ZyXEL Communications P-660HW-TX User Manual

P-660HW-Tx v2 Series

802.11g Wireless ADSL2+ 4-port Gateway

Support Notes

Version3.40

Mar. 2006

P-660HW-Tx v2 Series Support Notes

FAQ.................................................................................................................6

ZyNOS FAQ.................................................................................................6

1. What is ZyNOS?...................................................................................6

2. What’s Multilingual Embedded Web Configurator?...............................6

3. How do I access the P-660HW-Tx v2 Command Line Interface (CLI)? 6

4. How do I update the firmware and configuration file?...........................6

5. How do I upgrade/backup the ZyNOS firmware by using TFTP client program via LAN?

.....................................................................................6

6. How do I restore P-660HW-Tx v2 configurations by using TFTP client program via LAN?

.....................................................................................7

7. What should I do if I forget the system password? ...............................7

8. How to use the Reset button?...............................................................7

9. What is SUA? When should I use SUA? ..............................................8

10. What is the difference between SUA and Full Feature NAT?.............8

11. Is it possible to access a server running behind SUA from the outside Internet? If possible, how?

........................................................................9

12. When do I need select Full Feature NAT?..........................................9

13. What IP/Port mapping does Multi-NAT support?................................9

14. How many network users can the SUA/NAT support? .....................10

15. What are Device filters and Protocol filters?.....................................10

16. How can I protect against IP spoofing attacks?................................11

Product FAQ.............................................................................................12

1. How can I manage P-660HW-Tx v2? .................................................12

2. What is the default password for Web Configurator?..........................12

3. What’s the difference between ‘Common User Account’ and ‘Administrator Account’?

.........................................................................12

4. How do I know the P-660HW-Tx v2's WAN IP address assigned by the

........................................................................................................12

ISP?

5. What is the micro filter or splitter used for?.........................................13

6. The P-660HW-Tx v2 supports Bridge and Router mode, what's the

difference between them?

......................................................................13

7. How do I know I am using PPPoE?....................................................13

8. Why does my provider use PPPoE?...................................................13

9. What is DDNS?...................................................................................13

10. When do I need DDNS service?.......................................................14

11. What is DDNS wildcard? Does the P-660HW-Tx v2 support DDNS

wildcard?

................................................................................................14

12. Can the P-660HW-Tx v2's SUA handle IPSec packets sent by the

IPSec gateway?

......................................................................................14

13. How do I setup my P-660HW-Tx v2 for routing IPSec packets over

SUA?

......................................................................................................15

14. What is Traffic Shaping? ...................................................................15

15. Why do we perform traffic shaping in the P-660HW-Tx v2? .............15

16. What do the parameters (PCR, SCR, MBS) mean?.........................16

P-660HW-Tx v2 Series Support Notes

17. What do the ATM QoS Types (CBR, UBR, VBR-nRT, VBR-RT) mean?

................................................................................................................16

18. What is content filter?.......................................................................17

ADSL FAQ.................................................................................................18

1. How does ADSL compare to Cable modems?....................................18

2. What is the expected throughput?......................................................18

3. What is the microfilter used for? .........................................................18

4. How do I know the ADSL line is up?...................................................18

5. How does the P-660HW-Tx v2 work on a noisy ADSL?.....................18

6. Does the VC-based multiplexing perform better than the LLC-based

multiplexing?

...........................................................................................19

7. How do I know the details of my ADSL line statistics?........................19

8. What are the signaling pins of the ADSL connector?..........................19

9. What is triple play? .............................................................................19

Firewall FAQ .............................................................................................21

General...................................................................................................21

1. What is a network firewall?...................................................21

2. What makes P-660HW-Tx v2 secure? .................................21

3. What are the basic types of firewalls?..................................21

4. What kind of firewall is the P-660HW-Tx v2? .......................22

5. Why do you need a firewall when your router has packet filtering and NAT built-in?

.........................................................22

6. What is Denials of Service (DoS) attack?.............................22

7. What is Ping of Death attack?..............................................23

8. What is Teardrop attack? .....................................................23

9. What is SYN Flood attack?...................................................23

10. What is LAND attack? ........................................................23

11 What is Brute-force attack? .................................................24

12. What is IP Spoofing attack? ...............................................24

13. What are the default ACL firewall rules in P-660HW-Tx v2?

.................................................................................................24

Configuration ..........................................................................................24

1. How do I configure the firewall? ...........................................24

2. How do I prevent others from configuring my firewall?.........24

3. Why can't I configure my P-660HW-Tx v2 using Web

Configurator/Telnet over WAN?

...............................................25

4. Why can't I upload the firmware and configuration file using

FTP over WAN?

.......................................................................26

Log and Alert ..........................................................................................27

1. When does the P-660HW-Tx v2 generate the firewall log?..27

2. What does the log show to us? ............................................27

3. How do I view the firewall log? .............................................27

4. When does the P-660HW-Tx v2 generate the firewall alert?28

5. What is the difference between the log and alert?................28

P-660HW-Tx v2 Series Support Notes

Wireless FAQ............................................................................................29

General FAQ...........................................................................................29

1. What is a Wireless LAN?......................................................29

2. What are the advantages of Wireless LAN?.........................29

3. What is the disadvantage of Wireless LAN?.........................29

4. Where can you find 802.11 wireless networks? ...................30

5. What is an Access Point?.....................................................30

6. What is IEEE 802.11? ..........................................................30

7. What is 802.11b?..................................................................30

8. How fast is 802.11b?............................................................30

9. What is 802.11a?..................................................................30

10. What is 802.11g?................................................................31

11. Is it possible to use products from a variety of vendors?....31

12. What is Wi-Fi?....................................................................31

13. What types of devices use the 2.4GHz Band? ...................31

14. Does the 802.11 interfere with Bluetooth device? ..............31

15. Can radio signals pass through wall? ................................31

16. What are potential factors that may causes interference

among WLAN products?

..........................................................32

17. What's the difference between a WLAN and a WWAN?.....32

18. Can I manually swap the wireless module without damage

any hardware?

..........................................................................32

19. Does P-660HW-Tx v2 support WEP?.................................32

20. What wireless standard does P-660HW-Tx v2 support?....32

21. Does P-660HW-Tx v2 support MAC filtering? ....................32

22. Does P-660HW-Tx v2 support auto rate adaption?............33

Advanced FAQ .......................................................................................33

1. What is Ad Hoc mode?.........................................................33

2. What is Infrastructure mode? ...............................................33

3. How many Access Points are required in a given area?. .....33

4. What is Direct-Sequence Spread Spectrum Technology –

(DSSS)?

...................................................................................33

5. What is Frequency-hopping Spread Spectrum Technology –

(FHSS)?

...................................................................................33

6. Do I need the same kind of antenna on both sides of a link?

.................................................................................................33

7. Why the 2.4 Ghz Frequency range?.....................................34

8. What is Server Set ID (SSID)? ............................................34

9. What is an ESSID? ..............................................................34

Security FAQ ..........................................................................................34

1. How do I secure the data across the P-660HW-Tx v2 Access

Point's radio link?

.....................................................................34

2. What is WEP? ......................................................................34

3. What is WPA? ......................................................................35

P-660HW-Tx v2 Series Support Notes

4. What is the difference between 40-bit and 64-bit WEP?. .....35

5. What is a WEP key?.............................................................35

6. Will 128-bit WEP communicate with 64-bit WEP?................35

7. Can the SSID be encrypted?................................................36

8. By turning off the broadcast of SSID, can someone still sniff

the SSID?

.................................................................................36

9. What are Insertion Attacks?. ................................................36

10. What is Wireless Sniffer?. ..................................................36

11. What is OTIST? How do I use it? .......................................36

Application Notes.....................................................................................37

General Application Notes...................................................................37

1. Internet Access Using P-660HW-Tx v2 under Bridge mode.37

2. Internet Access Using P-660HW-Tx v2 under Routing mode

.................................................................................................39

3. Setup the P-660HW-Tx v2 as a DHCP Relay.......................41

4. SUA Notes............................................................................42

5. Using Full Feature NAT........................................................51

6. Using the Dynamic DNS (DDNS) .........................................63

7. Network Management Using SNMP.....................................65

8. Using syslog.........................................................................68

9. Using IP Alias.......................................................................68

10. Using IP Policy Routing......................................................70

11. Using Call Scheduling ........................................................74

12. Using IP Multicast...............................................................76

13. Using Bandwidth Management...........................................77

14. Using Zero-Configuration ...................................................80

15. How could I configure triple play on P-660HW-Tx v2? .......83

16. How to configure packet filter on P-660HW-Tx v2?............83

Wireless Application Notes..................................................................87

1. Configure a Wireless Client to Ad hoc mode........................87

2. Configuring Infrastructure mode...........................................91

3. MAC Filter ............................................................................95

4. Setup WEP (Wired Equivalent Privacy)................................97

5. Site Survey.........................................................................102

6. Configure 802.1x and WPA................................................105

Support Tool...........................................................................................110

1. LAN/WAN Packet Trace ...................................................................110

　 Online Trace.................................................................110

　 Offline Trace.................................................................112

　 Capture the detailed logs by Hyper Terminal................113

2. Firmware/Configurations Uploading and Downloading using TFTP..115

　 Using TFTP client software...........................................115

　 Using TFTP command on Windows NT........................117

　 Using TFTP command on UNIX ...................................117

P-660HW-Tx v2 Series Support Notes

3. Using FTP to Upload the Firmware and Configuration Files.............118

CI Command Reference.........................................................................121

P-660HW-Tx v2 Series Support Notes

FAQ

ZyNOS FAQ

1. What is ZyNOS?

ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all Prestige routers that delivers network services and applications. It is designed in a modular fashion so it is easy for developers to add new features. New ZyNOS software upgrades can be easily downloaded from our FTP sites as they become available.

2. What’s Multilingual Embedded Web Configurator? Multilinggual Embedded Web Configurator means that it can display with 3

kinds of languanges: English, French, and German. By factory default it displays with English, and you can change it in Web Configurator.

3. How do I access the P-660HW-Tx v2 Command Line Interface (CLI)?

The Command Line Interface is for the Administrator use only, and it could be accessed via telnet session.

Note: It is protected by super password, ‘1234’ by factory default.

4. How do I update the firmware and configuration file

You can do this if you access the P-660HW-Tx v2 as Administrator. You can upload the firmware and configuration file to Prestige from Web Condigurator, or using FTP or TFTP client software. You CAN NOT upload the firmware and configuration file via Telnet because the Telnet connection will be dropped during uploading the firmware. Please do not power off the router right after the FTP or TFTP uploading is finished, the router will upload the firmware to its flash at this moment.

Note: There may be firmware that could not be upgraded from Web Configurator. In this case, ZyXEL will prepare special Upload Software for you. Please read the firmware release note carefully when you want to upload a new fireware.

5. How do I upgrade/backup the ZyNOS firmware by using TFTP client program via LAN?

The P-660HW-Tx v2 allows you to transfer the firmware to P-660HW-Tx v2 using TFTP program via LAN. The procedure for uploading ZyNOS via TFTP is as follows.

P-660HW-Tx v2 Series Support Notes

a. Use the TELNET client program in your PC to login to your

P-660HW-Tx v2. b. Enter CI command 'sys stdio 0' to disable Stdio idle timeout c. To upgrade firmware, use TFTP client program to put firmware in file

'ras' in the Prestige. After data transfer is finished, the P-660HW-Tx v2

will program the upgraded firmware into FLASH ROM and reboot itself. d. To backup your firmware, use the TFTP client program to get file 'ras'

from the Prestige.

6. How do I restore P-660HW-Tx v2 configurations by using TFTP client program via LAN?

a. Use the TELNET client program in your PC to login to your

P-660HW-Tx v2. b. Enter CI command 'sys stdio 0' disable Stdio idle timeout c. To backup the P-660HW-Tx v2 configurations, use TFTP client program

to get file 'rom-0' from the P-660HW-Tx v2. d. To restore the P-660HW-Tx v2 configurations, use the TFTP client

program to put your configuration in file rom-0 in the P-660HW-Tx v2.

7. What should I do if I forget the system password?

In case you forget the system password, you can erase the current configuration and restore factory defaults this way:

Use the RESET button on the rear panel of P-660HW-Tx v2 to reset the router. After the router is reset, the LAN IP address will be reset to '192.168.1.1', the common user password will be reset to 'user', the Administrator password will be reset to ‘1234’.

8. How to use the Reset button?

a. Turn your P-660HW-Tx v2 on. Make sure the POWER led is on (not

blinking) b. Press the RESET button for longer than one second and shorter than

five seconds and release it. If the POWER LED begins to blink, the

P-660HW-Tx v2’s wireless auto security function-OTIST has been

enabled. c. Press the RESET button for six seconds and release it. If the POWER

LED begins to blink, the default configuration has been restored and the

P-660HW-Tx v2 restarts.

P-660HW-Tx v2 Series Support Notes

9. What is SUA? When should I use SUA?

SUA (Single User Account) is a unique feature supported by Prestige router which allows multiple people to access Internet concurrently for the cost of a single user account.

When Prestige acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it is originated from Prestige using the IP address assigned by ISP. When reply packets from the external Internet are received by Prestige, the original IP source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it is now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it.

10. What is the difference between SUA and Full Feature NAT?

When you edit a remote node in Web Configurator, Advanced Setup, Network

-> Remote Node -> Edit, there will be three options for you:

• None

• SUA Only

• Full Feature

SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules: Many-to-One and Server. With SUA, 'visible' servers had to be mapped to different ports, since the servers share only one global IP.

The P-660HW-Tx v2 now has Full Feature NAT which supports five types of IP/Port mapping: One to One, Many to One, Many to Many Overload, Many to Many No Overload and Server. You can make special application when you select Full Feature NAT. For example: With multiple global IP addresses, multiple severs using the same port (e.g., FTP servers using port 21/20) are allowed on the LAN for outside access.

The P-660HW-Tx v2 supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The P-660HW-Tx v2 supports 8 sets since there are 8 remote nodes.

By fatory default, the NAT is select as SUA in Web Configurator, Advanced Setup, Network -> NAT -> General -> NAT Setup.

P-660HW-Tx v2 Series Support Notes

11. Is it possible to access a server running behind SUA from the outside Internet? If possible, how?

Yes, it is possible because P-660HW-Tx v2 delivers the packet to the local server by looking up to a SUA server table. Therefore, to make a local server accessible to the outside users, the port number and the inside IP address of the server must be configured. (You can configure it in Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding).

12. When do I need select Full Feature NAT

• Make multiple local servers on the LAN accessible from outside with

multiple global IP addresses

With SUA, 'visible' servers had to be mapped to different ports, since the servers share only one global IP. But when you select Full Feature, you can make multiple local servers (mapping the same port or not) on the LAN accessible from outside with multiple global IP addresses.

• Support Non-NAT Friendly Applications

Some servers providing Internet applications such as some MIRC servers do not allow users to login using the same IP address. Thus, users on the same network can not login to the same server simultaneously. In this case it is better to use Many-to-Many No Overload or One-to-One NAT mapping types, thus each user login to the server using a unique global IP address.

13. What IP/Port mapping does Multi-NAT support

Multi-NAT supports five types of IP/port mapping: One to One, Many to One, Many to Many Overload, Many to Many No Overload and Server. The details of the mapping between ILA and IGA are described as below. Here we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA),

• One to One: In One-to-One mode, the P-660HW-Tx v2 maps one ILA

to one IGA.

• Many to One: In Many-to-One mode, the P-660HW-Tx v2 maps

multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port

address translation), ZyXEL's Single User Account feature that previous

ZyNOS routers supported (the SUA is optional in today's Prestige

routers).

• Many to Many Overload: In Many-to-Many Overload mode, the

P-660HW-Tx v2 maps the multiple ILA to shared IGA.

P-660HW-Tx v2 Series Support Notes

• Many One-to-One: In Many One-to-One mode, the P-660HW-Tx v2

maps each ILA to unique IGA.

• Server: In Server mode, the P-660HW-Tx v2 maps multiple inside

servers to one global IP address. This allows us to specify multiple

servers of different types behind the NAT for outside access. Note, if

you want to map each server to one unique IGA please use the

One-to-One mode.

The following table summarizes the five types.

NAT Type IP Mapping One-to-One ILA1<--->IGA1

Many-to-One (SUA/PAT)

ILA1<--->IGA1 ILA2<--->IGA1 ...

ILA1<--->IGA1

Many-to-Many Overload

ILA2<--->IGA2 ILA3<--->IGA1 ILA4<--->IGA2 ...

ILA1<--->IGA1

Many

ILA2<--->IGA2 ILA3<--->IGA3

One-to-One

ILA4<--->IGA4 ...

Server

Server 1 IP<--->IGA1 Server 2 IP<--->IGA1

14. How many network users can the SUA/NAT support?

The Prestige does not limit the number of the users but the number of the NAT sessions. The P-660HW-Tx v2 supports 1024 sessions that you can use the

'ip nat session' command in CLI to see. You can also use ‘ip nat hashTable wanif0’ to view the current active NAT sessions.

15. What are Device filters and Protocol filters?

In ZyNOS, the filters have been separated into two groups. One group is called 'device filter group', and the other is called 'protocol filter group'. Generic filters belong to the 'device filter group', TCP/IP and IPX filters belong to the 'protocol filter group'. You can configure the filter rule in CLI.

Note: In ZyNOS, you can not mix different filter groups in the same filter set.

P-660HW-Tx v2 Series Support Notes

16. How can I protect against IP spoofing attacks?

The P-660HW-Tx v2's filter sets provide a means to protect against IP spoofing attacks. The basic scheme is as follows:

For the input data filter:

• Deny packets from the outside that claim to be from the inside

• Allow everything that is not spoofing us

Filter rule setup:

• Filter type =TCP/IP Filter Rule

• Active =Yes

• Source IP Addr =a.b.c.d

• Source IP Mask =w.x.y.z

• Action Matched =Drop

• Action Not Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask:

For the output data filters:

• Deny bounce back packet

• Allow packets that originate from us

Filter rule setup:

• Filter Type =TCP/IP Filter Rule

• Active =Yes

• Destination IP Addr =a.b.c.d

• Destination IP Mask =w.x.y.z

• Action Matched =Drop

• Action No Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.

P-660HW-Tx v2 Series Support Notes

Product FAQ

1. How can I manage P-660HW-Tx v2?

 Multilingual Embedded Web GUI for Local and Remote management  CLI (Command-line interface)  Telnet support (Administrator Password Protected ) for remote

configuration change and status monitoring

 FTP/ TFTP sever, firmware upgrade and configuration backup and

restore are supported(Administrator Password Protected)

2. What is the default password for Web Configurator?

There are two different accounts for P-660HW-Tx v2 Web Configurator: Common User Account and Administrator Account.

By factory default the password for the two accounts are:

• Common User Account: user

• Administrator Account: 1234.

You can change the password after you logging in the Web Configurator.

Please record your new password whenever you change it. The system will lock you out if you have forgotten your password.

3. What’s the difference between ‘Common User Account’ and ‘Administrator Account’?

For Common User Account, it can only access the status monitor of P-660HW-Tx v2 and check the current system status.

For Administrator Account, besides accessing the status monitor of P-660HW-Tx v2, it can also access Winzard setup / Advanced setup of P-660HW-Tx v2.

Moreover, only with Administrator Password, you could manage the P-660HW-Tx v2 via FTP/TFTP or Telnet.

4. How do I know the P-660HW-Tx v2's WAN IP address assigned by the ISP?

You can view "My WAN IP <from ISP> : x.x.x.x" shown in Web Configurator ‘Status->Device Information ->WAN Information’ to check this IP address.

P-660HW-Tx v2 Series Support Notes

5. What is the micro filter or splitter used for?

Generally, the voice band uses the lower frequency ranging from 0 to 4KHz, while ADSL data transmission uses the higher frequency. The micro filter acts as a low-pass filter for your telephone set to ensure that ADSL transmissions do not interfere with your voice transmissions. For the details about how to connect the micro filter please refer to the user's manual.

6. The P-660HW-Tx v2 supports Bridge and Router mode, what's the difference between them?

When the ISP limits some specific computers to access Internet, that means only the traffic to/from these computers will be forwarded and the other will be filtered. In this case, we use bridge mode which works as an ADSL modem to connect to the ISP. The ISP will generally give one Internet account and limit only one computer to access the Internet.

For most Internet users having multiple computers want to share an Internet account for Internet access, they have to add another Internet sharing device, like a router. In this case, we use the router mode which works as a general Router plus an ADSL Modem.

7. How do I know I am using PPPoE? PPPoE requires a user account to login to the provider's server. If you need to

configure a user name and password on your computer to connect to the ISP you are probably using PPPoE. If you are simply connected to the Internet when you turn on your computer, you probably are not. You can also check your ISP or the information sheet given by the ISP. Please choose PPPoE as the encapsulation type in the P-660HW-Tx v2 if the ISP uses PPPoE.

8. Why does my provider use PPPoE?

PPPoE emulates a familiar Dial-Up connection. It allows your ISP to provide services using their existing network configuration over the broadband connections. Besides, PPPoE supports a broad range of existing applications and service including authentication, accounting, secure access and configuration management.

9. What is DDNS? The Dynamic DNS service allows you to alias a dynamic IP address to a static

hostname, allowing your computer to be more easily accessed from various

P-660HW-Tx v2 Series Support Notes

locations on the Internet. To use the service, you must first apply an account from several free Web servers such as http://www.dyndns.org/.

Without DDNS, we always tell the users to use the WAN IP of the P-660HW-Tx v2 to reach our internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the P-660HW-Tx v2, you apply a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. The outside users can always access the web server using the www.zyxel.com.tw regardless of the WAN IP of the P-660HW-Tx v2.

When the ISP assigns the P-660HW-Tx v2 a new IP, the P-660HW-Tx v2 updates this IP to DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable.

10. When do I need DDNS service? When you want your internal server to be accessed by using DNS name rather

than using the dynamic IP address we can use the DDNS service. The DDNS server allows to alias a dynamic IP address to a static hostname. Whenever the ISP assigns you a new IP, the P-660HW-Tx v2 sends this IP to the DDNS server for its updates.

11. What is DDNS wildcard? Does the P-660HW-Tx v2 support DDNS wildcard?

Some DDNS servers support the wildcard feature which allows the hostname, *.yourhost.dyndns.org, to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful when there are multiple servers inside and you want users to be able to use things such as www.yourhost.dyndns.org and still reach your hostname.

Yes, the P-660HW-Tx v2 supports DDNS wildcard that http://www.dyndns.org/ supports. When using wildcard, you simply enter yourhost.dyndns.org in the Host field in Menu 1.1 Configure Dynamic DNS.

12. Can the P-660HW-Tx v2's SUA handle IPSec packets sent by the IPSec gateway?

Yes, the P-660HW-Tx v2's SUA can handle IPSec ESP Tunneling mode. We know when packets go through SUA, SUA will change the source IP address and source port for the host. To pass IPSec packets, SUA must understand the ESP packet with protocol number 50, replace the source IP address of the IPSec gateway to the router's WAN IP address. However, SUA should not change the source port of the UDP packets which are used for key

P-660HW-Tx v2 Series Support Notes

managements. Because the remote gateway checks this source port during connections, the port thus is not allowed to be changed.

13. How do I setup my P-660HW-Tx v2 for routing IPSec packets over SUA?

For outgoing IPSec tunnels, no extra setting is required.

For forwarding the inbound IPSec ESP tunnel, A 'Default' server set is required. You could configure it in Web Configurator, Advanced Setup, Network -> NAT

-> Port Forwarding -> Default Server Setup:

It is because SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. So, to make an internal server for outside access, we must specify the service port and the LAN IP of this server in Web configurator. Thus SUA is able to forward the incoming packets to the requested service behind SUA and the outside users access the server using the P-660HW-Tx v2's WAN IP address. So, we have to configure the internal IPsec client as a default server (unspecified service port) when it acts a server gateway.

14. What is Traffic Shaping?

Traffic Shaping allocates the bandwidth to WAN dynamically and aims at boosting the efficiency of the bandwidth. If there are serveral VCs in the P-660HW-Tx v2 but only one VC activated at one time, the P-660HW-Tx v2 allocates all the Bandwidth to the VC and the VC gets full bandwidth. If another VCs are activated later, the bandwidth is yield to other VCs after ward.

15. Why do we perform traffic shaping in the P-660HW-Tx v2? The P-660HW-Tx v2 must manage traffic fairly and provide bandwidth

allocation for different sorts of applications, such as voice, video, and data. All applications have their own natural bit rate. Large data transactions have a

P-660HW-Tx v2 Series Support Notes

fluctuating natural bit rate. The P-660HW-Tx v2 is able to support variable traffic among different virtual connections. Certain traffic may be discarded if the virtual connection experiences congestion. Traffic shaping defines a set of actions taken by the P-660HW-Tx v2 to avoid congestion; traffic shaping takes measures to adapt to unpredictable fluctuations in traffic flows and other problems among virtual connections.

16. What do the parameters (PCR, SCR, MBS) mean?

Traffic shaping parameters (PCR, SCR, MBS) can be set in Web Configurator, Advanced Setup, Network -> Remote Node -> Edit -> ATM Setup:

Peak Cell Rate(PCR): The maximum bandwidth allocated to this connection. The VC connection throughput is limited by PCR. Sustainable Cell Rate(SCR): The least guaranteed bandwidth of a VC. When there are multi-VCs on the same line, the VC throughput is guaranteed by SCR. Maximum Burst Size(MBS): The amount of cells transmitted through this VC at the Peak Cell Rate before yielding to other VCs. Total bandwidth of the line is dedicated to single VC if there is only one VC on the line. However, as the other VC asking the bandwidth, the MBS defines the maximum number of cells transmitted via this VC with Peak Cell rate before yielding to other VCs.

The P-660HW-Tx v2 holds the parameters for shaping the traffic among its virtual channels. If you do not need traffic shaping, please set SCR = 0, MBS = 0 and PCR as the maximum value according to the line rate (for example, 2.3 Mbps line rate will result PCR as 5424 cell/sec.)

17. What do the ATM QoS Types (CBR, UBR, VBR-nRT, VBR-RT) mean? Constant bit rate(CBR): An ATM bandwidth-allocation service that requires

the user to determine a fixed bandwidth requirement at the time the connection is set up so that the data can be sent in a steady stream. CBR service is often used when transmitting fixed-rate uncompressed video.

Unspecified bit rate(UBR): An ATM bandwidth-allocation service that does not guarantee any throughput levels and uses only available bandwidth. UBR is often used when transmitting data that can tolerate delays, such as e-mail.

Variable bit rate(VBR): An ATM bandwidth-allocation service that allows users to specify a throughput capacity (i.e., a peak rate) and a sustained rate but data is not sent evenly. You can select VBR for bursty traffic and bandwidth sharing with other applications. It contains two subclasses:

Variable bit rate nonreal time (VBR-nRT) and Variable bit rate real time (VBR-RT).

P-660HW-Tx v2 Series Support Notes

18. What is content filter?

Internet Content filter allows you to create and enforce Internet access policies tailored to your needs. Content filter gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the P-660HW-Tx v2 performs content filtering. You can also specify trusted IP Addresses on LAN for which the P-660HW-Tx v2 will not perform content filtering. You can configure the details about it in Web Configurator, Advanced setup, Security -> Content Filter.

P-660HW-Tx v2 Series Support Notes

ADSL FAQ

1. How does ADSL compare to Cable modems?

ADSL provides a dedicated service over a single telephone line; cable modems offer a dedicated service over a shared media. While cable modems have greater downstream bandwidth capabilities (up to 30 Mbps), that bandwidth is shared among all users on a line, and will therefore vary, perhaps dramatically, as more users in a neighborhood get online at the same time. Cable modem upstream traffic will in many cases be slower than ADSL, either because the particular cable modem is inherently slower, or because of rate reductions caused by contention for upstream bandwidth slots. The big difference between ADSL and cable modems, however, is the number of lines available to each. There are no more than 12 million homes passed today that can support two-way cable modem transmissions, and while the figure also grows steadily, it will not catch up with telephone lines for many years. Additionally, many of the older cable networks are not capable of offering a return channel; consequently, such networks will need significant upgrading before they can offer high bandwidth services.

2. What is the expected throughput? In our test, we can get about 1.6Mbps data rate on 15Kft using the 26AWG

loop. The shorter the loop, the better the throughput is.

3. What is the microfilter used for?

4. How do I know the ADSL line is up? You can see the DSL LED Green on the P-660HW-Tx v2's front panel is on

when the ADSL physical layer is up.

5. How does the P-660HW-Tx v2 work on a noisy ADSL? Depending on the line quality, the P-660HW-Tx v2 uses "Fall Back" and "Fall

Forward" to automatically adjust the date rate.

P-660HW-Tx v2 Series Support Notes

6. Does the VC-based multiplexing perform better than the LLC-based multiplexing?

Though the LLC-based multiplexing can carry multiple protocols over a single VC, it requires extra header information to identify the protocol being carried on the virtual circuit (VC). The VC-based multiplexing needs a separate VC for carrying each protocol but it does not need the extra headers. Therefore, the VC-based multiplexing is more efficient.

7. How do I know the details of my ADSL line statistics?

• You can use the following CI commands to check the ADSL line

statistics.

CI> wan adsl perfdata

CI> wan adsl status

CI> wan adsl linedata far

CI> wan adsl linedata near

• You can also do it in Web Configurator, Advanced Setup,

Maintenance -> Diagnostic -> DSL Line -> DSL Status:

8. What are the signaling pins of the ADSL connector?

The signaling pins on the P-660HW-Tx v2's ADSL connector are pin 3 and pin

4. The middle two pins for a RJ11 cable.

9. What is triple play?

P-660HW-Tx v2 Series Support Notes

More and more Telco/ISPs are providing three kinds of services (VoIP, Video and Internet) over one existing ADSL connection.

• The different services (such as video, VoIP and Internet access) require

different Qulity of Service.

• The high priority is Voice (VoIP) data.

• The Medium priority is Video (IPTV) data.

• The low priority is internet access such as ftp etc …

Triple Play is a port-based policy to forward packets from different LAN port to different PVCs, thus you can configure each PVC separately to assign different QoS to different application.

P-660HW-Tx v2 Series Support Notes

Firewall FAQ

General

1. What is a network firewall?

A firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of two mechanisms: One to block the traffic, and the other to permit traffic.

2. What makes P-660HW-Tx v2 secure? The P-660HW-Tx v2 is pre-configured to automatically detect and thwart

Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The P-660HW-Tx v2 supports Network Address Translation (NAT), which translates the private local addresses to one or multiple public addresses. This adds a level of security since the clients on the private LAN are invisible to the Internet.

3. What are the basic types of firewalls? Conceptually, there are three types of firewalls:

1. Packet Filtering Firewall

2. Application-level Firewall

3. Stateful Inspection Firewall

Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. These headers information include the source, destination addresses and ports of the packets.

Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by mean of a proxy. A key drawback of this device is performance.

P-660HW-Tx v2 Series Support Notes

Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also 'inspect' the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency, however, they may lack the granular application level access control or caching that some proxies support.

4. What kind of firewall is the P-660HW-Tx v2?

1. The P-660HW-Tx v2's firewall inspects packets contents and IP

headers. It is applicable to all protocols, that understands data in the

packet is intended for other layers, from network layer up to the

application layer.

2. The P-660HW-Tx v2's firewall performs stateful inspection. It takes into

account the state of connections it handles so that, for example, a

legitimate incoming packet can be matched with the outbound request

for that packet and allowed in. Conversely, an incoming packet

masquerading as a response to a nonexistent outbound request can be

blocked.

3. The P-660HW-Tx v2's firewall uses session filtering, i.e., smart rules,

that enhance the filtering process and control the network session

rather than control individual packets in a session.

4. The P-660HW-Tx v2's firewall is fast. It uses a hashing function to

search the matched session cache instead of going through every

individual rule for a packet.

5. The P-660HW-Tx v2's firewall provides email service to notify you for

routine reports and when alerts occur.

5. Why do you need a firewall when your router has packet filtering and NAT built-in?

With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filter and NAT restrict access to particular computers and networks, however, for the other companies this security may be insufficient, because packets filters typically cannot maintain session state. Thus, for greater security, a firewall is considered.

6. What is Denials of Service (DoS) attack? Denial of Service (DoS) attacks are aimed at devices and networks with a

connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.

P-660HW-Tx v2 Series Support Notes

There are four types of DoS attacks:

1. Those that exploits bugs in a TCP/IP implementation such as Ping of

Death and Teardrop.

2. Those that exploits weaknesses in the TCP/IP specification such as

SYN Flood and LAND Attacks.

3. Brute-force attacks that flood a network with useless data such as

Smurf attack.

4. IP Spoofing

7. What is Ping of Death attack? Ping of Death uses a 'PING' utility to create an IP packet that exceeds the

maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot.

8. What is Teardrop attack? Teardrop attack exploits weakness in the reassemble of the IP packet

fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

9. What is SYN Flood attack? SYN attack floods a targeted system with a series of SYN packets. Each

packet causes the targeted system to issue a SYN-ACK response, While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set a relatively long intervals) terminates the TCP three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

10. What is LAND attack? In a LAN attack, hackers flood SYN packets to the network with a spoofed

source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

P-660HW-Tx v2 Series Support Notes

11 What is Brute-force attack?

A Brute-force attack, such as 'Smurf' attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker flood a destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request packet, the resulting ICMP traffic will not only clog up the 'intermediary' network, but will also congest the network of the spoofed source IP address, known as the 'victim' network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

12. What is IP Spoofing attack? Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing

may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall.

13. What are the default ACL firewall rules in P-660HW-Tx v2? There are two default ACLs pre-configured in the P-660HW-Tx v2, one allows

all connections from LAN to WAN and the other blocks all connections from WAN to LAN except of the DHCP packets.

Configuration

1. How do I configure the firewall?

You can use the Web Configurator to configure the firewall for P-660HW-Tx v2. By factory default, if you connect your PC to the LAN Interface of P-660HW-Tx v2, you can access Web Configurator via ‘http://192.168.1.1’.

Note: Don’t forget to type in the Administrator Password.

2. How do I prevent others from configuring my firewall?

There are several ways to protect others from touching the settings of your firewall.

P-660HW-Tx v2 Series Support Notes

1. Change the default Administrator password since it is required when

setting up the firewall.

2. Limit who can access to your P-660HW-Tx v2’s Web Configurator or

CLI. You can enter the IP address of the secured LAN host in Web

Configurator, Advanced Setup, Advanced -> Remote MGNT ->

[Service] ->Secured Client IP to allow special access to your

P-660HW-Tx v2:

The default value in this field is 0.0.0.0, which means you do not care which host is trying to telnet your P-660HW-Tx v2 or access.the Web Configurator of

3. Why can't I configure my P-660HW-Tx v2 using Web Configurator/Telnet over WAN?

There are four reasons that WWW/Telnet from WAN is blocked.

(1) When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable Telnet from WAN, you must turn the firewall off, or create a firewall rule to allow WWW/Telnet connection from WAN. The WAN-to-LAN ACL summary will look like as shown below.

WWW (For accessing Web Configurator):

Source IP= Remote trusted host Destination IP= router' WAN IP Service= TCP/80 Action=Forward

TELNET (For accessing Command Line Interface): Source IP= Telnet Client host Destination IP= router' WAN IP Service= TCP/23 Action=Forward

P-660HW-Tx v2 Series Support Notes

(2)You have disabled WWW/Telnet service in Web Configurator, Advanced setup, Advanced -> Remote MGNT:

(3) WWW/Telnet service is enabled but your host IP is not the secured host entered in Web Configurator, Advanced setup, Advanced -> Remote MGNT:

(4)A filter set which blocks WWW/Telnet from WAN is applied to WAN node. You can check by command:

wan node index [index #] wan node display

4. Why can't I upload the firmware and configuration file using FTP over WAN?

(1) When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable FTP from WAN, you must turn the firewall off or create a firewall rule to allow FTP connection from WAN. The WAN-to-LAN ACL summary will look like as shown below.

Source IP= FTP host Destination IP= P-660HW-Tx v2's WAN IP

P-660HW-Tx v2 Series Support Notes

Service= FTP TCP/21, TCP/20 Action=Forward

(2) You have disabled FTP service in Web Configurator, Advanced setup, Advanced -> Remote MGNT.

(3) FTP service is enabled but your host IP is not the secured host entered in Web Configurator, Advanced setup, Advanced -> Remote MGNT.

(4) A filter set which blocks FTP from WAN is applied to WAN node. You can check by command:

wan node index [index #] wan node display

Log and Alert

1. When does the P-660HW-Tx v2 generate the firewall log?

The P-660HW-Tx v2 generates the firewall log immediately when the packet matches a firewall rule. The log for Default Firewall Policy (LAN to WAN, WAN to LAN, WAN to WAN) is generated automatically with factory default setting, but you can change it in Web Configurator.

2. What does the log show to us?

The log supports up to 128 entries. There are 5 columns for each entry. Please see the example shown below:

3. How do I view the firewall log?

All logs generated in P-660HW-Tx v2, including firewall logs, IPSec logs, system logs are migrated to centralized logs. So you can view firewall logs in Centralized logs: Web Configurator, Advanced setup, Maintenance -> Logs

->View Log.

The log keeps 128 entries, the new entries will overwrite the old entries when the log has over 128 entries.

Before you can view firewall logs there are two steps you need to do:

P-660HW-Tx v2 Series Support Notes

(1) Enable log function in Centralized logs setup via either one of the following methods,

• Web configuration: Advanced Setup, Maintenance -> Logs -> Log

Settings, check Access Control and Attacks options depending on

your real situation.

• CI command: sys logs category [access | attack]

(2) Enable log function in firewall default policy or in firewall rules.

After the above two steps, you can view firewall logs via

• Web Configurator: Advanced setup, Maintenance -> Logs ->View

Log.

• View the log by CI command: sys logs disp

You can also view Centralized logs via mail or syslog, please configure mail server or Unix Syslog server in Web configuration: Advanced Setup,

Maintenance -> Logs -> Log Settings.

4. When does the P-660HW-Tx v2 generate the firewall alert?

The P-660HW-Tx v2 generates the alert when an attack is detected by the firewall and sends it via Email. So, to send the alert, you must configure the mail server and Email address using Web Configurator, Advanced Setup, Maintenance -> Logs -> Log Settings. You can also specify how frequently you want to receive the alert in it.

5. What is the difference between the log and alert?

A log entry is just added to the log inside the P-660HW-Tx v2 and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attacked is detected.

P-660HW-Tx v2 Series Support Notes

Wireless FAQ

General FAQ

1. What is a Wireless LAN?

Wireless LANs provide all the functionality of wired LANs, without the need for physical connections (wires). Data is modulated onto a radio frequency carrier and transmitted through the ether. Typical bit-rates are 11Mbps and 54Mbps, although in practice data throughput is half of this. Wireless LANs can be formed simply by equipping PC's with wireless NICs. If connectivity to a wired LAN is required an Access Point (AP) is used as a bridging device. AP's are typically located close to the centre of the wireless client population.

2. What are the advantages of Wireless LAN? Mobility: Wireless LAN systems can provide LAN users with access to

real-time information anywhere in their organization. This mobility supports productivity and service opportunities not possible with wired networks.

Installation Speed and Simplicity: Installing a wireless LAN system can be fast and easy and can eliminate the need to pull cable through walls and ceilings.

Installation Flexibility: Wireless technology allows the network to go where wire cannot go.

Reduced Cost-of-Ownership: While the initial investment required for wireless LAN hardware can be higher than the cost of wired LAN hardware, overall installation expenses and life-cycle costs can be significantly lower. Long-term cost benefits are greatest in dynamic environments requiring frequent moves and changes.

Scalability: Wireless LAN systems can be configured in a variety of topologies to meet the needs of specific applications and installations. Configurations are easily changed and range from peer-to-peer networks suitable for a small number of users to full infrastructure networks of thousands of users that enable roaming over a broad area.

3. What is the disadvantage of Wireless LAN?

The speed of Wireless LAN is still relative slower than wired LAN. The most popular wired LAN is operated in 100Mbps, which is almost 10 times of that of Wireless LAN (10Mbps). A faster wired LAN standard (1000Mbps), which is 100 times faster, becomes popular as well. The setup cost of Wireless LAN is relative high because the equipment cost including access point and PCMCIA Wireless LAN card is higher than hubs and CAT 5 cables.

+ 92 hidden pages