The contents of this publication may not be reproduced in any part or as a whole, transcribed,
stored in a retrieval system, translated into any language, or transmitted in any form or by any
means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or
otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or
software described herein. Neither does it convey any license under its patent rights nor the
patent rights of others. ZyXEL further reserves the right to make changes in any products
described herein without notice. This publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL
Communications, Inc. Other trademarks mentioned in this publication are used for
identification purposes only and may be properties of their respective owners.
Copyright2
ZyAIR G-2000 Plus User’s Guide
Federal Communications
Commission (FCC) Interference
Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two
conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause
undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital
device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a commercial environment. This equipment
generates, uses, and can radiate radio frequency energy, and if not installed and used in
accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the
interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver
is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance
could void the user's authority to operate the equipment.
Certifications
Go to www.zyxel.com
1 Select your product from the drop-down list box on the ZyXEL home page to go to that
product's page.
2 Select the certification you wish to view from this page
3 Federal Communications Commission (FCC) Interference Statement
ZyAIR G-2000 Plus User’s Guide
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects
in materials or workmanship for a period of up to two years from the date of purchase. During
the warranty period, and upon proof of purchase, should the product have indications of failure
due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the
defective products or components without charge for either parts or labor, and to whatever
extent it shall deem necessary to restore the product or components to proper operating
condition. Any replacement will consist of a new or re-manufactured functionally equivalent
product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not
apply if the product is modified, misused, tampered with, damaged by an act of God, or
subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the
purchaser. This warranty is in lieu of all other warranties, express or implied, including any
implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in
no event be held liable for indirect or consequential damages of any kind of character to the
purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return
Material Authorization number (RMA). Products must be returned Postage Prepaid. It is
recommended that the unit be insured when shipped. Any returned products without proof of
purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of
ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products
will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty
gives you specific legal rights, and you may also have other rights that vary from country to
country.
Safety Warnings
1 To reduce the risk of fire, use only No. 26 AWG or larger telephone wire.
2 Do not use this product near water, for example, in a wet basement or near a swimming
pool.
3 Avoid using this product during an electrical storm. There may be a remote risk of
electric shock from lightening.
This product has been designed for the WLAN 2.4 GHz network throughout the EC region and
Switzerland, with restrictions in France.
ZyXEL Limited Warranty4
ZyAIR G-2000 Plus User’s Guide
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Customer Support
method
location
Corporate
HeadQuarters
(Worldwide)
Czech
Republic
Denmarksupport@zyxel.dk +45 39 55 07 00www.zyxel.dk Z y X E L C o m m u n i c a t i o n s A / S
Finlandsupport@zyxel.fi+358-9-4780-8411www.zyxel.fi Zy X E L C o mm u n ic a t io n s Oy
Franceinfo@zyxel.fr +33 (0)4 72 52 97 97www.zyxel.fr Z y XE L Fr a nc e
Germanysupport@zyxel.de+49-2405-6909-0www.zyxel.deZyXEL Deutschland GmbH.
North America support@zyxel.com+1-800-255-4101
Norwaysupport@zyxel.no +47 22 80 61 80www.zyxel.no Z y X E L C o m m u n i c a t i o n s A / S
Table 151 Log Categories and Available Settings .............................................................. 408
Table 152 Comparison of EAP Authentication Types ......................................................... 419
Table 153 NORTH AMERICAN PLUG STANDARDS ........................................................ 422
Table 154 NORTH AMERICAN PLUG STANDARDS ........................................................ 422
Table 155 EUROPEAN PLUG STANDARDS ..................................................................... 422
Table 156 United Kingdom PLUG STANDARDS ............................................................... 422
Table 157 Japan PLUG STANDARDS ............................................................................... 422
Table 158 Australia and New Zealand plug standards ....................................................... 423
31 List of Tables
ZyAIR G-2000 Plus User’s Guide
Preface
Congratulations on your purchase of the ZyAIR G-2000 Plus - 802.11g Wireless 4 port
Router.
A wireless router is an access point and router rolled into one. It is a cost-effect solution to
share Internet access with multiple computers and expand your wired network.
Your ZyAIR is easy to install and configure.
Note: Register your product online to receive e-mail notices of
firmware upgrades and information at
products, or at
www.us.zyxel.com for North American products.
About This User's Guide
This User’s Guide is designed to guide you through the configuration of your ZyAIR using the
web configurator or the SMT. The web configurator parts of this guide contain background
information on features configurable by web configurator. The SMT parts of this guide
contain background information solely on features not configurable by web configurator
www.zyxel.com for global
Note: Use the web configurator, System Management Terminal (SMT) or
command interpreter interface to configure your ZyAIR. Not all features can
be configured through all interfaces.
Related Documentation
• Supporting Disk
Refer to the included CD for support documents.
• Compact Guide
The Quick Start Guide is designed to help you get up and running right away. It contains
connection information and instructions on getting started.
• Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary
information.
• ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional
support documentation.
Preface32
ZyAIR G-2000 Plus User’s Guide
User Guide Feedback
Help us help you! E-mail all User Guide-related comments, questions or suggestions for
improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing
Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park,
Hsinchu, 300, Taiwan. Thank you!
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for
you to use one predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field
choices are in Bold Arial font. Command and arrow keys are enclosed in square
brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key
and [SPACE BAR] means the Space Bar.
• Mouse action sequences are denoted using a comma. For example, “click the Apple icon,
Control Panels and then Modem” means first click the Apple icon, then point your
mouse pointer to Control Panels and then click Modem.
• For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for
“that is” or “in other words” throughout this manual.
• The ZyAIR G-2000 Plus may be referred to simply as the ZyAIR in the user’s guide.
33 Preface
Graphics Icons Key
ZyAIRComputerNotebook computer
ServerDSLAMFirewall
ModemSwitchRouter
ZyAIR G-2000 Plus User’s Guide
Wireless Signal
Preface34
ZyAIR G-2000 Plus User’s Guide
35 Preface
Getting to Know Your ZyAIR
This chapter introduces the main features and applications of the ZyAIR.
1.1 Introducing the ZyAIR
The ZyAIR G-2000 Plus, an IEEE802.11g compliant broadband wireless sharing gateway,
provides wireless connectivity. As an Internet gateway, your ZyAIR can share an Internet
connection (through a cable or xDSL modem) with multiple computers using SUA/NAT and
DHCP. The ZyAIR offers highly secured wireless connectivity to your wired network with
IEEE 802.1X, WEP data encryption, WPA (Wi-Fi Protected Access) and MAC address
filtering.
ZyAIR G-2000 Plus User’s Guide
CHAPTER 1
The ZyAIR is easy to install and configure. The embedded web-based configurator and SNMP
network management enables remote configuration and management of your ZyAIR.
1.2 ZyAIR Features
The following sections describe the features of the ZyAIR
1.2.1 Physical Features
1.2.1.1 4-Port Switch
A combination of switch and router makes your ZyAIR a cost-effective and viable network
solution. You can connect up to four computers to the LAN ports on you ZyAIR without the
cost of a hub.
This auto-negotiating feature allows the ZyAIR to detect the speed of incoming transmissions
and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps
or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.
The LAN interface automatically adjusts to either a crossover or straight-through Ethernet
cable.
Chapter 1 Getting to Know Your ZyAIR36
ZyAIR G-2000 Plus User’s Guide
1.2.1.4 10/100 Mbps Ethernet WAN
The 10/100 Mbps Ethernet WAN port attaches to the Internet via broadband modem or router.
1.2.1.5 Reset Button
The ZyAIR reset button is built into the side panel. Use this button to restore the factory
default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP
server enabled with a pool of 32 IP addresses starting at 192.168.1.33. .
1.2.1.6 ZyAIR LED
The blue ZyAIR LED (also known as the Breathing LED) is on when the ZyAIR is on and
blinks (or breaths) when data is being transmitted to/from its wireless stations. You may use
the web configurator to turn this LED off even when the ZyAIR is on and data is being
transmitted/received.
1.2.2 Firmware Features
1.2.2.1 Internal RADIUS Server
The ZyAIR has a built-in RADIUS server that can authenticate wireless clients or other AP’s
in other wireless networks.The ZyAIR can also function as an AP and as a RADIUS server at
the same time.
1.2.2.2 Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft.
Key differences between WPA and WEP are user authentication and improved data
encryption.
1.2.2.3 802.11b Wireless LAN Standard
The ZyAIR complies with the 802.11b wireless standard.
The 802.11b data rate and corresponding modulation techniques are shown in the table below.
The modulation technique defines how bits are encoded onto radio waves.
The ZyAIR, complies with the 802.11g wireless standard and is also fully compatible with the
802.11b standard. This means an 802.11b radio card can interface directly with an 802.11g
device (and vice versa) at 11 Mbps or lower depending on range. 802.11g has several
intermediate rate steps between the maximum and minimum data rates. The 802.11g data rate
and modulation are as follows:
Table 2 IEEE 802.11g
.
ZyAIR G-2000 Plus User’s Guide
DATA RATE
(MBPS)
6/9/12/18/24/36/48/54OFDM (Orthogonal Frequency Division Multiplexing)
MODULATION
Note: The ZyAIR may be prone to RF (Radio Frequency)
interference from other 2.4 GHz devices such as microwave
ovens, wireless phones, Bluetooth enabled devices, and other
wireless LANs.
1.2.2.5 STP (Spanning Tree Protocol) / RSTP (Rapid STP)
(R)STP detects and breaks network loops and provides backup links between switches,
bridges or routers. It allows a bridge to interact with other (R)STP -compliant bridges in your
network to ensure that only one path exists between any two stations on the network.
1.2.2.6 Certificates
The ZyAIR can use certificates (also called digital IDs) to authenticate users. Certificates are
based on public-private key pairs. Certificates provide a way to exchange public keys for use
in authentication.
1.2.2.7 Limit the number of Client Connections
You may set a maximum number of wireless stations that may connect to the ZyAIR. This
may be necessary if for example, there is interference or difficulty with channel assignment
due to a high density of APs within a coverage area.
1.2.2.8 SSL Passthrough
SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL
connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites
use the protocol to obtain confidential user information, such as credit card numbers. By
convention, URLs that require an SSL connection start with “https” instead of “http”. The
ZyAIR allows SSL connections to take place through the ZyAIR.
Chapter 1 Getting to Know Your ZyAIR38
ZyAIR G-2000 Plus User’s Guide
1.2.2.9 Firewall
The ZyAIR employs a stateful inspection firewall with DoS (Denial of Service) protection. By
default, when the firewall is activated, all incoming traffic from the WAN to the LAN is
blocked unless it is initiated from the LAN. The ZyAIR firewall supports TCP/UDP
inspection, DoS detection and prevention, real time alerts, reports and logs.
1.2.2.10 Brute-Force Password Guessing Protection
The ZyAIR has a special protection mechanism to discourage brute-force password guessing
attacks on the ZyAIR's management interfaces. You can specify a wait-time that must expire
before entering a fourth password after three incorrect passwords have been entered. Please
see the appendix for details about this feature.
1.2.2.11 Wireless LAN MAC Address Filtering
Your ZyAIR checks the MAC address of the wireless station against a list of allowed or
denied MAC addresses.
1.2.2.12 WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless
network to help keep network communications private.
1.2.2.13 IEEE 802.1X Network Security
The ZyAIR supports the IEEE 802.1x standard to enhance user authentication. Use the built-in
user profile database to authenticate up to 32 users using MD5 encryption. Use an EAPcompatible RADIUS (RFC2138, 2139 - Remote Authentication Dial In User Service) server
to authenticate a limitless number of users using EAP (Extensible Authentication Protocol).
EAP is an authentication protocol that supports multiple types of authentication.
1.2.2.14 Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the ZyAIR and other UPnP-enabled devices can
dynamically join a network, obtain an IP address and convey its capabilities to other devices
on the network.
1.2.2.15 Dynamic DNS Support
With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address,
allowing the host to be more easily accessible from various locations on the Internet. You must
register for this service.
39 Chapter 1 Getting to Know Your ZyAIR
1.2.2.16 PPPoE Support (RFC2516)
PPPoE (Point-to-Point Protocol over Ethernet) emulates a dial-up connection. It allows your
ISP to use their existing network configuration with newer broadband technologies such as
ADSL. The PPPoE driver on the ZyAIR is transparent to the computers on the LAN, which
see only Ethernet and are not aware of PPPoE thus saving you from having to manage PPPoE
clients on individual computers.
1.2.2.17 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of
data from a remote client to a private server, creating a Virtual Private Network (VPN) using a
TCP/IP-based network. PPTP supports on-demand, multi-protocol and virtual private
networking over public networks, such as the Internet. Use PPTP to connect to a broadband
modem to achieve access to high-speed data networks via a familiar "dial-up networking" user
interface.
1.2.2.18 Network Address Translation (NAT)
NAT (Network Address Translation - NAT, RFC 1631) allows the translations of multiple IP
addresses used within one network to different IP addresses known within another network.
ZyAIR G-2000 Plus User’s Guide
1.2.2.19 Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyAIR
cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN
connection fails.
1.2.2.20 NAT for Single-IP-address Internet Access
The ZyAIR's SUA (Single User Account) feature allows multiple-user Internet access for the
cost of a single IP account. NAT supports popular Internet applications such as MS traceroute,
CuSeeMe, IRC, RealPlayer, VDOLive, Quake, and PPTP. No configuration is needed to
support these applications.
DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to
obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyAIR has
built-in DHCP server capability enabled by default. It can assign IP addresses, an IP default
gateway and DNS servers to DHCP clients. The ZyAIR also acts as a surrogate DHCP server
(DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the
clients.
Chapter 1 Getting to Know Your ZyAIR40
ZyAIR G-2000 Plus User’s Guide
1.2.2.22 Multicast
Traditionally, IP packets are transmitted in two ways - unicast or broadcast. Multicast is a
third way to deliver IP packets to a group of hosts. IGMP (Internet Group Management
Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see
RFC 2236). The ZyAIR supports versions 1 and 2.
1.2.2.23 IP Alias
IP Alias allows you to partition a physical network into logical networks over the same
Ethernet interface. The ZyAIR supports three logical LAN interfaces via its single physical
Ethernet LAN interface with the ZyAIR itself as the gateway for each LAN network.
1.2.2.24 IP Policy Routing
IP Policy Routing provides a mechanism to override the default routing behavior and alter
packet forwarding based on the policies defined by the network administrator.
1.2.2.25 SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging
management information between network devices. SNMP is a member of the TCP/IP
protocol suite. Your ZyAIR supports SNMP agent functionality, which allows a manger
station to manage and monitor the ZyAIR through the network. The ZyAIR supports SNMP
version one (SNMPv1) and version two c (SNMPv2c).
1.2.2.26 Full Network Management
The embedded web configurator is an all-platform web-based utility that allows you to easily
access the ZyAIR’s management settings. Most functions of the ZyAIR are also software
configurable via the SMT (System Management Terminal) interface. The SMT is a menudriven interface that you can access from a terminal emulator over a telnet connection.
1.2.2.27 Logging and Tracing
• Built-in message logging and packet tracing.
• Unix syslog facility support.
1.2.2.28 Diagnostics Capabilities
The ZyAIR can perform self-diagnostic tests. These tests check the integrity of the following
circuitry:
• FLASH memory
•DRAM
• LAN port
• Wireless port
41 Chapter 1 Getting to Know Your ZyAIR
1.2.2.29 Embedded FTP and TFTP Servers
The ZyAIR’s embedded FTP and TFTP servers enable fast firmware upgrades as well as
configuration file backups and restoration.
1.2.2.30 Wireless Association List
With the wireless association list, you can see the list of the wireless stations that are currently
using the ZyAIR to access your wired network.
1.2.2.31 Wireless LAN Channel Usage
The Wireless Channel Usage screen displays whether the radio channels are used by other
wireless devices within the transmission range of the ZyAIR. This allows you to select the
channel with minimum interference for your ZyAIR.
1.3 Applications for the ZyAIR
ZyAIR G-2000 Plus User’s Guide
Here is an application example of what you can do with your ZyAIR.
1.3.1 Internet Access Application
Add a wireless LAN to your existing network without expensive network cables. Wireless
stations can move freely anywhere in the coverage area and use resources on the wired
network.
.
Figure 1 Internet Access Application Example
Chapter 1 Getting to Know Your ZyAIR42
ZyAIR G-2000 Plus User’s Guide
43 Chapter 1 Getting to Know Your ZyAIR
Introducing the Web
This chapter describes how to access the ZyAIR web configurator and provides an overview
of its screens. The default IP address of the ZyAIR is 192.168.1.1.
2.1 Web Configurator Overview
The embedded web configurator (ewc) allows you to manage the ZyAIR from anywhere
through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet
Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled. It
is recommended that you set your screen resolution to 1024 by 768 pixels. The screens you see
in the web configurator may vary somewhat from the ones shown in this document due to
differences between individual firmware versions.
ZyAIR G-2000 Plus User’s Guide
CHAPTER 2
Configurator
2.2 Accessing the ZyAIR Web Configurator
1 Make sure your ZyAIR hardware is properly connected and prepare your computer/
computer network to connect to the ZyAIR (refer to the Quick Start Guide).
2 Launch your web browser.
3 Typ e "192.168.1.1" as the URL.
4 Typ e "1234" (default) as the password and click Login. In some versions, the default
password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as
shown next. Type a new password (and retype it to confirm) and click Apply or click
Ignore.
Note: If you do not change the password, the following screen
appears every time you login.
Chapter 2 Introducing the Web Configurator44
ZyAIR G-2000 Plus User’s Guide
Figure 2 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyAIR’s
MAC address that will be specific to this device.
Figure 3 Replace Certificate Screen
You should now see the MAIN MENU screen..
Note: The management session automatically times out when
the time period set in the Administrator Inactivity Timer field
expires (default five minutes). Simply log back into the ZyAIR if
this happens to you.
45 Chapter 2 Introducing the Web Configurator
2.3 Resetting the ZyAIR
If you forget your password or cannot access the web configurator, you will need to reload the
factory-default configuration file or use the RESET button on the side panel of the ZyAIR.
Uploading this configuration file replaces the current configuration file with the factorydefault configuration file. This means that you will lose all configurations that you had
previously and the speed of the console port will be reset to the default of 9600bps with 8 data
bit, no parity, one stop bit and flow control set to none. The password will be reset to 1234,
also.
2.3.1 .Procedure To Use The Reset Button
Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds or until the SYS LED, LINK LED or BRI/RPT
LED turns red, and then release it. If the SYS LED begins to blink, the defaults have been
restored and the ZyAIR restarts. Otherwise, go to step 2.
2 Turn the ZyAIR off.
ZyAIR G-2000 Plus User’s Guide
3 While pressing the RESET button, turn the ZyAIR on.
4 Continue to hold the RESET button. The SYS LED will begin to blink andflicker very
quickly after about 20 seconds. This indicates that the defaults have been restored and the
ZyAIR is now restarting.
5 Release the RESETbutton and wait for the ZyAIR to finish restarting.
2.3.2 Method of Restoring Factory-Defaults Via Web Configurator
Use the web configurator to restore defaults (refer to the Maintenance chapter).
2.4 Navigating the ZyAIR Web Configurator
The following summarizes how to navigate the web configurator from the MAIN MENU
screen.
Note: Follow the instructions you see in the MAIN MENU
screen or click the
most screens) to view online help.
icon (located in the top right corner of
The icon does not appear in the MAIN MENU screen.
Chapter 2 Introducing the Web Configurator46
ZyAIR G-2000 Plus User’s Guide
Figure 4 The MAIN MENU Screen of the Web Configurator
Use submenus to configure ZyAIR features.
Click WIZARD SETUP for initial configuration including general setup, wireless LAN
setup, ISP Parameters for Internet Access and WAN IP/DNS/MAC Address Assignment.
Click the links under ADVANCED to configure advanced features such as SYSTEM
(General Setup, Dynamic DNS, Password and Time Setting), LAN (DHCP and TCP/IP
Setup), WLAN (WLAN and WLAN Security Setup), WAN, SUA/NAT, STATIC ROUTE
(Route Entry), FIREWALL (Settings, Filter and Services), Internal RADIUS Server
Trusted AP and Trusted User databases
), CERTIFICATES (My Certificates, Trusted CAs),
(Settings,
REMOTE MGNT (Telnet, FTP, WWW, SNMP, DNS and Security), UPnP and Logs (View
Log, Log Settings and Reports).
Click MAINTENANCE to view information about your ZyAIR or upgrade configuration/
firmware files. Maintenance includes Status (Statistics), Association List, Channel Usage,
F/W (firmware) Upload, Configuration (Backup, Restore and Default) and Restart
Click LOGOUT at any time to exit the web configurator
47 Chapter 2 Introducing the Web Configurator
The web configurator’s setup wizard helps you configure your ZyAIR for Internet access and
set up wireless LAN.
3.1 Wizard Setup Overview
The web configurator’s setup wizard helps you configure your device to access the Internet.
The second screen has three variations depending on what encapsulation type you use. Refer
to your ISP checklist in the Quick Start Guide to know what to enter in each field. Leave a
field blank if you don’t have that information.
3.1.1 Channel
ZyAIR G-2000 Plus User’s Guide
CHAPTER 3
Wizard Setup
A channel is the radio frequency(ies) used by IEEE 802.11b and IEEE 802.11g wireless
devices. Channels available depend on your geographical area. You may have a choice of
channels (for your region) so you should use a different channel than an adjacent AP (access
point) to reduce interference. Interference occurs when radio signals from different access
points overlap causing interference and degrading performance.
Adjacent channels partially overlap however. To avoid interference due to overlap, your AP
should be on a channel at least five channels away from a channel that an adjacent AP is using.
For example, if your region has 11 channels and an adjacent AP is using channel 1, then you
need to select a channel between 6 or 11.
3.1.2 ESS ID
An Extended Service Set (ESS) is a group of access points connected to a wired LAN on the
same subnet. An ESS ID uniquely identifies each set. All access points and their associated
wireless stations in the same set must have the same ESSID.
3.1.3 WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless
network. WEP encryption scrambles the data transmitted between the wireless stations and the
access points to keep network communications private. It encrypts unicast and multicast
communications in a network. Both the wireless stations and the access points must use the
same WEP key for data encryption and decryption.
Chapter 3 Wizard Setup48
ZyAIR G-2000 Plus User’s Guide
3.1.4 WPA-PSK
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft.
Key differences between WPA and WEP are user authentication and improved data
encryption.The encryption mechanisms used for WPA and WPA-PSK are the same. The only
difference between the two is that WPA-PSK uses a simple common password, instead of
user-specific credentials. The common-password approach makes WPA-PSK susceptible to
brute-force password-guessing attacks but it’s still an improvement over WEP as it employs
an easier-to-use, consistent, single, alphanumeric password.
Therefore, if you don’t have an external RADIUS server you should use WPA-PSK (WPA Pre-Shared Key) that only requires a single (identical) password entered into each access
point, wireless gateway and wireless client. As long as the passwords match, a client will be
granted access to a WLAN.
3.2 Wizard Setup: General Setup
General Setup contains administrative and system-related information.
The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave
this blank, the domain name obtained by DHCP from the ISP is used. While you must enter
the host name (System Name) on each individual computer, the domain name can be assigned
from the ZyAIR via DHCP.
49 Chapter 3 Wizard Setup
Figure 5 Wizard 1 : General Setup
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 3 Wizard 1 : General Setup
LABELDESCRIPTION
System NameIt is recommended you type your computer's "Computer name".
In Windows 95/98 click Start, Settings, Control Panel, Network. Click the
Identification tab, note the entry for the Computer Name field and enter it as the
System Name.
In Windows 2000, click Start, Settings, Control Panel and then double-click
System. Click the Network Identification tab and then the Properties button.
Note the entry for the Computer name field and enter it as the System Name.
In Windows XP, click Start, My Computer, View system information and then
click the Computer Name tab. Note the entry in the Full computer name field
and enter it as the ZyAIR System Name.
This name can be up to 30 alphanumeric characters long. Spaces are not
allowed, but dashes "-" and underscores "_" are accepted.
Domain NameThis is not a required field. Leave this field blank or enter the domain name here
NextClick Next to proceed to the next screen.
if you know it.
3.3 Wizard Setup: Wireless LAN
Use the second wizard screen to set up the wireless LAN.
Chapter 3 Wizard Setup50
ZyAIR G-2000 Plus User’s Guide
Figure 6 Wizard 2 : Wireless LAN Setup
The following table describes the labels in this screen.
Table 4 Wizard 2 : Wireless LAN Setup
LABELDESCRIPTION
Wireless LAN Setup
ESSIDEnter a descriptive name (up to 32 printable 7-bit ASCII characters) for the
Choose Channel IDTo manually set the ZyAIR to use a channel, select a channel from the drop-
SecurityThe level of Security can be selected as none, basic or extended. Choose
BackClick Back to return to the previous screen.
NextClick Next to continue.
wireless LAN.
If you change this field on the ZyAIR, make sure all wireless stations use the
same SSID in order to access the network.
down list box. Open the Channel Usage screen to make sure the channel is
not already used by another AP or independent peer-to-peer wireless network.
None security to have no wireless LAN security configured and proceed to the
ISP Parameters for Internet Access screen.
Choose Basic (WEP) security if you want to configure WEP Encryption
parameters.
Choose Extend(WPA-PSK) security to configure a Pre-Shared Key.
The third screen varies depending on which security level you select.
Note: The wireless stations and ZyAIR must use the same
ESSID, channel ID and WEP encryption key (if WEP is
enabled) or WPA-PSK (if WPA-PSK is enabled) for wireless
communication
3.4 Wizard Setup: Screen 3
Choose Basic (WEP) security to setup WEP Encryption parameters.
51 Chapter 3 Wizard Setup
Figure 7 Wizard 3: Wireless LAN Setup: Basic Security
The following table describes the labels in this screen.
Table 5 Wizard 3: Wireless LAN Setup: Basic Security
ZyAIR G-2000 Plus User’s Guide
LABELDESCRIPTION
PassphraseYou can generate or manually enter a WEP key by either:
Entering a Passphrase (up to 32 printable characters) and clicking Generate. The
Prestige automatically generates a WEP key.
Or
Entering a manual key in a Key field and selecting ASCII or Hex WEP key input
method.
WEP
Encryption
Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations
BackClick Back to display the previous screen.
NextClick Next to proceed to the next screen.
Select 64-bit WEP or 128-bit WEP to allow data encryption.
ASCII Select this option in order to enter ASCII characters as the WEP keys.
HEX Select this option to enter hexadecimal characters as the WEP keys.
The preceding “0x” is entered automatically.
must use the same WEP key for data transmission.
If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal
characters ("0-9", "A-F").
ZyAIRIf you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal
characters ("0-9", "A-F").
You must configure all four keys, but only one key can be activated at any one time.
The default key is key 1.
Choose Extend (WPA-PSK) security in the Wireless LAN Setup screen to set up a Pre-
Shared Key.
Chapter 3 Wizard Setup52
ZyAIR G-2000 Plus User’s Guide
Figure 8 Wizard 3: Wireless LAN Setup: Extend Security
The following table describes the labels in this screen.
Table 6 Wizard 3: Wireless LAN Setup: Extend Security
LABELDESCRIPTION
Pre-Shared
Key
BackClick Back to display the previous screen.
NextClick Next to proceed to the next screen.
Type from 8 to 63 case-sensitive ASCII characters. You can set up the most secure
wireless connection by configuring WPA in the advanced wireless screen. You need to
configure an authentication server to do this.
Refer to the chapter on wireless LAN for more information.
3.5 Wizard Setup: Screen 4
The ZyAIR offers three choices of encapsulation. They are Ethernet, PPP over Ethernet or
PPTP.
3.5.1 Ethernet
Choose Ethernet when the WAN port is used as a regular Ethernet.
53 Chapter 3 Wizard Setup
Figure 9 Wizard 4: Ethernet Encapsulation
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 7 Wizard 4: Ethernet Encapsulation
LABELDESCRIPTION
ISP Parameters for Internet Access
EncapsulationYou must choose the Ethernet option when the WAN port is used as a regular
Ethernet. Otherwise, choose PPP over Ethernet or PPTP for a dial-up connection.
Service TypeChoose from Standard, Tels tra (RoadRunner Telstra authentication method), RR-
User NameType the user name given to you by your ISP.
PasswordType the password associated with the user name above.
Login Server IP
Address
Login Server This field only applies when you select Telia Login in the Service Type field. Type
The following fields are not applicable (N/A) for the Standard service type.
Type the authentication server IP address here if your ISP gave you one.
the domain name of the Telia login server, for example “login1.telia.com”.
This field only applies when you select Telia Login in the Service Type field. The
Telia server logs the ZyAIR out if the ZyAIR does not log in periodically. Type the
number of minutes from 1 to 59 (30 default) for the ZyAIR to wait between logins.
Chapter 3 Wizard Setup54
ZyAIR G-2000 Plus User’s Guide
3.5.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an
IETF (Internet Engineering Task Force) draft standard specifying how a host personal
computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to
achieve access to high-speed data networks.
For the service provider, PPPoE offers an access and authentication method that works with
existing access control systems (for instance, Radius). For the user, PPPoE provides a login
and authentication method that the existing Microsoft Dial-Up Networking software can
activate, and therefore requires no new learning or procedures for Windows users.
One of the benefits of PPPoE is the ability to let end users access one of multiple network
services, a function known as dynamic service selection. This enables the service provider to
easily create and offer new IP services for specific users.
Operationally, PPPoE saves significant effort for both the subscriber and the ISP/carrier, as it
requires no specific configuration of the broadband modem at the subscriber’s site.
By implementing PPPoE directly on the ZyAIR (rather than individual computers), the
computers on the LAN do not need PPPoE software installed, since the ZyAIR does that part
of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
Refer to the appendix for more information on PPPoE.
55 Chapter 3 Wizard Setup
Figure 10 Wizard 4: PPPoE Encapsulation
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 8 Wizard 4: PPPoE Encapsulation
LABELDESCRIPTION
ISP Parameter for Internet Access
EncapsulationChoose PPP over Ethernet from the pull-down list box. PPPoE forms a dial-up
connection.
Service Name Type the name of your service provider.
User NameType the user name given to you by your ISP.
Password Type the password associated with the user name above.
Nailed-Up
Connection
Idle TimeoutType the time in seconds that elapses before the router automatically disconnects
NextClick Next to continue.
BackClick Back to return to the previous screen.
Select Nailed-Up Connection if you do not want the connection to time out.
from the PPPoE server. The default time is 100 seconds.
3.5.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data
from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/
IP-based networks.
Chapter 3 Wizard Setup56
ZyAIR G-2000 Plus User’s Guide
PPTP supports on-demand, multi-protocol, and virtual private networking over public
networks, such as the Internet.
Refer to the appendix for more information on PPTP.
Figure 11 Wizard 4: PPTP Encapsulation
Note: The ZyAIR supports one PPTP server connection at any
given time.
The following table describes the fields in this screen
Table 9 Wizard 4: PPTP Encapsulation
LABELDESCRIPTION
ISP Parameters for Internet Access
EncapsulationSelect PPTP from the drop-down list box.
User NameType the user name given to you by your ISP.
PasswordType the password associated with the User Name above.
Nailed-Up
Connection
Idle TimeoutType the time in seconds that elapses before the router automatically disconnects
PPTP Configuration
57 Chapter 3 Wizard Setup
Select Nailed-Up Connection if you do not want the connection to time out.
from the PPTP server. The default is 100 seconds.
Table 9 Wizard 4: PPTP Encapsulation
LABELDESCRIPTION
My IP AddressType the (static) IP address assigned to you by your ISP.
My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
Server IP AddressType the IP address of the PPTP server.
Connection ID/
Name
BackClick Back to return to the previous screen.
NextClick Next to continue.
Enter the connection ID or connection name in this field. It must follow the "c:id"
and "n:name" format. For example, C:12 or N:My ISP.
This field is optional and depends on the requirements of your ISP.
3.6 Wizard Setup: Screen 5
The fifth wizard screen allows you to configure WAN IP address assignment, DNS server
address assignment and the WAN MAC address.
ZyAIR G-2000 Plus User’s Guide
3.6.1 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated
from the Internet, for instance, only between your two branch offices, you can assign any IP
addresses to the hosts without problems. However, the Internet Assigned Numbers Authority
(IANA) has reserved the following three blocks of IP addresses specifically for private
networks.
Table 10 Private IP Address Ranges
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private
network. If you belong to a small organization and your Internet access is through an ISP, the
ISP can provide you with the Internet addresses for your local networks. On the other hand, if
you are part of a much larger organization, you should consult your network administrator for
the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an
arbitrary IP address; always follow the guidelines above. For
more information on address assignment, please refer to RFC
1597, Address Allocation for Private Internets and RFC 1466,
Guidelines for Management of IP Address Space.
Chapter 3 Wizard Setup58
ZyAIR G-2000 Plus User’s Guide
3.6.2 IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, so too do computers on a
LAN share one common network number.
Where you obtain your network number depends on your particular situation. If the ISP or
your network administrator assigns you a block of registered IP addresses, follow their
instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single
user account and the ISP will assign you a dynamic IP address when the connection is
established. The Internet Assigned Number Authority (IANA) reserved this block of addresses
specifically for private use; please do not use any other number unless you are told otherwise.
Let's say you select 192.168.1.0 as the network number; which covers 254 individual
addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the
first three numbers specify the network number while the last number identifies an individual
computer on that network.
Once you have decided on the network number, pick an IP address that is easy to remember,
for instance, 192.168.1.1, for your ZyAIR, but make sure that no other device on your network
is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyAIR will
compute the subnet mask automatically based on the IP address that you entered. You don't
need to change the subnet mask computed by the ZyAIR unless you are instructed to do
otherwise.
3.6.3 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and
vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is
extremely important because without it, you must know the IP address of a computer before
you can access it.
The ZyAIR can get the DNS server addresses in the following ways.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet,
when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS
Server fields in DHCP Setup.
2 If the ISP did not give you DNS server information, leave the DNS Server fields in
DHCP Setup set to 0.0.0.0 for the ISP to dynamically assign the DNS server IP addresses.
3.6.4 WAN MAC Address
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address
is assigned at the factory and consists of six pairs of hexadecimal characters, for example,
00:A0:C5:00:00:02.
59 Chapter 3 Wizard Setup
ZyAIR G-2000 Plus User’s Guide
You can configure the WAN port's MAC address by either using the factory default or cloning
the MAC address from a computer on your LAN. Once it is successfully configured, the
address will be copied to the "rom" file (ZyNOS configuration file). It will not change unless
you change the setting or upload a different "rom" file.
Note: ZyXEL recommends you clone the MAC address from a
computer on your LAN even if your ISP does not require MAC
address authentication.
Table 11 Example of Network Properties for LAN Servers with Fixed IP Addresses
Choose an IP address192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254.
Subnet mask 255.255.255.0
Gateway (or default route)192.168.1.1(ZyAIR LAN IP)
The fifth wizard screen varies according to the type of encapsulation that you select in the
third wizard screen.
Chapter 3 Wizard Setup60
ZyAIR G-2000 Plus User’s Guide
Figure 12 Wizard 5: WAN Setup
The following table describes the labels in this screen
Table 12 Wizard 5: WAN Setup
LABELDESCRIPTION
WAN IP Address Assignment
Get automatically from
ISP
Use fixed IP addressSelect this option If the ISP assigned a fixed IP address. Enter a subnet
My WAN IP AddressEnter your WAN IP address in this field if you selected Use Fixed IP
My WAN IP Subnet MaskEnter a Subnet Mask appropriate to your network. a
Gateway IP AddressEnter the Gateway IP Address of the neighboring device, if you know it. If
System DNS Server Address Assignment (if applicable)
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice
versa. The DNS server is extremely important because without it, you must know the IP address of a
computer before you can access it. The ZyAIR uses a system DNS server (in the order you specify
here) to resolve domain names for VPN, DDNS and the time server.
Select this option If your ISP did not assign you a fixed IP address. This is
the default selection.
mask appropriate to your network and the gateway IP address if
applicable.
Address.
you do not, leave the Gateway IP Address field as 0.0.0.0.
61 Chapter 3 Wizard Setup
Table 12 Wizard 5: WAN Setup
LABELDESCRIPTION
ZyAIR G-2000 Plus User’s Guide
First DNS Server
Second DNS Server
Third DNS Server
WAN MAC AddressThe MAC address field allows you to configure the WAN port's MAC
Factory Default Select this option to use the factory assigned default MAC Address.
Spoof this Computer's
MAC address - IP Address
BackClick Back to return to the previous screen.
NextClick Next to continue.
Select From ISP if your ISP dynamically assigns DNS server information
(and the ZyAIR's WAN IP address). The field to the right displays the (readonly) DNS server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the
DNS server's IP address in the field to the right.
Select None if you do not want to configure DNS servers. If you do not
configure a system DNS server, you must use IP addresses when
configuring VPN, DDNS and the time server.
Address by either using the factory default or cloning the MAC address
from a computer on your LAN.
Select this option and enter the IP address of the computer on the LAN
whose MAC you are cloning. Once it is successfully configured, the
address will be copied to the rom file (ZyNOS configuration file). It will not
change unless you change the setting or upload a different rom file. It is
advisable to clone the MAC address from a computer on your LAN even if
your ISP does not presently require MAC address authentication.
3.7 Basic Setup Complete
Click Back to return to the previous screen or click Finish to complete and save the wizard
setup.
Chapter 3 Wizard Setup62
ZyAIR G-2000 Plus User’s Guide
Figure 13 Wizard Finish
Well done! You have successfully set up the ZyAIR. A congratulations screen displays some
information.
63 Chapter 3 Wizard Setup
4.1 System Overview
This section provides information on general system setup.
4.2 Configuring General Setup
Click the SYSTEM link under ADVANCED to open the General screen.
Figure 14 System General Setup
ZyAIR G-2000 Plus User’s Guide
CHAPTER 4
System Screens
The following table describes the labels in this screen.
Table 13 System General Setup
LABELDESCRIPTION
General Setup
System NameType a descriptive name to identify the ZyAIR in the Ethernet network.
This name can be up to 30 alphanumeric characters long. Spaces are not
allowed, but dashes "-" and underscores "_" are accepted.
Domain NameThis is not a required field. Leave this field blank or enter the domain name
Chapter 4 System Screens64
here if you know it.
ZyAIR G-2000 Plus User’s Guide
Table 13 System General Setup
LABELDESCRIPTION
Administrator
Inactivity Timer
System DNS Servers
First DNS Server
Second DNS Server
Third DNS Server
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to reload the previous configuration for this screen.
4.3 Dynamic DNS
Type how many minutes a management session (either via the web
configurator or SMT) can be left idle before the session times out.
The default is 5 minutes. After it times out you have to log in with your
password again. Very long idle timeouts may have security risks.
A value of "0" means a management session never times out, no matter how
long it has been left idle (not recommended).
Select From DHCP if your DHCP server dynamically assigns DNS server
information (and the ZyAIR's Ethernet IP address). The field to the right
displays the (read-only) DNS server IP address that the DHCP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the
DNS server's IP address in the field to the right. If you chose User-Defined, but
leave the IP address set to 0.0.0.0, User-Defined changes to None after you
click Apply. If you set a second choice to User-Defined, and enter the same IP
address, the second User-Defined changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not
configure a DNS server, you must know the IP address of a machine in order to
access it.
The default setting is None.
Dynamic DNS allows you to update your current dynamic IP address with one or many
dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You
can also access your FTP server or Web site on your own computer using a domain name (for
instance myhost.dhs.org, where myhost is a name of your choice) that will never change
instead of using an IP address that changes each time you reconnect. Your friends or relatives
will always be able to call you even if they don't know your IP address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is
for people with a dynamic IP from their ISP or DHCP server that would still like to have a
domain name. The Dynamic DNS service provider will give you a password or key.
4.3.1 DynDNS Wildcard
Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the
same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use,
for example, www.yourhost.dyndns.org and still reach your hostname.
Note: If you have a private WAN IP address, then you cannot
use Dynamic DNS.
65 Chapter 4 System Screens
4.4 Configuring Dynamic DNS
To change your ZyAIR’s DDNS, click SYSTEM, then the DDNS tab. The screen appears as
shown.
Figure 15 DDNS
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 14 DDNS
LABELDESCRIPTION
Enable DDNSSelect this check box to use dynamic DNS.
Service ProviderSelect the name of your Dynamic DNS service provider.
DDNS TypeSelect the type of service that you are registered for from your Dynamic DNS
service provider.
Host Names 1~3Enter the host names in the three fields provided. You can specify up to two
host names in each field separated by a comma (",").
User NameEnter your user name.
PasswordEnter the password assigned to you.
Enable Wildcard Option Select the check box to enable DynDNS Wildcard.
Enable off line optionThis option is available when CustomDNS is selected in the DDNS Type
field. Check with your Dynamic DNS service provider to have traffic
redirected to a URL (that you can specify) while you are off line.
IP Address Update Policy:
Chapter 4 System Screens66
ZyAIR G-2000 Plus User’s Guide
Table 14 DDNS
LABELDESCRIPTION
Use WAN IP addressSelect this option to update the IP address of the host name(s) automatically
by the DDNS server. It is recommended that you select this option.
DDNS server auto
detect IP Address
Use specified IP
Address
IP AddressEnter the IP address if you select the Use specified IP Address option.
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to begin configuring this screen afresh.
Select this option to update the IP address of the host name(s) automatically
by the DDNS server. It is recommended that you select this option.
Select this option to update the IP address of the host name(s) to the IP
address specified below. Use this option if you have a static IP address.
4.5 Configuring Password
To change your ZyAIR’s password (recommended), click the SYSTEM link under
ADVANCED andthen the Password tab. The screen appears as shown. This screen allows
you to change the ZyAIR’s password.
If you forget your password (or the ZyAIR IP address), you will need to reset the ZyAIR. See
the Resetting the ZyAIR section for details
Figure 16 Password.
The following table describes the labels in this screen.
Table 15 Password
LABELDESCRIPTIONS
Old PasswordType in your existing system password (1234 is the default password).
New PasswordType your new system password (up to 31 characters). Note that as you type a
Retype to ConfirmRetype your new system password for confirmation.
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to reload the previous configuration for this screen.
password, the screen displays an asterisk (*) for each character you type.
67 Chapter 4 System Screens
4.6 Configuring Time Setting
To change your ZyAIR’s time and date, click the SYSTEM link under ADVANCED and then
the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyAIR’s
time based on your local time zone.
Figure 17 Time Setting
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 16 Time Setting
LABELDESCRIPTION
Time ProtocolSelect the time service protocol that your time server sends when you turn on
Time Server AddressEnter the IP address or the URL of your time server. Check with your ISP/
Current Time
(hh:mm:ss)
Chapter 4 System Screens68
the ZyAIR. Not all time servers support all protocols, so you may have to check
with your ISP/network administrator or use trial and error to find a protocol that
works.
The main difference between them is the format.
Daytime (RFC 867) format is day/month/year/time zone of the server.
Time (RFC 868) format displays a 4-byte integer giving the total number of
seconds since 1970/1/1 at 0:0:0.
The default, NTP (RFC 1305), is similar to Time (RFC 868).
Select None to enter the time and date manually.
network administrator if you are unsure of this information.
This field displays the time of your ZyAIR.
Each time you reload this page, the ZyAIR synchronizes the time with the time
server.
ZyAIR G-2000 Plus User’s Guide
Table 16 Time Setting
LABELDESCRIPTION
New Time (hh:mm:ss) This field displays the last updated time from the time server.
Current Date (yyyy/
mm/dd)
New Date (yyyy/mm/
dd)
Time ZoneChoose the time zone of your location. This will set the time difference
Daylight SavingsSelect this option if you use daylight savings time. Daylight saving is a period
Start Date (mm-dd)Enter the month and day that your daylight-savings time starts on if you
End Date (mm-dd)Enter the month and day that your daylight-savings time ends on if you
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to reload the previous configuration for this screen.
When you select None in the Time Protocol field, enter the new time in this
field and then click Apply.
This field displays the date of your ZyAIR.
Each time you reload this page, the ZyAIR synchronizes the date with the time
server.
This field displays the last updated date from the time server.
When you select None in the Time Protocol field, enter the new date in this
field and then click Apply.
between your time zone and Greenwich Mean Time (GMT).
from late spring to early fall when many countries set their clocks ahead of
normal local time by one hour to give more daytime light in the evening.
selected Daylight Savings.
selected Daylight Savings.
69 Chapter 4 System Screens
This chapter describes how to configure LAN settings.
5.1 LAN Overview
Local Area Network (LAN) is a shared communication system to which many computers are
attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses,
and partition your physical network into logical networks.
5.2 DHCP Setup
ZyAIR G-2000 Plus User’s Guide
CHAPTER 5
LAN Screens
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual
clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyAIR
as a DHCP server or disable it. When configured as a server, the ZyAIR provides the TCP/IP
configuration for the clients. If DHCP service is disabled, you must have another DHCP server
on your LAN, or else the computer must be manually configured.
5.2.1 IP Pool Setup
The ZyAIR is pre-configured with a pool of 32 IP addresses starting from 192.168.1.33 to
192.168.1.64. This configuration leaves 31 IP addresses (excluding the ZyAIR itself) in the
lower range for other server computers, for instance, servers for mail, FTP, TFTP, web, etc.,
that you may have.
5.2.2 System DNS Servers
Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter.
5.3 LAN TCP/IP
The ZyAIR has built-in DHCP server capability that assigns IP addresses and DNS servers to
systems that support DHCP client capability.
5.3.1 Factory LAN Defaults
The LAN parameters of the ZyAIR are preset in the factory with the following values:
Chapter 5 LAN Screens70
ZyAIR G-2000 Plus User’s Guide
• IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
• DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.
These parameters should work for the majority of installations. If your ISP gives you explicit
DNS server address(es), read the embedded web configurator help regarding what fields need
to be configured.
5.3.2 IP Address and Subnet Mask
Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this
information.
5.3.3 RIP Setup
RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange
routing information with other routers. RIP Direction controls the sending and receiving of
RIP packets. When set to Both or Out Only, the ZyAIR will broadcast its routing table
periodically. When set to Both or In Only, it will incorporate the RIP information that it
receives; when set to None, it will not send any RIP packets and will ignore any RIP packets
received.
RIP Version controls the format and the broadcasting method of the RIP packets that the
ZyAIR sends (it recognizes both formats when receiving). RIP-1 is universally supported; but
RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you
have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the
load on non-router machines since they generally do not listen to the RIP multicast address
and so will not receive the RIP packets. However, if one router uses multicasting, then all
routers on your network must use multicasting, also.
By default, RIP Direction is set to Both and RIP Version to RIP-1.
5.3.4 Multicast
Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1
recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to
a group of hosts on the network - not everybody and not just 1.
IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish
membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC
2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If
you would like to read more detailed information about interoperability between IGMP
version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is
used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address
71 Chapter 5 LAN Screens
224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address
224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts
(including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP.
The address 224.0.0.2 is assigned to the multicast routers group.
The ZyAIR supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At
start up, the ZyAIR queries all directly connected networks to gather group membership. After
that, the ZyAIR periodically updates this information. IP multicasting can be enabled/disabled
on the ZyAIR LAN and/or WAN interfaces in the web configurator (LAN; WAN ). Select
None to disable IP multicasting on these interfaces.
5.4 Configuring IP
Click LAN to open the IP screen.
ZyAIR G-2000 Plus User’s Guide
Chapter 5 LAN Screens72
ZyAIR G-2000 Plus User’s Guide
Figure 18 LAN IP
The following table describes the labels in this screen.
Pool SizeThis field specifies the size, or count of the IP address pool.
DNS Servers Assigned by DHCP Server
The ZyAIR passes a DNS (Domain Name System) server IP address (in the order you specify here) to
the DHCP clients. The ZyAIR only passes this information to the LAN DHCP clients when you select the
DHCP Server check box. When you clear the DHCP Server check box, DHCP service is disabled and
you must have another DHCP sever on your LAN, or else the computers must have their DNS server
addresses manually configured.
individual clients (computers) to obtain TCP/IP configuration at startup from a
server. Leave the DHCP Server check box selected unless your ISP instructs
you to do otherwise. Clear it to disable the ZyAIR acting as a DHCP server. When
configured as a server, the ZyAIR provides TCP/IP configuration for the clients. If
not, DHCP service is disabled and you must have another DHCP server on your
LAN, or else the computers must be manually configured. When set as a server,
fill in the following four fields.
This field specifies the first of the contiguous addresses in the IP address pool.
73 Chapter 5 LAN Screens
Table 17 LAN IP
LABELDESCRIPTION
ZyAIR G-2000 Plus User’s Guide
First DNS Server
Second DNS Server
Third DNS Server
LAN TCP/IP
IP AddressType the IP address of your ZyAIR in dotted decimal notation 192.168.1.1
IP Subnet MaskThe subnet mask specifies the network number portion of an IP address. Your
RIP DirectionRIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to
RIP VersionThe RIP Version field controls the format and the broadcasting method of the
MulticastSelect IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol)
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP
or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For
some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it
may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a
computer on the WAN.
Select From ISP if your ISP dynamically assigns DNS server information (and
the ZyAIR's WAN IP address). The field to the right displays the (read-only) DNS
server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS
server's IP address in the field to the right. If you chose User-Defined, but leave
the IP address set to 0.0.0.0, User-Defined changes to None after you click
Apply. If you set a second choice to User-Defined, and enter the same IP
address, the second User-Defined changes to None after you click Apply.
Select DNS Relay to have the ZyAIR act as a DNS proxy. The ZyAIR's LAN IP
address displays in the field to the right (read-only). The ZyAIR tells the DHCP
clients on the LAN that the ZyAIR itself is the DNS server. When a computer on
the LAN sends a DNS query to the ZyAIR, the ZyAIR forwards the query to the
ZyAIR's system DNS server (configured in the SYSTEM General screen) and
relays the response back to the computer. You can only select DNS Relay for
one of the three servers; if you select DNS Relay for a second or third DNS
server, that choice changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure
a DNS server, you must know the IP address of a computer in order to access it.
(factory default).
ZyAIR will automatically calculate the subnet mask based on the IP address that
you assign. Unless you are implementing subnetting, use the subnet mask
computed by the ZyAIR 255.255.255.0.
exchange routing information with other routers. The RIP Direction field controls
the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyAIR will broadcast
its routing table periodically. When set to Both or In Only, it will incorporate the
RIP information that it receives; when set to None, it will not send any RIP
packets and will ignore any RIP packets received. Both is the default.
RIP packets that the ZyAIR sends (it recognizes both formats when receiving).
RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is
probably adequate for most networks, unless you have an unusual network
topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the
difference being that RIP-2B uses subnet broadcasting while RIP-2M uses
multicasting. Multicasting can reduce the load on non-router machines since they
generally do not listen to the RIP multicast address and so will not receive the
RIP packets. However, if one router uses multicasting, then all routers on your
network must use multicasting, also. By default, RIP direction is set to Both and
the Version set to RIP-1.
is a network-layer protocol used to establish membership in a Multicast group - it
is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement
over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would
like to read more detailed information about interoperability between IGMP
version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Chapter 5 LAN Screens74
ZyAIR G-2000 Plus User’s Guide
Table 17 LAN IP
LABELDESCRIPTION
Allow between LAN
and WAN
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to begin configuring this screen afresh.
Select this check box to forward NetBIOS packets from the LAN to the WAN and
from the WAN to the LAN. If your firewall is enabled with the default policy set to
block WAN to LAN traffic, you also need to enable the default WAN to LAN
firewall rule that forwards NetBIOS traffic.
Clear this check box to block all NetBIOS packets going from the LAN to the
WAN and from the WAN to the LAN.
5.5 Configuring Static DHCP
This table allows you to assign IP addresses on the LAN to specific individual computers
based on their MAC Addresses.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address
is assigned at the factory and consists of six pairs of hexadecimal characters, for example,
00:A0:C5:00:00:02.
To change your ZyAIR’s Static DHCP settings, click LAN, then the Static DHCP tab. The
screen appears as shown.
75 Chapter 5 LAN Screens
Figure 19 Static DHCP
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 18 Static DHCP
LABELDESCRIPTION
#This is the index number of the Static IP table entry (row).
MAC AddressType the MAC address (with colons) of a computer on your LAN.
IP AddressType the LAN IP address in this field.
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to begin configuring this screen afresh.
5.6 Configuring IP Alias
IP Alias allows you to partition a physical network into different logical networks over the
same Ethernet interface. The ZyAIR supports three logical LAN interfaces via its single
physical Ethernet interface with the ZyAIR itself as the gateway for each LAN network.
To change your ZyAIR’s IP Alias settings, click LAN, then the IP Alias tab. The screen
appears as shown.
Chapter 5 LAN Screens76
ZyAIR G-2000 Plus User’s Guide
Figure 20 IP Alias
The following table describes the labels in this screen.
Table 19 IP Alias
LABELDESCRIPTION
IP Alias 1,2Select the check box to configure another LAN network for the ZyAIR.
IP AddressEnter the IP address of your ZyAIR in dotted decimal notation.
IP Subnet MaskYour ZyAIR will automatically calculate the subnet mask based on the IP address
that you assign. Unless you are implementing subnetting, use the subnet mask
computed by the ZyAIR.
RIP DirectionRIP (Routing Information Protocol, RFC1058 and RFC 1389) allows a router to
exchange routing information with other routers. The RIP Direction field controls
the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyAIR will broadcast
its routing table periodically. When set to Both or In Only, it will incorporate the
RIP information that it receives; when set to None, it will not send any RIP
packets and will ignore any RIP packets received.
RIP VersionThe RIP Version field controls the format and the broadcasting method of the
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to begin configuring this screen afresh.
RIP packets that the ZyAIR sends (it recognizes both formats when receiving).
RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is
probably adequate for most networks, unless you have an unusual network
topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the
difference being that RIP-2B uses subnet broadcasting while RIP-2M uses
multicasting. Multicasting can reduce the load on non-router machines since they
generally do not listen to the RIP multicast address and so will not receive the RIP
packets. However, if one router uses multicasting, then all routers on your
network must use multicasting, also. By default, RIP direction is set to Both and
the Version set to RIP-1.
77 Chapter 5 LAN Screens
Wireless Configuration and
This chapter discusses how to configure the Wireless and Roaming screens on the ZyAIR.
6.1 Wireless LAN Overview
This section introduces the wireless LAN(WLAN) and some basic scenarios.
6.1.1 IBSS
ZyAIR G-2000 Plus User’s Guide
CHAPTER 6
Roaming
An Independent Basic Service Set (IBSS), also called an Ad-hoc network, is the simplest
WLAN configuration. An IBSS is defined as two or more computers with wireless adapters
within range of each other that from an independent (wireless) network without the need of an
access point (AP).
Figure 21 IBSS (Ad-hoc) Wireless LAN
6.1.2 BSS
A Basic Service Set (BSS) exists when all communications between wireless stations or
between a wireless station and a wired network client go through one access point (AP).
Chapter 6 Wireless Configuration and Roaming78
ZyAIR G-2000 Plus User’s Guide
Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS is enabled,
wireless station A and B can access the wired network and communicate with each other.
When Intra-BSS is disabled, wireless station A and B can still access the wired network but
cannot communicate with each other.
Figure 22 Basic Service set
6.1.3 ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an
access point, with each access point connected together by a wired network. This wired
connection between APs is called a Distribution System (DS). An ESSID (ESS IDentification)
uniquely identifies each ESS. All access points and their associated wireless stations within
the same ESS must have the same ESSID in order to communicate.
79 Chapter 6 Wireless Configuration and Roaming
Figure 23 Extended Service Set
ZyAIR G-2000 Plus User’s Guide
6.2 Wireless LAN Basics
Refer also to the Wizard Setup chapter for more background information on Wireless LAN
features, such as channels.
6.2.1 RTS/CTS
A hidden node occurs when two stations are within range of the same access point, but are not
within range of each other. The following figure illustrates a hidden node. Both stations (STA)
are within range of the access point (AP) or wireless gateway, but out-of-range of each other,
so they cannot “hear” each other, that is they do not know if the channel is currently being
used. Therefore, they are considered hidden from each other.
Chapter 6 Wireless Configuration and Roaming80
ZyAIR G-2000 Plus User’s Guide
Figure 24 RTS/CTS
When station A sends data to the ZyAIR, it might not know that station B is already using the
channel. If these two stations send data at the same time, collisions may occur when both sets
of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the
biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send)
handshake is invoked.
When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station
that wants to transmit this frame must first send an RTS (Request To Send) message to the AP
for permission to send it. The AP then responds with a CTS (Clear to Send) message to all
other stations within its range to notify them to defer their transmission. It also reserves and
confirms with the requesting station the time frame for the requested transmission.
Stations can send frames smaller than the specified RTS/CTS directly to the AP without the
RTS (Request To Send)/CTS (Clear to Send) handshake.
You should only configure RTS/CTS if the possibility of hidden nodes exists on your network
and the “cost” of resending large frames is more than the extra network overhead involved in
the RTS (Request To Send)/CTS (Clear to Send) handshake.
If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the
RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will
be fragmented before they reach RTS/CTS size.
Note: Enabling the RTS Threshold causes redundant network
overhead that could negatively affect the throughput
performance instead of providing a remedy.
Note:
6.2.2 Fragmentation Threshold
A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432
bytes) that can be sent in the wireless network before the ZyAIR will fragment the packet into
smaller data frames.
81 Chapter 6 Wireless Configuration and Roaming
A large Fragmentation Threshold is recommended for networks not prone to interference
while you should set a smaller threshold for busy networks or networks that are prone to
interference.
If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously)
you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as
data frames will be fragmented before they reach RTS/CTS size.
6.3 Configuring Wireless
Note: If you are configuring the ZyAIR from a computer
connected to the wireless LAN and you change the ZyAIR’s
ESSID or WEP settings, you will lose your wireless connection
when you press Apply to confirm. You must then change the
wireless settings of your computer to match the ZyAIR’s new
settings.
Click the WIRELESS link under ADVANCED to open the Wireless screen.
ZyAIR G-2000 Plus User’s Guide
Chapter 6 Wireless Configuration and Roaming82
ZyAIR G-2000 Plus User’s Guide
Figure 25 Wireless
The following table describes the general wireless LAN labels in this screen.
Table 20 Wireless
LABELDESCRIPTION
Enable
Wireless LAN
ESSID(Extended Service Set IDentity) The ESSID identifies the Service Set with which a
Click the check box to activate wireless LAN.
wireless station is associated. Wireless stations associating to the access point (AP)
must have the same ESSID. Enter a descriptive name (up to 32 printable 7-bit ASCII
characters) for the wireless LAN.
Note: If you are configuring the ZyAIR from a computer connected to
the wireless LAN and you change the ZyAIR’s ESSID or WEP
settings, you will lose your wireless connection when you press Apply
to confirm. You must then change the wireless settings of your
computer to match the ZyAIR’s new settings.
Hide ESSIDSelect this check box to hide the ESSID in the outgoing beacon frame so a station
cannot obtain the ESSID through passive scanning using a site survey tool.
Choose
Channel ID
RTS/CTS
Threshold
Fragmentation
Threshold
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to reload the previous configuration for this screen.
Set the operating frequency/channel depending on your particular region.
Select a channel from the drop-down list box.
Refer to the Wizard Setup chapter for more information on channels.
Enter a value between 0 and 2432. The default is 2432.
Enter a value between 256 and 2432. The default is 2432. It is the maximum data
fragment size that can be sent.
83 Chapter 6 Wireless Configuration and Roaming
See the Wireless Security chapter for information on the other labels in this screen.
6.4 Configuring Roaming
A wireless station is a device with an IEEE 802.11mode compliant wireless adapter. An access
point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own
wireless coverage area. A wireless station can associate with a particular access point only if it
is within the access point’s coverage area.
In a network environment with multiple access points, wireless stations are able to switch from
one access point to another as they move between the coverage areas. This is roaming. As the
wireless station moves from place to place, it is responsible for choosing the most appropriate
access point depending on the signal strength, network utilization or other factors.
The roaming feature on the access points allows the access points to relay information about
the wireless stations to each other. When a wireless station moves from a coverage area to
another, it scans and uses the channel of a new access point, which then informs the access
points on the LAN about the change. The new information is then propagated to the other
access points on the LAN. An example is shown in
ZyAIR G-2000 Plus User’s Guide
see Figure 26.
If the roaming feature is not enabled on the access points, information is not communicated
between the access points when a wireless station moves between coverage areas. The
wireless station may not be able to communicate with other wireless stations on the network
and vice versa.
Figure 26 Roaming Example
The steps below describe the roaming process.
Chapter 6 Wireless Configuration and Roaming84
ZyAIR G-2000 Plus User’s Guide
1 As wireless station Y moves from the coverage area of access point P1 to that of access
point
2 P2, it scans and uses the signal of access point P2.
3 Access point P2 acknowledges the presence of wireless station Y and relays this
information to access point P1 through the wired LAN.
4 Access point P1 updates the new position of wireless station.
5 Wireless station Y sends a request to access point P2 for re-authentication.
6.4.1 Requirements for Roaming
The following requirements must be met in order for wireless stations to roam between the
coverage areas.
1 All the access points must be on the same subnet and configured with the same ESSID.
2 If IEEE 802.1x user authentication is enabled and to be done locally on the access point,
the new access point must have the user profile for the wireless station.
3 The adjacent access points should use different radio channels when their coverage areas
overlap.
4 All access points must use the same port number to relay roaming information.
5 The access points must be connected to the Ethernet and be able to get IP addresses from
a DHCP server if using dynamic IP address assignment.
To enable roaming on your ZyAIR, click the WIRELESS link under ADVANCED and then
the Roaming tab. The screen appears as shown.
85 Chapter 6 Wireless Configuration and Roaming
Figure 27 Roaming
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 21 Roaming
LABELDESCRIPTION
Active
Select Yes from the drop-down list box to enable roaming on the ZyAIR if you have
two or more ZyAIRs on the same subnet.
Note: All APs on the same subnet and the wireless stations must
have the same ESSID to allow roaming.
Port
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to reload the previous configuration for this screen.
Enter the port number to communicate roaming information between APs. The port
number must be the same on all APs. The default is 3517. Make sure this port is not
used by other services.
Chapter 6 Wireless Configuration and Roaming86
ZyAIR G-2000 Plus User’s Guide
87 Chapter 6 Wireless Configuration and Roaming
Wireless Security
This Chapter describes how to use the MAC Filter, 802.1x, Roaming and RADIUS to
configure wireless security on your ZyAIR.
7.1 Wireless Security Overview
Wireless security is vital to your network to protect wireless communication between wireless
stations, access points and the wired network.
The figure below shows the possible wireless security levels on your ZyAIR. EAP (Extensible
Authentication Protocol) is used for authentication and utilizes dynamic WEP key exchange. It
requires interaction with a RADIUS (Remote Authentication Dial-In User Service) server
either on the WAN or your LAN to provide authentication service for wireless stations.
ZyAIR G-2000 Plus User’s Guide
CHAPTER 7
Figure 28 ZyAIR Wireless Security Levels
If you do not enable any wireless security on your ZyAIR, your network is accessible to any
wireless networking device that is within range.
Select No Security to allow wireless stations to communicate with the access points without
any data encryption.
Chapter 7 Wireless Security88
ZyAIR G-2000 Plus User’s Guide
Figure 29 Wireless: No Security
The following table describes the labels in this screen.
Table 22 Wireless No Security
LABELDESCRIPTION
SecurityChoose from one of the security features listed in the drop-down box.
•No Security
•Static WEP
•WPA-PSK
•WPA
•802.1x + Dynamic WEP
•802.1x + Static WEP
•802.1x + No WEP
Enable
Breathing LED
PreambleSelect a preamble type from the drop-down list menu. Choices are Long, Short and
802.11 ModeSelect 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to reload the previous configuration for this screen.
Select this check box to enable the Breathing LED, also known as the ZyAIR LED.
The blue ZyAIR LED is on when the ZyAIR is on and blinks (or breaths) when data is
being transmitted to/from its wireless stations.
Clear the check box to turn this LED off even when the ZyAIR is on and data is being
transmitted/received.
Dynamic.
See the section on preamble for more information.
associate with the ZyAIR.
Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to
associate with the ZyAIR.
Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN devices
to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.
89 Chapter 7 Wireless Security
7.2 Security Parameters Summary
Refer to this table to see what other security parameters you should configure for each
Authentication Method/ key management protocol type. You enter manual keys by first
selecting 64-bit WEP or 128-bit WEP from the WEP Encryption field and then typing the
keys (in ASCII or hexadecimal format) in the key text boxes. MAC address filters are not
dependent on how you configure these security features.
Table 23 Wireless Security Relational Matrix
ZyAIR G-2000 Plus User’s Guide
AUTHENTICATION METHOD/
KEY MANAGEMENT
PROTOCOL
Open NoneNoDisable
OpenWEPNoEnable with Dynamic WEP Key
SharedWEP NoEnable with Dynamic WEP Key
WPA WEPNoEnable
WPA TKIPNoEnable
WPA-PSK WEPYesEnable
WPA-PSK TKIPYe sEnable
7.3 WEP Overview
ENCRYPTION
METHOD
ENTER
MANUAL KEY
YesEnable without Dynamic WEP
YesDisable
YesEnable without Dynamic WEP
YesDisable
IEEE 802.1X
Key
Key
WEP (Wired Equivalent Privacy) as specified in the IEEE 802.11 standard provides methods
for both data encryption and wireless station authentication.
7.3.1 Data Encryption
WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the
wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyAIR allows
you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be enabled at
any one time.
7.3.1.1 Authentication
Three different methods can be used to authenticate wireless stations to the network: Open
System, Shared Key, and Auto. The following figure illustrates the steps involved.
Chapter 7 Wireless Security90
ZyAIR G-2000 Plus User’s Guide
Figure 30 WEP Authentication Steps
Open system authentication involves an unencrypted two-message procedure. A wireless
station sends an open system authentication request to the AP, which will then automatically
accept and connect the wireless station to the network. In effect, open system is not
authentication at all as any station can gain access to the network.
Shared key authentication involves a four-message procedure. A wireless station sends a
shared key authentication request to the AP, which will then reply with a challenge text
message. The wireless station must then use the AP’s default WEP key to encrypt the
challenge text and return it to the AP, which attempts to decrypt the message using the AP’s
default WEP key. If the decrypted message matches the challenge text, the wireless station is
authenticated.
When your ZyAIR's authentication method is set to open system, it will only accept open
system authentication requests. The same is true for shared key authentication. However,
when it is set to auto authentication, the ZyAIR will accept either type of authentication
request and the ZyAIR will fall back to use open authentication if the shared key does not
match.
7.4 Configuring WEP Encryption
In order to configure and enable WEP encryption; click the WIRELESS link under
ADVANCED to display the Wireless screen. Select Static WEP from the Security list.
91 Chapter 7 Wireless Security
Figure 31 Wireless: Static WEP Encryption
ZyAIR G-2000 Plus User’s Guide
The following table describes the wireless LAN security labels in this screen.
Table 24 Wireless: Static WEP Encryption
LABELDESCRIPTION
PassphraseEnter a Passphrase (up to 32 printable characters) and click Generate. The ZyAIR
WEP
Encryption
Authentication
Method
ASCII
Hex
automatically generates a WEP key.
Select 64-bit WEP or 128-bit WEP to enable data encryption.
This field is activated when you select 64-bit WEP or 128-bit WEP in the WEP Encryption field.
Select Auto, Open System or Shared Key from the drop-down list box.
Select this option in order to enter ASCII characters as the WEP keys.
Select this option in order to enter hexadecimal characters as the WEP keys.
The preceding "0x", that identifies a hexadecimal key, is entered automatically.
Chapter 7 Wireless Security92
ZyAIR G-2000 Plus User’s Guide
Table 24 Wireless: Static WEP Encryption
LABELDESCRIPTION
Key 1 to Key 4The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations
must use the same WEP key for data transmission.
If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal
characters ("0-9", "A-F").
If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal
characters ("0-9", "A-F").
You must configure all four keys, but only one key can be activated at any one time.
The default key is key 1.
Enable
Breathing LED
PreambleSelect a preamble type from the drop-down list menu. Choices are Long, Short and
802.11 ModeSelect 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to reload the previous configuration for this screen.
Select this check box to enable the Breathing LED, also known as the ZyAIR LED.
The blue ZyAIR LED is on when the ZyAIR is on and blinks (or breaths) when data is
being transmitted to/from its wireless stations.
Clear the check box to turn this LED off even when the ZyAIR is on and data is being
transmitted/received.
Dynamic.
See the section on preamble for more information.
associate with the ZyAIR.
Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to
associate with the ZyAIR.
Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN devices
to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.
7.5 Introduction to WPA
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft.
Key differences between WPA and WEP are user authentication and improved data
encryption.
7.5.1 User Authentication
WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate
wireless clients using
page 114 for for more information on authentication of Trusted User’s. See later in this
chapter and the appendices for more information on IEEE 802.1x, RADIUS, EAP and PEAP.
If you don’t have an external RADIUS server you should use WPA-PSK (WPA -Pre-Shared
Key) that only requires a single (identical) password entered into each access point, wireless
gateway and wireless client. As long as the passwords match, a client will be granted access to
a WLAN.
an external RADIUS database. See “Internal RADIUS Server” on
93 Chapter 7 Wireless Security
7.5.2 Encryption
WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message
Integrity Check (MIC) and IEEE 802.1x.
Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and
distributed by the authentication server. It includes a per-packet key mixing function, a
Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with
sequencing rules, and a re-keying mechanism.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is
never used twice.
AP that then sets up a key hierarchy and management system, using the pair-wise key to
dynamically generate unique data encryption keys to encrypt every data packet that is
wirelessly communicated between the AP and the wireless clients. This all happens in the
background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data
packets, altering them and resending them. The MIC provides a strong mathematical function
in which the receiver and the transmitter each compute and then compare the MIC. If they do
not match, it is assumed that the data has been tampered with and the packet is dropped.
ZyAIR G-2000 Plus User’s Guide
The RADIUS server distributes a Pairwise Master Key (PMK) key to the
By generating unique data encryption keys for every data packet and by creating an integrity
checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi
network than WEP, making it difficult for an intruder to break into the network.
The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference
between the two is that WPA-PSK uses a simple common password, instead of user-specific
credentials. The common-password approach makes WPA-PSK susceptible to brute-force
password-guessing attacks but it’s still an improvement over WEP as it employs an easier-touse, consistent, single, alphanumeric password.
7.5.3 WPA-PSK Application Example
A WPA-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key
(PSK) must consist of between 8 and 63 ASCII characters (including spaces and
symbols).
2 The AP checks each client’s password and (only) allows it to join the network if it
matches its password.
3 The AP derives and distributes keys to the wireless clients.
4 The AP and wireless clients use the TKIP encryption process to encrypt data exchanged
between them.
Chapter 7 Wireless Security94
ZyAIR G-2000 Plus User’s Guide
Figure 32 WPA - PSK Authentication
7.6 Configuring WPA-PSK Authentication
In order to configure and enable WPA-PSK Authentication; click the WIRELESS link under
ADVANCED to display the Wireless screen. Select WPA-PSK from the Security list.
95 Chapter 7 Wireless Security
Figure 33 Wireless: WPA-PSK
ZyAIR G-2000 Plus User’s Guide
The following table describes the labels in this screen.
Table 25 Wireless: WPA-PSK
LABELDESCRIPTION
Pre-Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same. The only
ReAuthentication
Timer (in seconds)
difference between the two is that WPA-PSK uses a simple common password,
instead of user-specific credentials.
Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including
spaces and symbols).
Specify how often wireless stations have to reenter usernames and passwords in
order to stay connected. Enter a time interval between 10 and 9999 seconds. The
default time interval is 1800 seconds (30 minutes).
Note: If wireless station authentication is done using a RADIUS
server, the reauthentication timer on the RADIUS server has
priority.
Idle TimeoutThe ZyAIR automatically disconnects a wireless station from the wired network
after a period of inactivity. The wireless station needs to enter the username and
password again before access to the wired network is allowed. The default time
interval is 3600 seconds (or 1 hour).
WPA Group Key
Update Timer
The WPA Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends
a new group key out to all clients. The re-keying process is the WPA equivalent of
automatically changing the WEP key for an AP and all stations in a WLAN on a
periodic basis. Setting of the WPA Group Key Update Timer is also supported in WPA-PSK mode. The ZyAIR default is 1800 seconds (30 minutes).
Chapter 7 Wireless Security96
ZyAIR G-2000 Plus User’s Guide
Table 25 Wireless: WPA-PSK
LABELDESCRIPTION
Enable Breathing
LED
PreambleSelect a preamble type from the drop-down list menu. Choices are Long, Short
802.11 ModeSelect 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to
ApplyClick Apply to save your changes back to the ZyAIR.
ResetClick Reset to reload the previous configuration for this screen.
Select this check box to enable the Breathing LED, also known as the ZyAIR LED.
The blue ZyAIR LED is on when the ZyAIR is on and blinks (or breaths) when data
is being transmitted to/from its wireless stations.
Clear the check box to turn this LED off even when the ZyAIR is on and data is
being transmitted/received.
and Dynamic.
See the section on preamble for more information.
associate with the ZyAIR.
Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to
associate with the ZyAIR.
Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN
devices to associate with the ZyAIR. The transmission rate of your ZyAIR might be
reduced.
7.7 Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the
wireless client how to use WPA. At the time of writing, the most widely available supplicant is
the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data
Communications' AEGIS client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's builtin "Zero Configuration" wireless client. However, you must run Windows XP to use it.
The Funk Software's Odyssey client is bundled free (at the time of writing) with the client
wireless adaptor(s).
7.7.1 WPA with RADIUS Application Example
You need the IP address of the RADIUS server, its port number (default is 1812), and the
RADIUS shared secret. A WPA application example with an external RADIUS server looks
as follows. “A” is the RADIUS server. “DS” is the distribution system.
1 The AP passes the wireless client’s authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants
or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then
sets up a key hierarchy and management system, using the pair-wise key to dynamically
generate unique data encryption keys to encrypt every data packet that is wirelessly
communicated between the AP and the wireless clients.
97 Chapter 7 Wireless Security
Figure 34 WPA with RADIUS Application Example
ZyAIR G-2000 Plus User’s Guide
7.8 Configuring WPA Authentication
In order to configure and enable WPA Authentication; click the WIRELESS link under
ADVANCED to display the Wireless screen. Select WPA from the Security list.
Chapter 7 Wireless Security98
ZyAIR G-2000 Plus User’s Guide
Figure 35 Wireless: WPA
The following table describes the labels in this screen.
Table 26 Wireless: WPA
LABELDESCRIPTION
ReAuthentication
Timer (in seconds)
Specify how often wireless stations have to reenter usernames and passwords in
order to stay connected. Enter a time interval between 10 and 9999 seconds. The
default time interval is 1800 seconds (30 minutes).
Note: If wireless station authentication is done using a RADIUS
server, the reauthentication timer on the RADIUS server has
priority.
Idle TimeoutThe ZyAIR automatically disconnects a wireless station from the wired network
after a period of inactivity. The wireless station needs to enter the username and
password again before access to the wired network is allowed. The default time
interval is 3600 seconds (or 1 hour).
99 Chapter 7 Wireless Security
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.