................................................................95
7.7 Wireless Client WPA Supplicants .......................................................................97
7.7.1 WPA with RADIUS Application Example ..................................................97
7.8 Configuring WPA Authentication ........................................................................98
7.9 Introduction to RADIUS ....................................................................................100
7.9.1 Types of RADIUS Messages ..................................................................100
7.9.1.1 Access-Challenge .........................................................................100
7.9.1.2 Accounting-Request ......................................................................101
7.9.1.3 Accounting-Response ...................................................................101
7.9.1.4 EAP Authentication Overview .......................................................101
7.10 Configuring RADIUS ......................................................................................102
7.11 802.1x Overview .............................................................................................104
7.12 Dynamic WEP Key Exchange ........................................................................104
7.13 Configuring 802.1x and Dynamic WEP Key Exchange ..................................105
7.14 Configuring 802.1x and Static WEP Key Exchange .......................................107
7.15 Configuring 802.1x .........................................................................................110
7.16 MAC Filter ......................................................................................................112
Chapter 8
Internal RADIUS Server ....................................................................................... 114
8.1 Internal RADIUS Overview ...............................................................................114
8.2 Internal RADIUS Server Setting ....................................................................... 116
8.3 Trusted AP Overview .......................................................................................118
8.4 Configuring Trusted AP .................................................................................... 119
8.5 Trusted Users Overview ...................................................................................120
8.6 Configuring Trusted Users ...............................................................................120
Chapter 9
WAN....................................................................................................................... 124
9.1 WAN Overview .................................................................................................124
9.2 Configuring WAN ISP .......................................................................................124
11 Table of Contents
ZyAIR G-2000 Plus User’s Guide
9.2.1 Ethernet Encapsulation ...........................................................................124
9.2.1.1 Service Type .................................................................................125
9.2.2 PPPoE Encapsulation .............................................................................126
9.2.3 PPTP Encapsulation ...............................................................................129
9.3 TCP/IP Priority (Metric) ....................................................................................131
9.4 Configuring WAN IP .........................................................................................131
9.5 Configuring WAN MAC .....................................................................................134
Chapter 10
Single User Account (SUA) / Network Address Translation (NAT).................. 136
10.1 NAT Overview ................................................................................................136
10.1.1 NAT Definitions .....................................................................................136
10.1.2 What NAT Does ....................................................................................137
10.1.3 How NAT Works ...................................................................................137
10.1.4 NAT Application ....................................................................................138
10.1.5 NAT Mapping Types .............................................................................139
10.2 Using NAT ......................................................................................................140
10.2.1 SUA (Single User Account) Versus NAT ..............................................140
10.3 SUA Server ....................................................................................................140
10.3.1 Default Server IP Address ....................................................................141
10.3.2 Port Forwarding: Services and Port Numbers ......................................141
10.3.3 Configuring Servers Behind SUA (Example) ........................................142
10.4 Configuring SUA Server ................................................................................143
10.5 Configuring Address Mapping ........................................................................145
10.5.1 Configuring Address Mapping ..............................................................147
10.6 Trigger Port Forwarding .................................................................................148
10.6.1 Trigger Port Forwarding Example .........................................................148
10.6.2 Two Points To Remember About Trigger Ports .....................................149
10.7 Configuring Trigger Port Forwarding ..............................................................149
Chapter 11
Static Route Screens ........................................................................................... 152
11.1 Static Route Overview ....................................................................................152
11.2 Configuring IP Static Route ............................................................................152
11.2.1 Configuring Route Entry ........................................................................153
Chapter 12
Remote Management Screens ............................................................................ 156
12.1 Remote Management Overview .....................................................................156
12.1.1 Remote Management Limitations .........................................................156
12.1.2 Remote Management and NAT ............................................................157
12.1.3 System Timeout ...................................................................................157
12.2 Configuring WWW ..........................................................................................157
Table of Contents 12
ZyAIR G-2000 Plus User’s Guide
12.3 Configuring Telnet ..........................................................................................158
12.4 Configuring TELNET ......................................................................................159
12.5 Configuring FTP .............................................................................................160
12.6 SNMP .............................................................................................................161
12.6.1 Supported MIBs ....................................................................................162
12.6.2 SNMP Traps .........................................................................................162
12.6.3 Configuring SNMP ................................................................................163
12.7 Configuring DNS ............................................................................................165
12.8 Configuring Security .......................................................................................166
Chapter 13
UPnP...................................................................................................................... 168
13.1 Universal Plug and Play Overview ................................................................168
13.1.1 How Do I Know If I'm Using UPnP? ......................................................168
13.1.2 NAT Traversal .......................................................................................168
13.1.3 Cautions with UPnP ..............................................................................168
13.2 UPnP and ZyXEL ...........................................................................................169
13.3 Configuring UPnP ..........................................................................................169
13.4 Installing UPnP in Windows Example ............................................................170
13.4.1 Installing UPnP in Windows Me ............................................................171
13.4.2 Installing UPnP in Windows XP ............................................................172
13.5 Using UPnP in Windows XP Example ...........................................................173
13.5.1 Auto-discover Your UPnP-enabled Network Device .............................174
13.5.2 Web Configurator Easy Access ............................................................175
13.5.3 Web Configurator Easy Access ............................................................176
Chapter 14
Firewalls................................................................................................................178
14.1 Firewall Overview ...........................................................................................178
14.2 Types of Firewalls ..........................................................................................178
14.2.1 Packet Filtering Firewalls ......................................................................178
14.2.2 Application-level Firewalls ....................................................................178
14.2.3 Stateful Inspection Firewalls .................................................................179
14.3 Introduction to ZyXEL’s Firewall .....................................................................179
14.4 Denial of Service ............................................................................................180
14.4.1 Basics ...................................................................................................180
14.4.2 Types of DoS Attacks ...........................................................................181
14.4.2.1 ICMP Vulnerability ......................................................................184
14.4.2.2 Traceroute ...................................................................................184
14.5 Stateful Inspection ..........................................................................................185
14.5.1 Stateful Inspection Process ..................................................................185
14.5.2 Stateful Inspection and the ZyAIR ........................................................186
14.5.3 TCP Security .........................................................................................187
13 Table of Contents
ZyAIR G-2000 Plus User’s Guide
14.5.4 UDP/ICMP Security ..............................................................................187
14.5.5 Upper Layer Protocols ..........................................................................188
14.6 Guidelines For Enhancing Security With Your Firewall ..................................188
14.7 Packet Filtering Vs Firewall ............................................................................188
14.7.1 Packet Filtering: ....................................................................................189
14.7.1.1 When To Use Filtering .................................................................189
14.7.2 Firewall .................................................................................................189
14.7.2.1 When To Use The Firewall ..........................................................189
Chapter 15
Firewall Screens...................................................................................................192
15.1 Access Methods .............................................................................................192
15.2 Firewall Policies Overview .............................................................................192
15.3 Rule Logic Overview ......................................................................................193
15.3.1 Rule Checklist .......................................................................................193
15.3.2 Security Ramifications ..........................................................................194
15.3.3 Key Fields For Configuring Rules .........................................................194
15.3.3.1 Action ..........................................................................................194
15.3.3.2 Service ........................................................................................194
15.3.3.3 Source Address ...........................................................................194
15.3.3.4 Destination Address ....................................................................194
15.4 Connection Direction Examples .....................................................................195
15.4.1 LAN to WAN Rules ...............................................................................195
15.4.2 WAN to LAN Rules ...............................................................................195
15.5 Alerts ..............................................................................................................196
15.6 Configuring Firewall .......................................................................................196
15.6.1 Rule Summary ......................................................................................197
15.6.2 Configuring Firewall Rules ....................................................................199
15.6.3 Configuring Custom Services ...............................................................202
15.7 Example Firewall Rule ...................................................................................203
15.8 Predefined Services .......................................................................................206
Chapter 16
Content Filtering ................................................................................................. 210
16.1 Introduction to Content Filtering .....................................................................210
16.2 Restrict Web Features ...................................................................................210
16.3 Days and Times .............................................................................................210
16.4 Configure Content Filtering ............................................................................210
Chapter 17
Certificates............................................................................................................ 214
17.1 Certificates Overview .....................................................................................214
17.1.1 Advantages of Certificates ....................................................................215
Table of Contents 14
ZyAIR G-2000 Plus User’s Guide
17.2 Self-signed Certificates ..................................................................................215
17.3 Configuration Summary .................................................................................215
17.4 My Certificates ...............................................................................................215
17.5 Certificate File Formats ..................................................................................218
17.6 Importing a Certificate ....................................................................................218
17.7 Creating a Certificate .....................................................................................219
17.8 My Certificate Details .....................................................................................222
17.9 Trusted CAs ...................................................................................................225
17.10 Importing a Trusted CA’s Certificate .............................................................227
17.11 Trusted CA Certificate Details ......................................................................228
Chapter 18
Log Screens.......................................................................................................... 232
18.1 Configuring View Log .....................................................................................232
18.2 Configuring Log Settings ................................................................................233
18.3 Configuring Reports .......................................................................................236
Chapter 19
Maintenance ......................................................................................................... 240
19.1 Maintenance Overview ...................................................................................240
19.2 System Status Screen ....................................................................................240
19.2.1 System Statistics ...................................................................................242
19.3 DHCP Table Screen .......................................................................................242
19.4 Association List ..............................................................................................243
19.5 F/W Upload Screen ........................................................................................244
19.6 Configuration Screen .....................................................................................247
19.6.1 Backup Configuration ...........................................................................248
19.6.2 Restore Configuration ..........................................................................248
19.6.3 Back to Factory Defaults .......................................................................250
19.7 Restart Screen ...............................................................................................250
Chapter 20
Introducing the SMT ............................................................................................252
20.1 SMT Introduction ............................................................................................252
20.2 Connect to your ZyAIR Using Telnet ..............................................................252
20.2.1 Entering Password ................................................................................252
20.3 Changing the System Password ....................................................................253
20.4 ZyAIR SMT Menu Overview Example ............................................................253
20.5 Navigating the SMT Interface .........................................................................254
20.5.1 System Management Terminal Interface Summary ..............................256
20.6 Changing the System Password ....................................................................256
15 Table of Contents
ZyAIR G-2000 Plus User’s Guide
Chapter 21
General Setup.......................................................................................................258
21.1 General Setup ................................................................................................258
21.1.1 Procedure To Configure Menu 1 ...........................................................258
21.1.2 Procedure to Configure Dynamic DNS .................................................260
Chapter 22
Menu 2 WAN Setup .............................................................................................. 262
22.1 Introduction to WAN .......................................................................................262
22.2 WAN Setup .....................................................................................................262
Chapter 23
LAN Setup.............................................................................................................264
23.1 LAN Setup ......................................................................................................264
23.1.1 General Ethernet Setup ........................................................................264
23.2 Protocol Dependent Ethernet Setup ..............................................................265
23.3 TCP/IP Ethernet Setup and DHCP ................................................................265
23.3.1 IP Alias Setup .......................................................................................267
23.4 Wireless LAN Setup .......................................................................................268
23.4.1 Configuring MAC Address Filter ...........................................................270
Chapter 24
Internet Access .................................................................................................... 274
24.1 Introduction to Internet Access Setup ............................................................274
24.2 Ethernet Encapsulation ..................................................................................274
24.3 Configuring the PPTP Client ..........................................................................276
24.4 Configuring the PPPoE Client ........................................................................277
24.5 Basic Setup Complete ....................................................................................278
Chapter 25
Remote Node Configuration ...............................................................................280
25.1 Introduction to Remote Node Setup ...............................................................280
25.2 Remote Node Profile Setup ...........................................................................280
25.2.1 Ethernet Encapsulation .........................................................................280
25.2.2 PPPoE Encapsulation ...........................................................................282
25.2.2.1 Outgoing Authentication Protocol ................................................283
25.2.2.2 Nailed-Up Connection .................................................................283
25.2.3 PPTP Encapsulation .............................................................................284
25.3 Edit IP .............................................................................................................285
25.4 Remote Node Filter ........................................................................................287
Table of Contents 16
ZyAIR G-2000 Plus User’s Guide
Chapter 26
Static Route Setup ............................................................................................... 290
26.1 IP Static Route Setup .....................................................................................290
Chapter 27
Dial-in User Setup ................................................................................................ 292
27.1 Dial-in User Setup ..........................................................................................292
Chapter 28
Network Address Translation (NAT)...................................................................294
28.1 Using NAT ......................................................................................................294
28.1.1 SUA (Single User Account) Versus NAT ..............................................294
28.2 Applying NAT .................................................................................................294
28.3 NAT Setup ......................................................................................................296
28.3.1 Address Mapping Sets ..........................................................................297
28.3.1.1 User-Defined Address Mapping Sets ..........................................298
28.3.1.2 Ordering Your Rules ....................................................................299
28.4 Configuring a Server behind NAT ..................................................................301
28.5 General NAT Examples ..................................................................................302
28.5.1 Example 1: Internet Access Only ..........................................................302
28.5.2 Example 2: Internet Access with an Inside Server ...............................303
28.5.3 Example 3: Multiple Public IP Addresses With Inside Servers .............304
28.5.4 Example 4: NAT Unfriendly Application Programs ...............................308
28.6 Configuring Trigger Port Forwarding .............................................................310
Chapter 29
Filter Configuration..............................................................................................312
29.1 Introduction to Filters ......................................................................................312
29.1.1 The Filter Structure of the ZyAIR ..........................................................313
29.2 Configuring a Filter Set ..................................................................................314
29.2.1 Configuring a Filter Rule .......................................................................316
29.2.2 Configuring a TCP/IP Filter Rule ..........................................................317
29.2.3 Configuring a Generic Filter Rule .........................................................319
29.3 Example Filter ................................................................................................321
29.4 Filter Types and NAT ......................................................................................323
29.5 Firewall Versus Filters ....................................................................................324
29.6 Applying a Filter ............................................................................................324
29.6.1 Applying LAN Filters .............................................................................324
29.6.2 Applying Remote Node Filters ..............................................................325
Chapter 30
Enabling the Firewall ........................................................................................... 326
30.1 Remote Management and the Firewall ..........................................................326
17 Table of Contents
ZyAIR G-2000 Plus User’s Guide
30.2 Access Methods .............................................................................................326
30.3 Enabling the Firewall ......................................................................................326
Chapter 31
SNMP Configuration ............................................................................................ 328
31.1 About SNMP ..................................................................................................328
31.2 Supported MIBs ............................................................................................329
31.3 SNMP Configuration ......................................................................................329
31.4 SNMP Traps ...................................................................................................330
Chapter 32
System Security ................................................................................................... 332
32.1 System Security .............................................................................................332
32.1.1 System Password .................................................................................332
32.1.2 Configuring External RADIUS Server ...................................................332
32.1.3 802.1x ...................................................................................................334
Chapter 33
System Information and Diagnosis .................................................................... 338
33.1 System Status ................................................................................................338
33.2 System Information ........................................................................................340
33.2.1 System Information ...............................................................................340
33.2.2 Console Port Speed ..............................................................................341
33.3 Log and Trace ................................................................................................341
33.3.1 Viewing Error Log .................................................................................341
33.3.2 UNIX Syslog .........................................................................................342
33.3.2.1 CDR ............................................................................................343
33.3.2.2 Packet triggered ..........................................................................343
33.3.2.3 Filter log .....................................................................................344
33.3.2.4 PPP log ......................................................................................344
33.3.2.5 Firewall log ..................................................................................345
33.3.3 Call-Triggering Packet ..........................................................................345
33.4 Diagnostic ......................................................................................................346
33.4.1 WAN DHCP ..........................................................................................347
Chapter 34
Firmware and Configuration File Maintenance ................................................. 350
34.1 Filename Conventions ...................................................................................350
34.2 Backup Configuration .....................................................................................351
34.2.1 Backup Configuration Using FTP .........................................................351
34.2.2 Using the FTP command from the DOS Prompt ..................................352
34.2.3 GUI-based FTP Clients .........................................................................353
34.2.4 TFTP and FTP over WAN Management Limitations .............................353
Table of Contents 18
ZyAIR G-2000 Plus User’s Guide
34.2.5 Backup Configuration Using TFTP .......................................................354
34.2.6 Example: TFTP Command ...................................................................354
34.2.7 GUI-based TFTP Clients ......................................................................355
34.3 Restore Configuration ...................................................................................355
34.3.1 Restore Using FTP ...............................................................................355
34.3.2 Restore Using FTP Session Example ..................................................356
34.4 Uploading Firmware and Configuration Files .................................................357
34.4.1 Firmware Upload ..................................................................................357
34.4.2 Configuration File Upload .....................................................................358
34.4.3 Using the FTP command from the DOS Prompt Example ...................358
34.4.4 TFTP File Upload ..................................................................................359
34.4.5 Example: TFTP Command ...................................................................360
Chapter 35
System Maintenance and Information ...............................................................362
35.1 Command Interpreter Mode ...........................................................................362
35.2 Call Control Support .......................................................................................363
35.2.1 Budget Management ............................................................................364
35.2.2 Call History ...........................................................................................364
35.3 Time and Date Setting ....................................................................................365
35.3.1 Resetting the Time ................................................................................367
Chapter 36
Remote Management ........................................................................................... 368
36.1 Remote Management .....................................................................................368
36.1.1 Telnet ....................................................................................................369
36.1.2 FTP .......................................................................................................370
36.1.3 Web ......................................................................................................370
36.1.4 Remote Management Limitations .........................................................370
36.2 Remote Management and NAT ......................................................................370
36.3 System Timeout .............................................................................................371
Chapter 37
Call Scheduling .................................................................................................... 372
37.1 Introduction to Call Scheduling ......................................................................372
Appendix A
Troubleshooting................................................................................................... 376
Appendix B
Brute-Force Password Guessing Protection..................................................... 378
Appendix C
Setting up Your Computer’s IP Address............................................................ 380
19 Table of Contents
ZyAIR G-2000 Plus User’s Guide
Appendix D
IP Address Assignment Conflicts ......................................................................392
Appendix E
IP Subnetting ........................................................................................................ 396
Appendix F
Command Interpreter........................................................................................... 404
Appendix G
Log Descriptions.................................................................................................. 406
Appendix H
Wireless LAN and IEEE 802.11 ...........................................................................410
Appendix I
Wireless LAN With IEEE 802.1x .......................................................................... 414
Appendix J
Types of EAP Authentication.............................................................................. 418
Appendix K
Antenna Selection and Positioning Recommendation..................................... 420
Appendix L
Power Adaptor Specifications ............................................................................ 422
Table of Contents 20
ZyAIR G-2000 Plus User’s Guide
21 Table of Contents
ZyAIR G-2000 Plus User’s Guide

List of Figures

Figure 1 Internet Access Application Example .................................................................... 42
Figure 2 Change Password Screen .................................................................................... 45
Figure 3 Replace Certificate Screen ................................................................................... 45
Figure 4 The MAIN MENU Screen of the Web Configurator ............................................... 47
Figure 5 Wizard 1 : General Setup ...................................................................................... 50
Figure 6 Wizard 2 : Wireless LAN Setup ............................................................................. 51
Figure 7 Wizard 3: Wireless LAN Setup: Basic Security ..................................................... 52
Figure 8 Wizard 3: Wireless LAN Setup: Extend Security .................................................. 53
Figure 9 Wizard 4: Ethernet Encapsulation ......................................................................... 54
Figure 10 Wizard 4: PPPoE Encapsulation ......................................................................... 56
Figure 11 Wizard 4: PPTP Encapsulation ........................................................................... 57
Figure 12 Wizard 5: WAN Setup ......................................................................................... 61
Figure 13 Wizard Finish ...................................................................................................... 63
Figure 14 System General Setup ........................................................................................ 64
Figure 15 DDNS .................................................................................................................. 66
Figure 16 Password. ........................................................................................................... 67
Figure 17 Time Setting ........................................................................................................ 68
Figure 18 LAN IP ................................................................................................................. 73
Figure 19 Static DHCP ........................................................................................................ 76
Figure 20 IP Alias ................................................................................................................ 77
Figure 21 IBSS (Ad-hoc) Wireless LAN .............................................................................. 78
Figure 22 Basic Service set ................................................................................................ 79
Figure 23 Extended Service Set ......................................................................................... 80
Figure 24 RTS/CTS ............................................................................................................ 81
Figure 25 Wireless ............................................................................................................. 83
Figure 26 Roaming Example ............................................................................................... 84
Figure 27 Roaming ..............................................................................................................86
Figure 28 ZyAIR Wireless Security Levels .......................................................................... 88
Figure 29 Wireless: No Security .......................................................................................... 89
Figure 30 WEP Authentication Steps .................................................................................. 91
Figure 31 Wireless: Static WEP Encryption ........................................................................ 92
Figure 32 WPA - PSK Authentication .................................................................................. 95
Figure 33 Wireless: WPA-PSK ............................................................................................ 96
Figure 34 WPA with RADIUS Application Example ............................................................ 98
Figure 35 Wireless: WPA .................................................................................................... 99
Figure 36 EAP Authentication ............................................................................................. 101
List of Figures 22
ZyAIR G-2000 Plus User’s Guide
Figure 37 Wireless: WPA .................................................................................................... 103
Figure 38 Wireless: 802.1x and Dynamic WEP .................................................................. 106
Figure 39 Wireless: 802.1x and Static WEP ....................................................................... 108
Figure 40 Wireless: 802.1x ................................................................................................. 111
Figure 41 MAC Address Filter ............................................................................................. 113
Figure 42 ZyAIR Authenticates Wireless Stations ............................................................... 115
Figure 43 ZyAIR Authenicates other AP’s ........................................................................... 115
Figure 44 Internal RADIUS Server Setting Screen ............................................................ 117
Figure 45 Trusted AP Overview .......................................................................................... 118
Figure 46 Trusted AP Screen .............................................................................................. 119
Figure 47 Trusted Users Screen ......................................................................................... 121
Figure 48 Ethernet Encapsulation ....................................................................................... 125
Figure 49 Ethernet Encapsulation ....................................................................................... 126
Figure 50 PPPoE Encapsulation ......................................................................................... 128
Figure 51 PPTP Encapsulation ........................................................................................... 130
Figure 52 WAN: IP .............................................................................................................132
Figure 53 MAC Setup .......................................................................................................... 134
Figure 54 How NAT Works .................................................................................................. 138
Figure 55 NAT Application With IP Alias ............................................................................. 139
Figure 56 Multiple Servers Behind NAT Example ............................................................... 143
Figure 57 SUA/NAT Setup .................................................................................................. 144
Figure 58 Address Mapping ................................................................................................ 146
Figure 59 Address Mapping Edit ......................................................................................... 147
Figure 60 Trigger Port Forwarding Process: Example ........................................................ 149
Figure 61 Trigger Port .........................................................................................................150
Figure 62 Example of Static Routing Topology ................................................................... 152
Figure 63 Static Route .........................................................................................................153
Figure 64 Static Route: Edit ................................................................................................ 154
Figure 65 Remote Management: WWW ............................................................................. 158
Figure 66 Telnet Configuration on a TCP/IP Network ......................................................... 159
Figure 67 Remote Management: Telnet .............................................................................. 159
Figure 68 Remote Management: FTP ................................................................................. 160
Figure 69 SNMP Management Model ................................................................................. 161
Figure 70 Remote Management: SNMP ............................................................................. 164
Figure 71 Remote Management: DNS ................................................................................ 165
Figure 72 Security ............................................................................................................... 167
Figure 73 Configuring UPnP ............................................................................................... 170
Figure 74 ZyAIR Firewall Application .................................................................................. 180
Figure 75 Three-Way Handshake ....................................................................................... 182
Figure 76 SYN Flood ........................................................................................................... 183
Figure 77 Smurf Attack ....................................................................................................... 184
Figure 78 Stateful Inspection ............................................................................................... 185
Figure 79 LAN to WAN Traffic ............................................................................................. 195
23 List of Figures
ZyAIR G-2000 Plus User’s Guide
Figure 80 WAN to LAN Traffic ............................................................................................. 196
Figure 81 Default Rule ....................................................................................................... 197
Figure 82 Rule Summary .................................................................................................... 198
Figure 83 Creating/Editing A Firewall Rule ......................................................................... 200
Figure 84 Creating/Editing A Custom Service ..................................................................... 202
Figure 85 Rule Summary .................................................................................................... 203
Figure 86 Rule Edit Example .............................................................................................. 204
Figure 87 Edit Custom Service Example ............................................................................ 204
Figure 88 My Service Rule Configuration ........................................................................... 205
Figure 89 My Service Example Rule Summary .................................................................. 206
Figure 90 Content Filter ...................................................................................................... 211
Figure 91 My Certificates .................................................................................................... 216
Figure 92 My Certificate Import ........................................................................................... 219
Figure 93 My Certificate Create .......................................................................................... 220
Figure 94 My Certificate Details .......................................................................................... 223
Figure 95 Trusted CAs ........................................................................................................ 226
Figure 96 Trusted CA Import ............................................................................................... 227
Figure 97 Trusted CA Details .............................................................................................. 229
Figure 98 View Log .............................................................................................................232
Figure 99 Log Settings ........................................................................................................ 234
Figure 100 Reports .............................................................................................................237
Figure 101 System Status ................................................................................................... 241
Figure 102 System Status: Show Statistics ......................................................................... 242
Figure 103 Maintenance DHCP Table ................................................................................. 243
Figure 104 Association List ................................................................................................. 244
Figure 105 Firmware Upload ............................................................................................... 245
Figure 106 Firmware Upload In Process ............................................................................. 246
Figure 107 Network Temporarily Disconnecte .................................................................... 246
Figure 108 Firmware Upload Error ...................................................................................... 247
Figure 109 Configuration ..................................................................................................... 248
Figure 110 Configuration Upload Successful ...................................................................... 249
Figure 111 Network Temporarily Disconnected ................................................................... 249
Figure 112 Configuration Upload Error ............................................................................... 250
Figure 113 Reset Warning Message ................................................................................... 250
Figure 114 Restart Screen .................................................................................................. 251
Figure 115 Login Screen ..................................................................................................... 252
Figure 116 Login Screen ..................................................................................................... 253
Figure 117 Menu 23.1 System Security : Change Password .............................................. 253
Figure 118 ZyAIR G-2000 Plus SMT Menu Overview Example .......................................... 254
Figure 119 ZyAIR G-2000 Plus SMT Main Menu ............................................................... 256
Figure 120 Menu 23: System Security ................................................................................ 257
Figure 121 Menu 23 System Password .............................................................................. 257
Figure 122 Menu 1 General Setup ...................................................................................... 259
List of Figures 24
ZyAIR G-2000 Plus User’s Guide
Figure 123 Menu 1.1 Configure Dynamic DNS .................................................................. 260
Figure 124 Menu 2 WAN Setup .......................................................................................... 262
Figure 125 Menu 3 LAN Setup ........................................................................................... 264
Figure 126 Menu 3.1 LAN Port Filter Setup. ....................................................................... 264
Figure 127 Menu 3.2 TCP/IP Setup .................................................................................... 265
Figure 128 Physical Network & Partitioned Logical Networks ............................................ 267
Figure 129 Menu 3.2.1: IP Alias Setup ............................................................................... 268
Figure 130 Menu 3.5 Wireless LAN Setup .......................................................................... 269
Figure 131 Menu 3.5 Wireless LAN Setup ......................................................................... 271
Figure 132 Menu 3.5.1 WLAN MAC Address Filter ............................................................ 272
Figure 133 Menu 4 Internet Access Setup .......................................................................... 275
Figure 134 Internet Access Setup (PPTP) ......................................................................... 277
Figure 135 Internet Access Setup (PPPoE) ........................................................................ 278
Figure 136 Menu 11.1 Remote Node Profile for Ethernet Encapsulation ............................ 281
Figure 137 Menu 11.1 Remote Node Profile for PPPoE Encapsulation .............................. 283
Figure 138 Menu 11.1 Remote Node Profile for PPTP Encapsulation ................................ 285
Figure 139 Menu 11.3 Remote Node Network Layer Options for Ethernet Encapsulation . 286
Figure 140 Menu 11.5: Remote Node Filter (Ethernet Encapsulation) ................................ 288
Figure 141 Menu 11.5: Remote Node Filter (PPPoE and PPTP Encapsulation) ................ 288
Figure 142 Menu 12 IP Static Route Setup ........................................................................ 290
Figure 143 Menu12.1 Edit IP Static Route .......................................................................... 291
Figure 144 Menu 14- Dial-in User Setup ............................................................................. 292
Figure 145 Menu 14.1- Edit Dial-in User ............................................................................. 293
Figure 146 Menu 4 Applying NAT for Internet Access ........................................................ 295
Figure 147 Menu 11.3 Applying NAT to the Remote Node ................................................. 296
Figure 148 Menu 15 NAT Setup .......................................................................................... 297
Figure 149 Menu 15.1 Address Mapping Sets .................................................................... 297
Figure 150 Menu 15.1.255 SUA Address Mapping Rules ................................................. 298
Figure 151 Menu 15.1.1 First Set ........................................................................................ 299
Figure 152 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set ......................... 300
Figure 153 Menu 15.2.1 NAT Server Setup ........................................................................ 301
Figure 154 Multiple Servers Behind NAT Example ............................................................. 302
Figure 155 NAT Example 1 ................................................................................................. 303
Figure 156 Menu 4 Internet Access & NAT Example ......................................................... 303
Figure 157 NAT Example 2 ................................................................................................. 304
Figure 158 Menu 15.2.1 Specifying an Inside Server ......................................................... 304
Figure 159 NAT Example 3 ................................................................................................. 305
Figure 160 NAT Example 3: Menu 11.3 .............................................................................. 306
Figure 161 Example 3: Menu 15.1.1.1 ............................................................................... 307
Figure 162 Example 3: Final Menu 15.1.1 .......................................................................... 307
Figure 163 Example 3: Menu 15.2 ...................................................................................... 308
Figure 164 NAT Example 4 ................................................................................................. 309
Figure 165 Example 4: Menu 15.1.1.1 Address Mapping Rule. .......................................... 309
25 List of Figures
ZyAIR G-2000 Plus User’s Guide
Figure 166 Example 4: Menu 15.1.1 Address Mapping Rules ............................................ 310
Figure 167 Menu 15.3 Trigger Port Setup ........................................................................... 311
Figure 168 Outgoing Packet Filtering Process .................................................................... 312
Figure 169 Filter Rule Process ............................................................................................ 314
Figure 170 Menu 21: Filter and Firewall Setup ................................................................... 315
Figure 171 Menu 21.1: Filter Set Configuration .................................................................. 315
Figure 172 Menu 21.1.1.1 TCP/IP Filter Rule. .................................................................... 317
Figure 173 Executing an IP Filter ........................................................................................ 319
Figure 174 Menu 21.1.4.1 Generic Filter Rule .................................................................... 320
Figure 175 Telnet Filter Example ........................................................................................ 321
Figure 176 Example Filter: Menu 21.1.3.1 .......................................................................... 322
Figure 177 Example Filter Rules Summary: Menu 21.1.3 .................................................. 323
Figure 178 Protocol and Device Filter Sets ......................................................................... 324
Figure 179 Filtering LAN Traffic .......................................................................................... 325
Figure 180 Filtering Remote Node Traffic ........................................................................... 325
Figure 181 Menu 21.2 Firewall Setup ................................................................................. 327
Figure 182 SNMP Management Model ............................................................................... 328
Figure 183 Menu 22 SNMP Configuration ......................................................................... 330
Figure 184 Menu 23 System Security ................................................................................. 332
Figure 185 Menu 23 System Security ................................................................................. 333
Figure 186 Menu 23.2 System Security : RADIUS Server .................................................. 333
Figure 187 Menu 23 System Security ................................................................................. 334
Figure 188 Menu 23.4 System Security : IEEE802.1x ........................................................ 335
Figure 189 Menu 24 System Maintenance ......................................................................... 338
Figure 190 Menu 24.1 System Maintenance : Status ......................................................... 339
Figure 191 Menu 24.2 System Information and Console Port Speed ................................. 340
Figure 192 Menu 24.2.1 System Information : Information ................................................. 340
Figure 193 Menu 24.2.2 System Maintenance : Change Console Port Speed ................... 341
Figure 194 Menu 24.3 System Maintenance : Log and Trace ............................................ 342
Figure 195 Menu 24.3.2 System Maintenance : UNIX Syslog ........................................... 342
Figure 196 Call-Triggering Packet Example ........................................................................ 346
Figure 197 LAN & WAN DHCP ........................................................................................... 347
Figure 198 Menu 24.5 Backup Configuration ...................................................................... 352
Figure 199 FTP Session Example ...................................................................................... 353
Figure 200 Menu 24.6 Restore Configuration ..................................................................... 356
Figure 201 Restore Using FTP Session Examplei .............................................................. 356
Figure 202 Menu 24.7 System Maintenance: Upload Firmware ......................................... 357
Figure 203 Menu 24.7.1 System Maintenance : Upload System Firmware ........................ 358
Figure 204 Menu 24.7.2 System Maintenance: Upload System Configuration File ............ 358
Figure 205 FTP Session Example ...................................................................................... 359
Figure 206 Menu 24 System Maintenance ......................................................................... 363
Figure 207 Valid CI Commands .......................................................................................... 363
Figure 208 Menu 24.9 System Maintenance : Call Control ................................................. 364
List of Figures 26
ZyAIR G-2000 Plus User’s Guide
Figure 209 Budget Management ......................................................................................... 364
Figure 210 Menu 24.9.2 - Call History ................................................................................ 365
Figure 211 Menu 24.10 System Maintenance : Time and Date Setting .............................. 366
Figure 212 Menu 24.11 – Remote Management Control .................................................... 369
Figure 213 Telnet Configuration on a TCP/IP Network ....................................................... 370
Figure 214 Menu 26 Schedule Setup .................................................................................. 372
Figure 215 Menu 26.1 Schedule Set Setup ....................................................................... 373
Figure 216 Applying Schedule Set(s) to a Remote Node (PPPoE) .................................... 374
Figure 217 WIndows 95/98/Me: Network: Configuration ..................................................... 381
Figure 218 Windows 95/98/Me: TCP/IP Properties: IP Address ......................................... 382
Figure 219 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ............................ 383
Figure 220 Windows XP: Start Menu .................................................................................. 384
Figure 221 Windows XP: Control Panel .............................................................................. 384
Figure 222 Windows XP: Control Panel: Network Connections: Properties ....................... 385
Figure 223 Windows XP: Local Area Connection Properties .............................................. 385
Figure 224 Windows XP: Advanced TCP/IP Settings ......................................................... 386
Figure 225 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 387
Figure 226 Macintosh OS 8/9: Apple Menu ........................................................................ 388
Figure 227 Macintosh OS 8/9: TCP/IP ................................................................................ 388
Figure 228 Macintosh OS X: Apple Menu ........................................................................... 389
Figure 229 Macintosh OS X: Network ................................................................................. 390
Figure 230 IP Address Conflicts: CaseA ............................................................................. 392
Figure 231 IP Address Conflicts: Case B ........................................................................... 393
Figure 232 IP Address Conflicts: Case C ............................................................................ 393
Figure 233 IP Address Conflicts: Case D ............................................................................ 394
Figure 234 Peer-to-Peer Communication in an Ad-hoc Network ........................................ 411
Figure 235 ESS Provides Campus-Wide Coverage ........................................................... 412
Figure 236 Sequences for EAP MD5–Challenge Authentication ........................................ 415
Figure 237 Sequences for PEAP, MS–CHAP V2 Authentication ........................................ 416
27 List of Figures
ZyAIR G-2000 Plus User’s Guide

List of Tables

Table 1 IEEE 802.11b ......................................................................................................... 37
Table 2 IEEE 802.11g ......................................................................................................... 38
Table 3 Wizard 1 : General Setup ...................................................................................... 50
Table 4 Wizard 2 : Wireless LAN Setup ............................................................................. 51
Table 5 Wizard 3: Wireless LAN Setup: Basic Security ..................................................... 52
Table 6 Wizard 3: Wireless LAN Setup: Extend Security ................................................... 53
Table 7 Wizard 4: Ethernet Encapsulation ......................................................................... 54
Table 8 Wizard 4: PPPoE Encapsulation ........................................................................... 56
Table 9 Wizard 4: PPTP Encapsulation ............................................................................. 57
Table 10 Private IP Address Ranges ................................................................................. 58
Table 11 Example of Network Properties for LAN Servers with Fixed IP Addresses ......... 60
Table 12 Wizard 5: WAN Setup .......................................................................................... 61
Table 13 System General Setup ........................................................................................ 64
Table 14 DDNS .................................................................................................................. 66
Table 15 Password .............................................................................................................67
Table 16 Time Setting ........................................................................................................ 68
Table 17 LAN IP ................................................................................................................. 73
Table 18 Static DHCP ......................................................................................................... 76
Table 19 IP Alias ................................................................................................................ 77
Table 20 Wireless ............................................................................................................... 83
Table 21 Roaming ..............................................................................................................86
Table 22 Wireless No Security ........................................................................................... 89
Table 23 Wireless Security Relational Matrix ..................................................................... 90
Table 24 Wireless: Static WEP Encryption ......................................................................... 92
Table 25 Wireless: WPA-PSK ............................................................................................ 96
Table 26 Wireless: WPA ..................................................................................................... 99
Table 27 RADIUS ...............................................................................................................103
Table 28 Wireless: 802.1x and Dynamic WEP ................................................................... 106
Table 29 Wireless: 802.1x and Static WEP ........................................................................ 108
Table 30 Wireless: 802.1x and No WEP ............................................................................ 111
Table 31 MAC Address Filter ............................................................................................. 113
Table 32 Internal RADIUS Server ...................................................................................... 115
Table 33 My Certificates ..................................................................................................... 117
Table 34 Trusted AP ...........................................................................................................119
Table 35 Trusted Users ...................................................................................................... 121
Table 36 Ethernet Encapsulation ....................................................................................... 125
List of Tables 28
ZyAIR G-2000 Plus User’s Guide
Table 37 Ethernet Encapsulation ....................................................................................... 126
Table 38 PPPoE Encapsulation ......................................................................................... 128
Table 39 PPTP Encapsulation ............................................................................................ 130
Table 40 WAN: IP ............................................................................................................... 132
Table 41 NAT Definitions .................................................................................................... 136
Table 42 NAT Mapping Types ............................................................................................ 140
Table 43 Services and Port Numbers ................................................................................. 142
Table 44 SUA/NAT Setup ................................................................................................... 144
Table 45 Address Mapping ................................................................................................. 146
Table 46 Address Mapping Edit ......................................................................................... 147
Table 47 Trigger Port .......................................................................................................... 150
Table 48 Static Route .........................................................................................................153
Table 49 Static Route: Edit ................................................................................................. 154
Table 50 Remote Management: WWW .............................................................................. 158
Table 51 Remote Management: Telnet .............................................................................. 159
Table 52 Remote Management: FTP ................................................................................. 160
Table 53 SNMP Traps ........................................................................................................ 162
Table 54 Remote Management: SNMP .............................................................................. 164
Table 55 Remote Management: DNS ................................................................................ 165
Table 56 Security ................................................................................................................ 167
Table 57 Configuring UPnP ................................................................................................ 170
Table 58 Common IP Ports ................................................................................................ 180
Table 59 ICMP Commands That Trigger Alerts .................................................................. 184
Table 60 Default Rule .........................................................................................................197
Table 61 Rule Summary ..................................................................................................... 198
Table 62 Creating/Editing A Firewall Rule .......................................................................... 201
Table 63 Creating/Editing A Custom Service ..................................................................... 202
Table 64 Predefined Services ............................................................................................ 206
Table 65 Content Filter .......................................................................................................211
Table 66 My Certificates ..................................................................................................... 216
Table 67 My Certificate Import ........................................................................................... 219
Table 68 My Certificate Create ........................................................................................... 221
Table 69 My Certificate Details ........................................................................................... 224
Table 70 Trusted CAs ......................................................................................................... 226
Table 71 Trusted CA Import ............................................................................................... 227
Table 72 Trusted CA Details ............................................................................................... 230
Table 73 View Log .............................................................................................................. 232
Table 74 Log Settings .........................................................................................................235
Table 75 Reports ................................................................................................................ 237
Table 76 System Status ...................................................................................................... 241
Table 77 System Status: Show Statistics ........................................................................... 242
Table 78 Maintenance DHCP Table ................................................................................... 243
Table 79 Association List .................................................................................................... 244
29 List of Tables
ZyAIR G-2000 Plus User’s Guide
Table 80 Firmware Upload ................................................................................................. 245
Table 81 Restore Configuration .......................................................................................... 248
Table 82 Main Menu Commands ....................................................................................... 254
Table 83 Main Menu Summary .......................................................................................... 256
Table 84 Menu 1 General Setup ........................................................................................ 259
Table 85 Menu 1.1 Configure Dynamic DNS ..................................................................... 260
Table 86 Menu 2 WAN Setup ............................................................................................. 262
Table 87 DHCP Ethernet Setup Fields ............................................................................... 265
Table 88 Menu 3.2: LAN TCP/IP Setup Fields ................................................................... 266
Table 89 Menu 3.2.1: IP Alias Setup .................................................................................. 268
Table 90 Menu 3.5 Wireless LAN Setup ............................................................................ 269
Table 91 Menu 3.5.1 WLAN MAC Address Filter ............................................................... 272
Table 92 Internet Access Setup (Ethernet ......................................................................... 275
Table 93 New Fields in Menu 4 (PPTP) Screen ................................................................. 277
Table 94 New Fields in Menu 4 (PPPoE) screen ............................................................... 278
Table 95 Menu 11.1 Remote Node Profile for Ethernet Encapsulation .............................. 281
Table 96 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ......................................... 284
Table 97 Menu 11.1 Remote Node Profile for PPTP Encapsulation .................................. 285
Table 98 Remote Node Network Layer Options ................................................................. 286
Table 99 Menu12.1 Edit IP Static Route ............................................................................. 291
Table 100 Menu 14.1- Edit Dial-in User ............................................................................. 293
Table 101 Applying NAT in Menus 4 & 11.3 ....................................................................... 296
Table 102 SUA Address Mapping Rules ............................................................................ 298
Table 103 Menu 15.1.1 First Set ........................................................................................ 299
Table 104 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set ......................... 300
Table 105 Menu 15.3 Trigger Port Setup ........................................................................... 311
Table 106 Abbreviations Used in the Filter Rules Summary Menu .................................... 315
Table 107 Rule Abbreviations Used ................................................................................... 316
Table 108 TCP/IP Filter Rule .............................................................................................. 317
Table 109 Generic Filter Rule Menu Fields ........................................................................ 320
Table 110 Menu 22 SNMP Configuration ........................................................................... 330
Table 111 SNMP Traps ....................................................................................................... 330
Table 112 Ports and Interface Types .................................................................................. 331
Table 113 Menu 23.2 System Security : RADIUS Server ................................................... 333
Table 114 Menu 23.4 System Security : IEEE802.1x ......................................................... 335
Table 115 Menu 24.1 System Maintenance : Status .......................................................... 339
Table 116 Menu 24.2.1 System Maintenance : Information ............................................... 340
Table 117 Menu 24.3.2 System Maintenance : UNIX Syslog ............................................. 342
Table 118 Menu 24.4 System Maintenance Menu: Diagnostic .......................................... 347
Table 119 Filename Conventions ....................................................................................... 351
Table 120 General Commands for Third Party FTP Clients ............................................... 353
Table 121 General Commands for Third Party TFTP Clients ............................................ 355
Table 122 Menu 24.9.1 - Budget Management .................................................................. 364
List of Tables 30
ZyAIR G-2000 Plus User’s Guide
Table 123 Call History Fields .............................................................................................. 365
Table 124 System Maintenance : Time and Date Setting .................................................. 366
Table 125 Menu 24.11 – Remote Management Control ..................................................... 369
Table 126 Menu 26.1 Schedule Set Setup ......................................................................... 373
Table 127 Troubleshooting the Start-Up of Your ZyAIR ..................................................... 376
Table 128 Troubleshooting the Ethernet Interface ............................................................. 376
Table 129 Troubleshooting the Password .......................................................................... 377
Table 130 Troubleshooting Telnet ...................................................................................... 377
Table 131 Troubleshooting the WLAN Interface ................................................................. 377
Table 132 Brute-Force Password Guessing Protection Commands .................................. 378
Table 133 Classes of IP Addresses ................................................................................... 396
Table 134 Allowed IP Address Range By Class ................................................................. 397
Table 135 “Natural” Masks ................................................................................................ 397
Table 136 Alternative Subnet Mask Notation ..................................................................... 398
Table 137 Two Subnets Example ....................................................................................... 398
Table 138 Subnet 1 ............................................................................................................399
Table 139 Subnet 2 ............................................................................................................399
Table 140 Subnet 1 ............................................................................................................400
Table 141 Subnet 2 ............................................................................................................400
Table 142 Subnet 3 ............................................................................................................400
Table 143 Subnet 4 ............................................................................................................401
Table 144 Eight Subnets .................................................................................................... 401
Table 145 Class C Subnet Planning ................................................................................... 401
Table 146 Class B Subnet Planning ................................................................................... 402
Table 147 System Error Logs ............................................................................................. 406
Table 148 System Maintenance Logs ................................................................................ 406
Table 149 ICMP Notes ....................................................................................................... 406
Table 150 Sys log ............................................................................................................... 407
Table 151 Log Categories and Available Settings .............................................................. 408
Table 152 Comparison of EAP Authentication Types ......................................................... 419
Table 153 NORTH AMERICAN PLUG STANDARDS ........................................................ 422
Table 154 NORTH AMERICAN PLUG STANDARDS ........................................................ 422
Table 155 EUROPEAN PLUG STANDARDS ..................................................................... 422
Table 156 United Kingdom PLUG STANDARDS ............................................................... 422
Table 157 Japan PLUG STANDARDS ............................................................................... 422
Table 158 Australia and New Zealand plug standards ....................................................... 423
31 List of Tables
ZyAIR G-2000 Plus User’s Guide

Preface

Congratulations on your purchase of the ZyAIR G-2000 Plus - 802.11g Wireless 4 port Router.
A wireless router is an access point and router rolled into one. It is a cost-effect solution to share Internet access with multiple computers and expand your wired network.
Your ZyAIR is easy to install and configure.
Note: Register your product online to receive e-mail notices of firmware upgrades and information at products, or at
www.us.zyxel.com for North American products.

About This User's Guide

This User’s Guide is designed to guide you through the configuration of your ZyAIR using the web configurator or the SMT. The web configurator parts of this guide contain background information on features configurable by web configurator. The SMT parts of this guide contain background information solely on features not configurable by web configurator
www.zyxel.com for global
Note: Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your ZyAIR. Not all features can be configured through all interfaces.

Related Documentation

• Supporting Disk
Refer to the included CD for support documents.
• Compact Guide
The Quick Start Guide is designed to help you get up and running right away. It contains connection information and instructions on getting started.
• Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary information.
• ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.
Preface 32
ZyAIR G-2000 Plus User’s Guide

User Guide Feedback

Help us help you! E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!

Syntax Conventions

• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are enclosed in square brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key and [SPACE BAR] means the Space Bar.
• Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
• For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for “that is” or “in other words” throughout this manual.
• The ZyAIR G-2000 Plus may be referred to simply as the ZyAIR in the user’s guide.
33 Preface

Graphics Icons Key

ZyAIR Computer Notebook computer
Server DSLAM Firewall
Modem Switch Router
ZyAIR G-2000 Plus User’s Guide
Wireless Signal
Preface 34
ZyAIR G-2000 Plus User’s Guide
35 Preface

Getting to Know Your ZyAIR

This chapter introduces the main features and applications of the ZyAIR.

1.1 Introducing the ZyAIR

The ZyAIR G-2000 Plus, an IEEE802.11g compliant broadband wireless sharing gateway, provides wireless connectivity. As an Internet gateway, your ZyAIR can share an Internet connection (through a cable or xDSL modem) with multiple computers using SUA/NAT and DHCP. The ZyAIR offers highly secured wireless connectivity to your wired network with IEEE 802.1X, WEP data encryption, WPA (Wi-Fi Protected Access) and MAC address filtering.
ZyAIR G-2000 Plus User’s Guide
CHAPTER 1
The ZyAIR is easy to install and configure. The embedded web-based configurator and SNMP network management enables remote configuration and management of your ZyAIR.

1.2 ZyAIR Features

The following sections describe the features of the ZyAIR

1.2.1 Physical Features

1.2.1.1 4-Port Switch
A combination of switch and router makes your ZyAIR a cost-effective and viable network solution. You can connect up to four computers to the LAN ports on you ZyAIR without the cost of a hub.
1.2.1.2 10/100M Auto-negotiating Ethernet/Fast Ethernet Interface
This auto-negotiating feature allows the ZyAIR to detect the speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.
1.2.1.3 10/100M Auto-crossover Ethernet/Fast Ethernet Interface
The LAN interface automatically adjusts to either a crossover or straight-through Ethernet cable.
Chapter 1 Getting to Know Your ZyAIR 36
ZyAIR G-2000 Plus User’s Guide
1.2.1.4 10/100 Mbps Ethernet WAN
The 10/100 Mbps Ethernet WAN port attaches to the Internet via broadband modem or router.
1.2.1.5 Reset Button
The ZyAIR reset button is built into the side panel. Use this button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33. .
1.2.1.6 ZyAIR LED
The blue ZyAIR LED (also known as the Breathing LED) is on when the ZyAIR is on and blinks (or breaths) when data is being transmitted to/from its wireless stations. You may use the web configurator to turn this LED off even when the ZyAIR is on and data is being transmitted/received.

1.2.2 Firmware Features

1.2.2.1 Internal RADIUS Server
The ZyAIR has a built-in RADIUS server that can authenticate wireless clients or other AP’s in other wireless networks.The ZyAIR can also function as an AP and as a RADIUS server at the same time.
1.2.2.2 Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption.
1.2.2.3 802.11b Wireless LAN Standard
The ZyAIR complies with the 802.11b wireless standard.
The 802.11b data rate and corresponding modulation techniques are shown in the table below. The modulation technique defines how bits are encoded onto radio waves.
Table 1 IEEE 802.11b
DATA RATE (MBPS) MODULATION
1 DBPSK (Differential Binary Phase Shift Keyed)
2 DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11 CCK (Complementary Code Keying)
37 Chapter 1 Getting to Know Your ZyAIR
1.2.2.4 802.11g Wireless LAN Standard
The ZyAIR, complies with the 802.11g wireless standard and is also fully compatible with the
802.11b standard. This means an 802.11b radio card can interface directly with an 802.11g device (and vice versa) at 11 Mbps or lower depending on range. 802.11g has several intermediate rate steps between the maximum and minimum data rates. The 802.11g data rate and modulation are as follows:
Table 2 IEEE 802.11g
.
ZyAIR G-2000 Plus User’s Guide
DATA RATE (MBPS)
6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing)
MODULATION
Note: The ZyAIR may be prone to RF (Radio Frequency)
interference from other 2.4 GHz devices such as microwave ovens, wireless phones, Bluetooth enabled devices, and other wireless LANs.
1.2.2.5 STP (Spanning Tree Protocol) / RSTP (Rapid STP)
(R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP -compliant bridges in your network to ensure that only one path exists between any two stations on the network.
1.2.2.6 Certificates
The ZyAIR can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
1.2.2.7 Limit the number of Client Connections
You may set a maximum number of wireless stations that may connect to the ZyAIR. This may be necessary if for example, there is interference or difficulty with channel assignment due to a high density of APs within a coverage area.
1.2.2.8 SSL Passthrough
SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https” instead of “http”. The ZyAIR allows SSL connections to take place through the ZyAIR.
Chapter 1 Getting to Know Your ZyAIR 38
ZyAIR G-2000 Plus User’s Guide
1.2.2.9 Firewall
The ZyAIR employs a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyAIR firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
1.2.2.10 Brute-Force Password Guessing Protection
The ZyAIR has a special protection mechanism to discourage brute-force password guessing attacks on the ZyAIR's management interfaces. You can specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. Please see the appendix for details about this feature.
1.2.2.11 Wireless LAN MAC Address Filtering
Your ZyAIR checks the MAC address of the wireless station against a list of allowed or denied MAC addresses.
1.2.2.12 WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.
1.2.2.13 IEEE 802.1X Network Security
The ZyAIR supports the IEEE 802.1x standard to enhance user authentication. Use the built-in user profile database to authenticate up to 32 users using MD5 encryption. Use an EAP­compatible RADIUS (RFC2138, 2139 - Remote Authentication Dial In User Service) server to authenticate a limitless number of users using EAP (Extensible Authentication Protocol). EAP is an authentication protocol that supports multiple types of authentication.
1.2.2.14 Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the ZyAIR and other UPnP-enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.
1.2.2.15 Dynamic DNS Support
With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service.
39 Chapter 1 Getting to Know Your ZyAIR
1.2.2.16 PPPoE Support (RFC2516)
PPPoE (Point-to-Point Protocol over Ethernet) emulates a dial-up connection. It allows your ISP to use their existing network configuration with newer broadband technologies such as ADSL. The PPPoE driver on the ZyAIR is transparent to the computers on the LAN, which see only Ethernet and are not aware of PPPoE thus saving you from having to manage PPPoE clients on individual computers.
1.2.2.17 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. Use PPTP to connect to a broadband modem to achieve access to high-speed data networks via a familiar "dial-up networking" user interface.
1.2.2.18 Network Address Translation (NAT)
NAT (Network Address Translation - NAT, RFC 1631) allows the translations of multiple IP addresses used within one network to different IP addresses known within another network.
ZyAIR G-2000 Plus User’s Guide
1.2.2.19 Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyAIR cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
1.2.2.20 NAT for Single-IP-address Internet Access
The ZyAIR's SUA (Single User Account) feature allows multiple-user Internet access for the cost of a single IP account. NAT supports popular Internet applications such as MS traceroute, CuSeeMe, IRC, RealPlayer, VDOLive, Quake, and PPTP. No configuration is needed to support these applications.
1.2.2.21 DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyAIR has built-in DHCP server capability enabled by default. It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. The ZyAIR also acts as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.
Chapter 1 Getting to Know Your ZyAIR 40
ZyAIR G-2000 Plus User’s Guide
1.2.2.22 Multicast
Traditionally, IP packets are transmitted in two ways - unicast or broadcast. Multicast is a third way to deliver IP packets to a group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC 2236). The ZyAIR supports versions 1 and 2.
1.2.2.23 IP Alias
IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The ZyAIR supports three logical LAN interfaces via its single physical Ethernet LAN interface with the ZyAIR itself as the gateway for each LAN network.
1.2.2.24 IP Policy Routing
IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding based on the policies defined by the network administrator.
1.2.2.25 SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyAIR supports SNMP agent functionality, which allows a manger station to manage and monitor the ZyAIR through the network. The ZyAIR supports SNMP version one (SNMPv1) and version two c (SNMPv2c).
1.2.2.26 Full Network Management
The embedded web configurator is an all-platform web-based utility that allows you to easily access the ZyAIR’s management settings. Most functions of the ZyAIR are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu­driven interface that you can access from a terminal emulator over a telnet connection.
1.2.2.27 Logging and Tracing
• Built-in message logging and packet tracing.
• Unix syslog facility support.
1.2.2.28 Diagnostics Capabilities
The ZyAIR can perform self-diagnostic tests. These tests check the integrity of the following circuitry:
• FLASH memory
•DRAM
• LAN port
• Wireless port
41 Chapter 1 Getting to Know Your ZyAIR
1.2.2.29 Embedded FTP and TFTP Servers
The ZyAIR’s embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.
1.2.2.30 Wireless Association List
With the wireless association list, you can see the list of the wireless stations that are currently using the ZyAIR to access your wired network.
1.2.2.31 Wireless LAN Channel Usage
The Wireless Channel Usage screen displays whether the radio channels are used by other wireless devices within the transmission range of the ZyAIR. This allows you to select the channel with minimum interference for your ZyAIR.

1.3 Applications for the ZyAIR

ZyAIR G-2000 Plus User’s Guide
Here is an application example of what you can do with your ZyAIR.

1.3.1 Internet Access Application

Add a wireless LAN to your existing network without expensive network cables. Wireless stations can move freely anywhere in the coverage area and use resources on the wired network.
.
Figure 1 Internet Access Application Example
Chapter 1 Getting to Know Your ZyAIR 42
ZyAIR G-2000 Plus User’s Guide
43 Chapter 1 Getting to Know Your ZyAIR
Introducing the Web
This chapter describes how to access the ZyAIR web configurator and provides an overview of its screens. The default IP address of the ZyAIR is 192.168.1.1.

2.1 Web Configurator Overview

The embedded web configurator (ewc) allows you to manage the ZyAIR from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled. It is recommended that you set your screen resolution to 1024 by 768 pixels. The screens you see in the web configurator may vary somewhat from the ones shown in this document due to differences between individual firmware versions.
ZyAIR G-2000 Plus User’s Guide
CHAPTER 2
Configurator

2.2 Accessing the ZyAIR Web Configurator

1 Make sure your ZyAIR hardware is properly connected and prepare your computer/
computer network to connect to the ZyAIR (refer to the Quick Start Guide).
2 Launch your web browser.
3 Typ e "192.168.1.1" as the URL.
4 Typ e "1234" (default) as the password and click Login. In some versions, the default
password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as
shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Note: If you do not change the password, the following screen appears every time you login.
Chapter 2 Introducing the Web Configurator 44
ZyAIR G-2000 Plus User’s Guide
Figure 2 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyAIR’s
MAC address that will be specific to this device.
Figure 3 Replace Certificate Screen
You should now see the MAIN MENU screen..
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyAIR if this happens to you.
45 Chapter 2 Introducing the Web Configurator

2.3 Resetting the ZyAIR

If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the side panel of the ZyAIR. Uploading this configuration file replaces the current configuration file with the factory­default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bit, no parity, one stop bit and flow control set to none. The password will be reset to 1234, also.

2.3.1 .Procedure To Use The Reset Button

Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds or until the SYS LED, LINK LED or BRI/RPT
LED turns red, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyAIR restarts. Otherwise, go to step 2.
2 Turn the ZyAIR off.
ZyAIR G-2000 Plus User’s Guide
3 While pressing the RESET button, turn the ZyAIR on.
4 Continue to hold the RESET button. The SYS LED will begin to blink and flicker very
quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyAIR is now restarting.
5 Release the RESET button and wait for the ZyAIR to finish restarting.

2.3.2 Method of Restoring Factory-Defaults Via Web Configurator

Use the web configurator to restore defaults (refer to the Maintenance chapter).

2.4 Navigating the ZyAIR Web Configurator

The following summarizes how to navigate the web configurator from the MAIN MENU screen.
Note: Follow the instructions you see in the MAIN MENU screen or click the most screens) to view online help.
icon (located in the top right corner of
The icon does not appear in the MAIN MENU screen.
Chapter 2 Introducing the Web Configurator 46
ZyAIR G-2000 Plus User’s Guide
Figure 4 The MAIN MENU Screen of the Web Configurator
Use submenus to configure ZyAIR features.
Click WIZARD SETUP for initial configuration including general setup, wireless LAN setup, ISP Parameters for Internet Access and WAN IP/DNS/MAC Address Assignment.
Click the links under ADVANCED to configure advanced features such as SYSTEM (General Setup, Dynamic DNS, Password and Time Setting), LAN (DHCP and TCP/IP Setup), WLAN (WLAN and WLAN Security Setup), WAN, SUA/NAT, STATIC ROUTE (Route Entry), FIREWALL (Settings, Filter and Services), Internal RADIUS Server
Trusted AP and Trusted User databases
), CERTIFICATES (My Certificates, Trusted CAs),
(Settings,
REMOTE MGNT (Telnet, FTP, WWW, SNMP, DNS and Security), UPnP and Logs (View Log, Log Settings and Reports).
Click MAINTENANCE to view information about your ZyAIR or upgrade configuration/ firmware files. Maintenance includes Status (Statistics), Association List, Channel Usage, F/W (firmware) Upload, Configuration (Backup, Restore and Default) and Restart
Click LOGOUT at any time to exit the web configurator
47 Chapter 2 Introducing the Web Configurator
The web configurator’s setup wizard helps you configure your ZyAIR for Internet access and set up wireless LAN.

3.1 Wizard Setup Overview

The web configurator’s setup wizard helps you configure your device to access the Internet. The second screen has three variations depending on what encapsulation type you use. Refer to your ISP checklist in the Quick Start Guide to know what to enter in each field. Leave a field blank if you don’t have that information.

3.1.1 Channel

ZyAIR G-2000 Plus User’s Guide
CHAPTER 3

Wizard Setup

A channel is the radio frequency(ies) used by IEEE 802.11b and IEEE 802.11g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance.
Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11.

3.1.2 ESS ID

An Extended Service Set (ESS) is a group of access points connected to a wired LAN on the same subnet. An ESS ID uniquely identifies each set. All access points and their associated wireless stations in the same set must have the same ESSID.

3.1.3 WEP Encryption

WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network. WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption.
Chapter 3 Wizard Setup 48
ZyAIR G-2000 Plus User’s Guide

3.1.4 WPA-PSK

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption.The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to-use, consistent, single, alphanumeric password.
Therefore, if you don’t have an external RADIUS server you should use WPA-PSK (WPA ­Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a client will be granted access to a WLAN.

3.2 Wizard Setup: General Setup

General Setup contains administrative and system-related information.
The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the ZyAIR via DHCP.
49 Chapter 3 Wizard Setup
Figure 5 Wizard 1 : General Setup
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 3 Wizard 1 : General Setup
LABEL DESCRIPTION
System Name It is recommended you type your computer's "Computer name".
In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.
In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyAIR System Name.
This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name This is not a required field. Leave this field blank or enter the domain name here
Next Click Next to proceed to the next screen.
if you know it.

3.3 Wizard Setup: Wireless LAN

Use the second wizard screen to set up the wireless LAN.
Chapter 3 Wizard Setup 50
ZyAIR G-2000 Plus User’s Guide
Figure 6 Wizard 2 : Wireless LAN Setup
The following table describes the labels in this screen.
Table 4 Wizard 2 : Wireless LAN Setup
LABEL DESCRIPTION
Wireless LAN Setup
ESSID Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the
Choose Channel ID To manually set the ZyAIR to use a channel, select a channel from the drop-
Security The level of Security can be selected as none, basic or extended. Choose
Back Click Back to return to the previous screen.
Next Click Next to continue.
wireless LAN. If you change this field on the ZyAIR, make sure all wireless stations use the
same SSID in order to access the network.
down list box. Open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
None security to have no wireless LAN security configured and proceed to the ISP Parameters for Internet Access screen.
Choose Basic (WEP) security if you want to configure WEP Encryption parameters.
Choose Extend (WPA-PSK) security to configure a Pre-Shared Key. The third screen varies depending on which security level you select.
Note: The wireless stations and ZyAIR must use the same ESSID, channel ID and WEP encryption key (if WEP is enabled) or WPA-PSK (if WPA-PSK is enabled) for wireless communication

3.4 Wizard Setup: Screen 3

Choose Basic (WEP) security to setup WEP Encryption parameters.
51 Chapter 3 Wizard Setup
Figure 7 Wizard 3: Wireless LAN Setup: Basic Security
The following table describes the labels in this screen.
Table 5 Wizard 3: Wireless LAN Setup: Basic Security
ZyAIR G-2000 Plus User’s Guide
LABEL DESCRIPTION
Passphrase You can generate or manually enter a WEP key by either:
Entering a Passphrase (up to 32 printable characters) and clicking Generate. The Prestige automatically generates a WEP key.
Or Entering a manual key in a Key field and selecting ASCII or Hex WEP key input
method.
WEP Encryption
Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations
Back Click Back to display the previous screen.
Next Click Next to proceed to the next screen.
Select 64-bit WEP or 128-bit WEP to allow data encryption.
ASCII Select this option in order to enter ASCII characters as the WEP keys.
HEX Select this option to enter hexadecimal characters as the WEP keys.
The preceding “0x” is entered automatically.
must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal
characters ("0-9", "A-F"). ZyAIRIf you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal
characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time.
The default key is key 1.
Choose Extend (WPA-PSK) security in the Wireless LAN Setup screen to set up a Pre- Shared Key.
Chapter 3 Wizard Setup 52
ZyAIR G-2000 Plus User’s Guide
Figure 8 Wizard 3: Wireless LAN Setup: Extend Security
The following table describes the labels in this screen.
Table 6 Wizard 3: Wireless LAN Setup: Extend Security
LABEL DESCRIPTION
Pre-Shared Key
Back Click Back to display the previous screen.
Next Click Next to proceed to the next screen.
Type from 8 to 63 case-sensitive ASCII characters. You can set up the most secure wireless connection by configuring WPA in the advanced wireless screen. You need to configure an authentication server to do this.
Refer to the chapter on wireless LAN for more information.

3.5 Wizard Setup: Screen 4

The ZyAIR offers three choices of encapsulation. They are Ethernet, PPP over Ethernet or PPTP.

3.5.1 Ethernet

Choose Ethernet when the WAN port is used as a regular Ethernet.
53 Chapter 3 Wizard Setup
Figure 9 Wizard 4: Ethernet Encapsulation
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 7 Wizard 4: Ethernet Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation You must choose the Ethernet option when the WAN port is used as a regular
Ethernet. Otherwise, choose PPP over Ethernet or PPTP for a dial-up connection.
Service Type Choose from Standard, Tels tra (RoadRunner Telstra authentication method), RR-
User Name Type the user name given to you by your ISP.
Password Type the password associated with the user name above.
Login Server IP Address
Login Server This field only applies when you select Telia Login in the Service Type field. Type
Relogin Every (min)
Back Click Back to return to the previous screen.
Next Click Next to continue.
Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login.
The following fields are not applicable (N/A) for the Standard service type.
Type the authentication server IP address here if your ISP gave you one.
the domain name of the Telia login server, for example “login1.telia.com”.
This field only applies when you select Telia Login in the Service Type field. The Telia server logs the ZyAIR out if the ZyAIR does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyAIR to wait between logins.
Chapter 3 Wizard Setup 54
ZyAIR G-2000 Plus User’s Guide

3.5.2 PPPoE Encapsulation

Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) draft standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for instance, Radius). For the user, PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
One of the benefits of PPPoE is the ability to let end users access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for specific users.
Operationally, PPPoE saves significant effort for both the subscriber and the ISP/carrier, as it requires no specific configuration of the broadband modem at the subscriber’s site.
By implementing PPPoE directly on the ZyAIR (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyAIR does that part of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
Refer to the appendix for more information on PPPoE.
55 Chapter 3 Wizard Setup
Figure 10 Wizard 4: PPPoE Encapsulation
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 8 Wizard 4: PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameter for Internet Access
Encapsulation Choose PPP over Ethernet from the pull-down list box. PPPoE forms a dial-up
connection.
Service Name Type the name of your service provider.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the user name above.
Nailed-Up Connection
Idle Timeout Type the time in seconds that elapses before the router automatically disconnects
Next Click Next to continue.
Back Click Back to return to the previous screen.
Select Nailed-Up Connection if you do not want the connection to time out.
from the PPPoE server. The default time is 100 seconds.

3.5.3 PPTP Encapsulation

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/ IP-based networks.
Chapter 3 Wizard Setup 56
ZyAIR G-2000 Plus User’s Guide
PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.
Refer to the appendix for more information on PPTP.
Figure 11 Wizard 4: PPTP Encapsulation
Note: The ZyAIR supports one PPTP server connection at any
given time.
The following table describes the fields in this screen
Table 9 Wizard 4: PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation Select PPTP from the drop-down list box.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the User Name above.
Nailed-Up Connection
Idle Timeout Type the time in seconds that elapses before the router automatically disconnects
PPTP Configuration
57 Chapter 3 Wizard Setup
Select Nailed-Up Connection if you do not want the connection to time out.
from the PPTP server. The default is 100 seconds.
Table 9 Wizard 4: PPTP Encapsulation
LABEL DESCRIPTION
My IP Address Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
Server IP Address Type the IP address of the PPTP server.
Connection ID/ Name
Back Click Back to return to the previous screen.
Next Click Next to continue.
Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP.
This field is optional and depends on the requirements of your ISP.

3.6 Wizard Setup: Screen 5

The fifth wizard screen allows you to configure WAN IP address assignment, DNS server address assignment and the WAN MAC address.
ZyAIR G-2000 Plus User’s Guide

3.6.1 WAN IP Address Assignment

Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.
Table 10 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
Chapter 3 Wizard Setup 58
ZyAIR G-2000 Plus User’s Guide

3.6.2 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number; which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyAIR, but make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyAIR will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyAIR unless you are instructed to do otherwise.

3.6.3 DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
The ZyAIR can get the DNS server addresses in the following ways.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet,
when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup.
2 If the ISP did not give you DNS server information, leave the DNS Server fields in
DHCP Setup set to 0.0.0.0 for the ISP to dynamically assign the DNS server IP addresses.

3.6.4 WAN MAC Address

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
59 Chapter 3 Wizard Setup
ZyAIR G-2000 Plus User’s Guide
You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a different "rom" file.
Note: ZyXEL recommends you clone the MAC address from a computer on your LAN even if your ISP does not require MAC address authentication.
Table 11 Example of Network Properties for LAN Servers with Fixed IP Addresses
Choose an IP address 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254.
Subnet mask 255.255.255.0
Gateway (or default route) 192.168.1.1(ZyAIR LAN IP)
The fifth wizard screen varies according to the type of encapsulation that you select in the third wizard screen.
Chapter 3 Wizard Setup 60
ZyAIR G-2000 Plus User’s Guide
Figure 12 Wizard 5: WAN Setup
The following table describes the labels in this screen
Table 12 Wizard 5: WAN Setup
LABEL DESCRIPTION
WAN IP Address Assignment
Get automatically from ISP
Use fixed IP address Select this option If the ISP assigned a fixed IP address. Enter a subnet
My WAN IP Address Enter your WAN IP address in this field if you selected Use Fixed IP
My WAN IP Subnet Mask Enter a Subnet Mask appropriate to your network. a
Gateway IP Address Enter the Gateway IP Address of the neighboring device, if you know it. If
System DNS Server Address Assignment (if applicable) DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyAIR uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
Select this option If your ISP did not assign you a fixed IP address. This is the default selection.
mask appropriate to your network and the gateway IP address if applicable.
Address.
you do not, leave the Gateway IP Address field as 0.0.0.0.
61 Chapter 3 Wizard Setup
Table 12 Wizard 5: WAN Setup
LABEL DESCRIPTION
ZyAIR G-2000 Plus User’s Guide
First DNS Server
Second DNS Server
Third DNS Server
WAN MAC Address The MAC address field allows you to configure the WAN port's MAC
Factory Default Select this option to use the factory assigned default MAC Address.
Spoof this Computer's MAC address - IP Address
Back Click Back to return to the previous screen.
Next Click Next to continue.
Select From ISP if your ISP dynamically assigns DNS server information (and the ZyAIR's WAN IP address). The field to the right displays the (read­only) DNS server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right.
Select None if you do not want to configure DNS servers. If you do not configure a system DNS server, you must use IP addresses when configuring VPN, DDNS and the time server.
Address by either using the factory default or cloning the MAC address from a computer on your LAN.
Select this option and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different rom file. It is advisable to clone the MAC address from a computer on your LAN even if your ISP does not presently require MAC address authentication.

3.7 Basic Setup Complete

Click Back to return to the previous screen or click Finish to complete and save the wizard setup.
Chapter 3 Wizard Setup 62
ZyAIR G-2000 Plus User’s Guide
Figure 13 Wizard Finish
Well done! You have successfully set up the ZyAIR. A congratulations screen displays some information.
63 Chapter 3 Wizard Setup

4.1 System Overview

This section provides information on general system setup.

4.2 Configuring General Setup

Click the SYSTEM link under ADVANCED to open the General screen.
Figure 14 System General Setup
ZyAIR G-2000 Plus User’s Guide
CHAPTER 4

System Screens

The following table describes the labels in this screen.
Table 13 System General Setup
LABEL DESCRIPTION
General Setup
System Name Type a descriptive name to identify the ZyAIR in the Ethernet network.
This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name This is not a required field. Leave this field blank or enter the domain name
Chapter 4 System Screens 64
here if you know it.
ZyAIR G-2000 Plus User’s Guide
Table 13 System General Setup
LABEL DESCRIPTION
Administrator Inactivity Timer
System DNS Servers
First DNS Server Second DNS Server Third DNS Server
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.

4.3 Dynamic DNS

Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out.
The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks.
A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
Select From DHCP if your DHCP server dynamically assigns DNS server information (and the ZyAIR's Ethernet IP address). The field to the right displays the (read-only) DNS server IP address that the DHCP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
The default setting is None.
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.

4.3.1 DynDNS Wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
Note: If you have a private WAN IP address, then you cannot use Dynamic DNS.
65 Chapter 4 System Screens

4.4 Configuring Dynamic DNS

To change your ZyAIR’s DDNS, click SYSTEM, then the DDNS tab. The screen appears as shown.
Figure 15 DDNS
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 14 DDNS
LABEL DESCRIPTION
Enable DDNS Select this check box to use dynamic DNS.
Service Provider Select the name of your Dynamic DNS service provider.
DDNS Type Select the type of service that you are registered for from your Dynamic DNS
service provider.
Host Names 1~3 Enter the host names in the three fields provided. You can specify up to two
host names in each field separated by a comma (",").
User Name Enter your user name.
Password Enter the password assigned to you.
Enable Wildcard Option Select the check box to enable DynDNS Wildcard.
Enable off line option This option is available when CustomDNS is selected in the DDNS Type
field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
IP Address Update Policy:
Chapter 4 System Screens 66
ZyAIR G-2000 Plus User’s Guide
Table 14 DDNS
LABEL DESCRIPTION
Use WAN IP address Select this option to update the IP address of the host name(s) automatically
by the DDNS server. It is recommended that you select this option.
DDNS server auto detect IP Address
Use specified IP Address
IP Address Enter the IP address if you select the Use specified IP Address option.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.
Select this option to update the IP address of the host name(s) automatically by the DDNS server. It is recommended that you select this option.
Select this option to update the IP address of the host name(s) to the IP address specified below. Use this option if you have a static IP address.

4.5 Configuring Password

To change your ZyAIR’s password (recommended), click the SYSTEM link under ADVANCED and then the Password tab. The screen appears as shown. This screen allows
you to change the ZyAIR’s password.
If you forget your password (or the ZyAIR IP address), you will need to reset the ZyAIR. See the Resetting the ZyAIR section for details
Figure 16 Password.
The following table describes the labels in this screen.
Table 15 Password
LABEL DESCRIPTIONS
Old Password Type in your existing system password (1234 is the default password).
New Password Type your new system password (up to 31 characters). Note that as you type a
Retype to Confirm Retype your new system password for confirmation.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.
password, the screen displays an asterisk (*) for each character you type.
67 Chapter 4 System Screens

4.6 Configuring Time Setting

To change your ZyAIR’s time and date, click the SYSTEM link under ADVANCED and then the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyAIR’s time based on your local time zone.
Figure 17 Time Setting
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 16 Time Setting
LABEL DESCRIPTION
Time Protocol Select the time service protocol that your time server sends when you turn on
Time Server Address Enter the IP address or the URL of your time server. Check with your ISP/
Current Time (hh:mm:ss)
Chapter 4 System Screens 68
the ZyAIR. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
The main difference between them is the format.
Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of
seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868). Select None to enter the time and date manually.
network administrator if you are unsure of this information.
This field displays the time of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the time with the time
server.
ZyAIR G-2000 Plus User’s Guide
Table 16 Time Setting
LABEL DESCRIPTION
New Time (hh:mm:ss) This field displays the last updated time from the time server.
Current Date (yyyy/ mm/dd)
New Date (yyyy/mm/ dd)
Time Zone Choose the time zone of your location. This will set the time difference
Daylight Savings Select this option if you use daylight savings time. Daylight saving is a period
Start Date (mm-dd) Enter the month and day that your daylight-savings time starts on if you
End Date (mm-dd) Enter the month and day that your daylight-savings time ends on if you
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.
When you select None in the Time Protocol field, enter the new time in this field and then click Apply.
This field displays the date of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the date with the time
server.
This field displays the last updated date from the time server. When you select None in the Time Protocol field, enter the new date in this
field and then click Apply.
between your time zone and Greenwich Mean Time (GMT).
from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
selected Daylight Savings.
selected Daylight Savings.
69 Chapter 4 System Screens
This chapter describes how to configure LAN settings.

5.1 LAN Overview

Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks.

5.2 DHCP Setup

ZyAIR G-2000 Plus User’s Guide
CHAPTER 5

LAN Screens

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyAIR as a DHCP server or disable it. When configured as a server, the ZyAIR provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.

5.2.1 IP Pool Setup

The ZyAIR is pre-configured with a pool of 32 IP addresses starting from 192.168.1.33 to
192.168.1.64. This configuration leaves 31 IP addresses (excluding the ZyAIR itself) in the lower range for other server computers, for instance, servers for mail, FTP, TFTP, web, etc., that you may have.

5.2.2 System DNS Servers

Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter.

5.3 LAN TCP/IP

The ZyAIR has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

5.3.1 Factory LAN Defaults

The LAN parameters of the ZyAIR are preset in the factory with the following values:
Chapter 5 LAN Screens 70
ZyAIR G-2000 Plus User’s Guide
• IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
• DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.

5.3.2 IP Address and Subnet Mask

Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.

5.3.3 RIP Setup

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the ZyAIR will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version controls the format and the broadcasting method of the RIP packets that the ZyAIR sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP- 2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.
By default, RIP Direction is set to Both and RIP Version to RIP-1.

5.3.4 Multicast

Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.
IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC
2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address
71 Chapter 5 LAN Screens
224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address
224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
The ZyAIR supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyAIR queries all directly connected networks to gather group membership. After that, the ZyAIR periodically updates this information. IP multicasting can be enabled/disabled on the ZyAIR LAN and/or WAN interfaces in the web configurator (LAN; WAN ). Select None to disable IP multicasting on these interfaces.

5.4 Configuring IP

Click LAN to open the IP screen.
ZyAIR G-2000 Plus User’s Guide
Chapter 5 LAN Screens 72
ZyAIR G-2000 Plus User’s Guide
Figure 18 LAN IP
The following table describes the labels in this screen.
Table 17 LAN IP
LABEL DESCRIPTION
DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows
IP Pool Starting Address
Pool Size This field specifies the size, or count of the IP address pool.
DNS Servers Assigned by DHCP Server The ZyAIR passes a DNS (Domain Name System) server IP address (in the order you specify here) to
the DHCP clients. The ZyAIR only passes this information to the LAN DHCP clients when you select the DHCP Server check box. When you clear the DHCP Server check box, DHCP service is disabled and you must have another DHCP sever on your LAN, or else the computers must have their DNS server addresses manually configured.
individual clients (computers) to obtain TCP/IP configuration at startup from a server. Leave the DHCP Server check box selected unless your ISP instructs you to do otherwise. Clear it to disable the ZyAIR acting as a DHCP server. When configured as a server, the ZyAIR provides TCP/IP configuration for the clients. If not, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must be manually configured. When set as a server, fill in the following four fields.
This field specifies the first of the contiguous addresses in the IP address pool.
73 Chapter 5 LAN Screens
Table 17 LAN IP
LABEL DESCRIPTION
ZyAIR G-2000 Plus User’s Guide
First DNS Server Second DNS Server Third DNS Server
LAN TCP/IP
IP Address Type the IP address of your ZyAIR in dotted decimal notation 192.168.1.1
IP Subnet Mask The subnet mask specifies the network number portion of an IP address. Your
RIP Direction RIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to
RIP Version The RIP Version field controls the format and the broadcasting method of the
Multicast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol)
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Select From ISP if your ISP dynamically assigns DNS server information (and the ZyAIR's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply.
Select DNS Relay to have the ZyAIR act as a DNS proxy. The ZyAIR's LAN IP address displays in the field to the right (read-only). The ZyAIR tells the DHCP clients on the LAN that the ZyAIR itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyAIR, the ZyAIR forwards the query to the ZyAIR's system DNS server (configured in the SYSTEM General screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a computer in order to access it.
(factory default).
ZyAIR will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyAIR 255.255.255.0.
exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyAIR will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
RIP packets that the ZyAIR sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Chapter 5 LAN Screens 74
ZyAIR G-2000 Plus User’s Guide
Table 17 LAN IP
LABEL DESCRIPTION
Allow between LAN and WAN
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.
Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.

5.5 Configuring Static DHCP

This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
To change your ZyAIR’s Static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown.
75 Chapter 5 LAN Screens
Figure 19 Static DHCP
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 18 Static DHCP
LABEL DESCRIPTION
# This is the index number of the Static IP table entry (row).
MAC Address Type the MAC address (with colons) of a computer on your LAN.
IP Address Type the LAN IP address in this field.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

5.6 Configuring IP Alias

IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyAIR supports three logical LAN interfaces via its single physical Ethernet interface with the ZyAIR itself as the gateway for each LAN network.
To change your ZyAIR’s IP Alias settings, click LAN, then the IP Alias tab. The screen appears as shown.
Chapter 5 LAN Screens 76
ZyAIR G-2000 Plus User’s Guide
Figure 20 IP Alias
The following table describes the labels in this screen.
Table 19 IP Alias
LABEL DESCRIPTION
IP Alias 1,2 Select the check box to configure another LAN network for the ZyAIR.
IP Address Enter the IP address of your ZyAIR in dotted decimal notation.
IP Subnet Mask Your ZyAIR will automatically calculate the subnet mask based on the IP address
that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyAIR.
RIP Direction RIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to
exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyAIR will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version The RIP Version field controls the format and the broadcasting method of the
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.
RIP packets that the ZyAIR sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
77 Chapter 5 LAN Screens
Wireless Configuration and
This chapter discusses how to configure the Wireless and Roaming screens on the ZyAIR.

6.1 Wireless LAN Overview

This section introduces the wireless LAN(WLAN) and some basic scenarios.

6.1.1 IBSS

ZyAIR G-2000 Plus User’s Guide
CHAPTER 6
Roaming
An Independent Basic Service Set (IBSS), also called an Ad-hoc network, is the simplest WLAN configuration. An IBSS is defined as two or more computers with wireless adapters within range of each other that from an independent (wireless) network without the need of an access point (AP).
Figure 21 IBSS (Ad-hoc) Wireless LAN

6.1.2 BSS

A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).
Chapter 6 Wireless Configuration and Roaming 78
ZyAIR G-2000 Plus User’s Guide
Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS is enabled, wireless station A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless station A and B can still access the wired network but cannot communicate with each other.
Figure 22 Basic Service set

6.1.3 ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate.
79 Chapter 6 Wireless Configuration and Roaming
Figure 23 Extended Service Set
ZyAIR G-2000 Plus User’s Guide

6.2 Wireless LAN Basics

Refer also to the Wizard Setup chapter for more background information on Wireless LAN features, such as channels.

6.2.1 RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot “hear” each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
Chapter 6 Wireless Configuration and Roaming 80
ZyAIR G-2000 Plus User’s Guide
Figure 24 RTS/CTS
When station A sends data to the ZyAIR, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.
When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.
Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.
You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the “cost” of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.
If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.
Note:

6.2.2 Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the ZyAIR will fragment the packet into smaller data frames.
81 Chapter 6 Wireless Configuration and Roaming
A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.
If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

6.3 Configuring Wireless

Note: If you are configuring the ZyAIR from a computer
connected to the wireless LAN and you change the ZyAIR’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyAIR’s new settings.
Click the WIRELESS link under ADVANCED to open the Wireless screen.
ZyAIR G-2000 Plus User’s Guide
Chapter 6 Wireless Configuration and Roaming 82
ZyAIR G-2000 Plus User’s Guide
Figure 25 Wireless
The following table describes the general wireless LAN labels in this screen.
Table 20 Wireless
LABEL DESCRIPTION
Enable Wireless LAN
ESSID (Extended Service Set IDentity) The ESSID identifies the Service Set with which a
Click the check box to activate wireless LAN.
wireless station is associated. Wireless stations associating to the access point (AP) must have the same ESSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
Note: If you are configuring the ZyAIR from a computer connected to the wireless LAN and you change the ZyAIR’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyAIR’s new settings.
Hide ESSID Select this check box to hide the ESSID in the outgoing beacon frame so a station
cannot obtain the ESSID through passive scanning using a site survey tool.
Choose Channel ID
RTS/CTS Threshold
Fragmentation Threshold
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.
Set the operating frequency/channel depending on your particular region. Select a channel from the drop-down list box. Refer to the Wizard Setup chapter for more information on channels.
Enter a value between 0 and 2432. The default is 2432.
Enter a value between 256 and 2432. The default is 2432. It is the maximum data fragment size that can be sent.
83 Chapter 6 Wireless Configuration and Roaming
See the Wireless Security chapter for information on the other labels in this screen.

6.4 Configuring Roaming

A wireless station is a device with an IEEE 802.11mode compliant wireless adapter. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area. A wireless station can associate with a particular access point only if it is within the access point’s coverage area.
In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.
The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from a coverage area to another, it scans and uses the channel of a new access point, which then informs the access points on the LAN about the change. The new information is then propagated to the other access points on the LAN. An example is shown in
ZyAIR G-2000 Plus User’s Guide
see Figure 26.
If the roaming feature is not enabled on the access points, information is not communicated between the access points when a wireless station moves between coverage areas. The wireless station may not be able to communicate with other wireless stations on the network and vice versa.
Figure 26 Roaming Example
The steps below describe the roaming process.
Chapter 6 Wireless Configuration and Roaming 84
ZyAIR G-2000 Plus User’s Guide
1 As wireless station Y moves from the coverage area of access point P1 to that of access
point
2 P2, it scans and uses the signal of access point P2.
3 Access point P2 acknowledges the presence of wireless station Y and relays this
information to access point P1 through the wired LAN.
4 Access point P1 updates the new position of wireless station.
5 Wireless station Y sends a request to access point P2 for re-authentication.

6.4.1 Requirements for Roaming

The following requirements must be met in order for wireless stations to roam between the coverage areas.
1 All the access points must be on the same subnet and configured with the same ESSID.
2 If IEEE 802.1x user authentication is enabled and to be done locally on the access point,
the new access point must have the user profile for the wireless station.
3 The adjacent access points should use different radio channels when their coverage areas
overlap.
4 All access points must use the same port number to relay roaming information.
5 The access points must be connected to the Ethernet and be able to get IP addresses from
a DHCP server if using dynamic IP address assignment.
To enable roaming on your ZyAIR, click the WIRELESS link under ADVANCED and then the Roaming tab. The screen appears as shown.
85 Chapter 6 Wireless Configuration and Roaming
Figure 27 Roaming
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 21 Roaming
LABEL DESCRIPTION
Active
Select Yes from the drop-down list box to enable roaming on the ZyAIR if you have two or more ZyAIRs on the same subnet.
Note: All APs on the same subnet and the wireless stations must have the same ESSID to allow roaming.
Port
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.
Enter the port number to communicate roaming information between APs. The port number must be the same on all APs. The default is 3517. Make sure this port is not used by other services.
Chapter 6 Wireless Configuration and Roaming 86
ZyAIR G-2000 Plus User’s Guide
87 Chapter 6 Wireless Configuration and Roaming

Wireless Security

This Chapter describes how to use the MAC Filter, 802.1x, Roaming and RADIUS to configure wireless security on your ZyAIR.

7.1 Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless stations, access points and the wired network.
The figure below shows the possible wireless security levels on your ZyAIR. EAP (Extensible Authentication Protocol) is used for authentication and utilizes dynamic WEP key exchange. It requires interaction with a RADIUS (Remote Authentication Dial-In User Service) server either on the WAN or your LAN to provide authentication service for wireless stations.
ZyAIR G-2000 Plus User’s Guide
CHAPTER 7
Figure 28 ZyAIR Wireless Security Levels
If you do not enable any wireless security on your ZyAIR, your network is accessible to any wireless networking device that is within range.
Select No Security to allow wireless stations to communicate with the access points without any data encryption.
Chapter 7 Wireless Security 88
ZyAIR G-2000 Plus User’s Guide
Figure 29 Wireless: No Security
The following table describes the labels in this screen.
Table 22 Wireless No Security
LABEL DESCRIPTION
Security Choose from one of the security features listed in the drop-down box.
No Security
Static WEP
WPA-PSK
•WPA
802.1x + Dynamic WEP
802.1x + Static WEP
802.1x + No WEP
Enable Breathing LED
Preamble Select a preamble type from the drop-down list menu. Choices are Long, Short and
802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.
Select this check box to enable the Breathing LED, also known as the ZyAIR LED. The blue ZyAIR LED is on when the ZyAIR is on and blinks (or breaths) when data is
being transmitted to/from its wireless stations. Clear the check box to turn this LED off even when the ZyAIR is on and data is being
transmitted/received.
Dynamic. See the section on preamble for more information.
associate with the ZyAIR. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to
associate with the ZyAIR. Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN devices
to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.
89 Chapter 7 Wireless Security

7.2 Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type. You enter manual keys by first selecting 64-bit WEP or 128-bit WEP from the WEP Encryption field and then typing the keys (in ASCII or hexadecimal format) in the key text boxes. MAC address filters are not dependent on how you configure these security features.
Table 23 Wireless Security Relational Matrix
ZyAIR G-2000 Plus User’s Guide
AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL
Open None No Disable
Open WEP No Enable with Dynamic WEP Key
Shared WEP No Enable with Dynamic WEP Key
WPA WEP No Enable
WPA TKIP No Enable
WPA-PSK WEP Yes Enable
WPA-PSK TKIP Ye s Enable

7.3 WEP Overview

ENCRYPTION METHOD
ENTER
MANUAL KEY
Yes Enable without Dynamic WEP
Yes Disable
Yes Enable without Dynamic WEP
Yes Disable
IEEE 802.1X
Key
Key
WEP (Wired Equivalent Privacy) as specified in the IEEE 802.11 standard provides methods for both data encryption and wireless station authentication.

7.3.1 Data Encryption

WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyAIR allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be enabled at any one time.
7.3.1.1 Authentication
Three different methods can be used to authenticate wireless stations to the network: Open System, Shared Key, and Auto. The following figure illustrates the steps involved.
Chapter 7 Wireless Security 90
ZyAIR G-2000 Plus User’s Guide
Figure 30 WEP Authentication Steps
Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect, open system is not authentication at all as any station can gain access to the network.
Shared key authentication involves a four-message procedure. A wireless station sends a shared key authentication request to the AP, which will then reply with a challenge text message. The wireless station must then use the AP’s default WEP key to encrypt the challenge text and return it to the AP, which attempts to decrypt the message using the AP’s default WEP key. If the decrypted message matches the challenge text, the wireless station is authenticated.
When your ZyAIR's authentication method is set to open system, it will only accept open system authentication requests. The same is true for shared key authentication. However, when it is set to auto authentication, the ZyAIR will accept either type of authentication request and the ZyAIR will fall back to use open authentication if the shared key does not match.

7.4 Configuring WEP Encryption

In order to configure and enable WEP encryption; click the WIRELESS link under ADVANCED to display the Wireless screen. Select Static WEP from the Security list.
91 Chapter 7 Wireless Security
Figure 31 Wireless: Static WEP Encryption
ZyAIR G-2000 Plus User’s Guide
The following table describes the wireless LAN security labels in this screen.
Table 24 Wireless: Static WEP Encryption
LABEL DESCRIPTION
Passphrase Enter a Passphrase (up to 32 printable characters) and click Generate. The ZyAIR
WEP Encryption
Authentication Method
ASCII
Hex
automatically generates a WEP key.
Select 64-bit WEP or 128-bit WEP to enable data encryption.
This field is activated when you select 64-bit WEP or 128-bit WEP in the WEP Encryption field.
Select Auto, Open System or Shared Key from the drop-down list box.
Select this option in order to enter ASCII characters as the WEP keys.
Select this option in order to enter hexadecimal characters as the WEP keys.
The preceding "0x", that identifies a hexadecimal key, is entered automatically.
Chapter 7 Wireless Security 92
ZyAIR G-2000 Plus User’s Guide
Table 24 Wireless: Static WEP Encryption
LABEL DESCRIPTION
Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations
must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal
characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal
characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time.
The default key is key 1.
Enable Breathing LED
Preamble Select a preamble type from the drop-down list menu. Choices are Long, Short and
802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.
Select this check box to enable the Breathing LED, also known as the ZyAIR LED. The blue ZyAIR LED is on when the ZyAIR is on and blinks (or breaths) when data is
being transmitted to/from its wireless stations. Clear the check box to turn this LED off even when the ZyAIR is on and data is being
transmitted/received.
Dynamic. See the section on preamble for more information.
associate with the ZyAIR. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to
associate with the ZyAIR. Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN devices
to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.

7.5 Introduction to WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption.

7.5.1 User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using
page 114 for for more information on authentication of Trusted User’s. See later in this
chapter and the appendices for more information on IEEE 802.1x, RADIUS, EAP and PEAP.
If you don’t have an external RADIUS server you should use WPA-PSK (WPA -Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a client will be granted access to a WLAN.
an external RADIUS database. See “Internal RADIUS Server” on
93 Chapter 7 Wireless Security

7.5.2 Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x.
Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.
ZyAIR G-2000 Plus User’s Guide
The RADIUS server distributes a Pairwise Master Key (PMK) key to the
By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network.
The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to­use, consistent, single, alphanumeric password.

7.5.3 WPA-PSK Application Example

A WPA-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key
(PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols).
2 The AP checks each client’s password and (only) allows it to join the network if it
matches its password.
3 The AP derives and distributes keys to the wireless clients.
4 The AP and wireless clients use the TKIP encryption process to encrypt data exchanged
between them.
Chapter 7 Wireless Security 94
ZyAIR G-2000 Plus User’s Guide
Figure 32 WPA - PSK Authentication

7.6 Configuring WPA-PSK Authentication

In order to configure and enable WPA-PSK Authentication; click the WIRELESS link under ADVANCED to display the Wireless screen. Select WPA-PSK from the Security list.
95 Chapter 7 Wireless Security
Figure 33 Wireless: WPA-PSK
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 25 Wireless: WPA-PSK
LABEL DESCRIPTION
Pre-Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same. The only
ReAuthentication Timer (in seconds)
difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials.
Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network
after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
WPA Group Key Update Timer
The WPA Group Key Update Timer is the rate at which the AP (if using WPA- PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the WPA Group Key Update Timer is also supported in WPA-PSK mode. The ZyAIR default is 1800 seconds (30 minutes).
Chapter 7 Wireless Security 96
ZyAIR G-2000 Plus User’s Guide
Table 25 Wireless: WPA-PSK
LABEL DESCRIPTION
Enable Breathing LED
Preamble Select a preamble type from the drop-down list menu. Choices are Long, Short
802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.
Select this check box to enable the Breathing LED, also known as the ZyAIR LED. The blue ZyAIR LED is on when the ZyAIR is on and blinks (or breaths) when data
is being transmitted to/from its wireless stations. Clear the check box to turn this LED off even when the ZyAIR is on and data is
being transmitted/received.
and Dynamic. See the section on preamble for more information.
associate with the ZyAIR. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to
associate with the ZyAIR. Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN
devices to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.

7.7 Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built­in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
The Funk Software's Odyssey client is bundled free (at the time of writing) with the client wireless adaptor(s).

7.7.1 WPA with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA application example with an external RADIUS server looks as follows. “A” is the RADIUS server. “DS” is the distribution system.
1 The AP passes the wireless client’s authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants
or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then
sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
97 Chapter 7 Wireless Security
Figure 34 WPA with RADIUS Application Example
ZyAIR G-2000 Plus User’s Guide

7.8 Configuring WPA Authentication

In order to configure and enable WPA Authentication; click the WIRELESS link under ADVANCED to display the Wireless screen. Select WPA from the Security list.
Chapter 7 Wireless Security 98
ZyAIR G-2000 Plus User’s Guide
Figure 35 Wireless: WPA
The following table describes the labels in this screen.
Table 26 Wireless: WPA
LABEL DESCRIPTION
ReAuthentication Timer (in seconds)
Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network
after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
99 Chapter 7 Wireless Security
Loading...