ZyXEL Communications P-661H-D User Manual

P-661H-D Series

ADSL2+ 4-port Security Gateway

Support Notes

Version3.40

Mar. 2006

P-661H-D Series Support Notes

FAQ.................................................................................................................5

ZyNOS FAQ.................................................................................................5

1. What is ZyNOS?...................................................................................5

2. What’s Multilingual Embedded Web Configurator?...............................5

3. How do I access the P-661H-D Command Line Interface (CLI)?..........5

4. How do I update the firmware and configuration file?...........................5

5. How do I upgrade/backup the ZyNOS firmware by using TFTP client program via LAN?

.....................................................................................5

6. How do I restore P-661H-D configurations by using TFTP client program via LAN?

.....................................................................................6

7. What should I do if I forget the system password? ...............................6

8. How to use the Reset button?...............................................................6

9. What is SUA? When should I use SUA? ..............................................6

10. What is the difference between SUA and Full Feature NAT?.............7

11. Is it possible to access a server running behind SUA from the outside Internet? How can I do it?

.........................................................................7

12. When do I need select Full Feature NAT?..........................................8

13. What IP/Port mapping does Multi-NAT support?................................8

14. How many network users can the SUA/NAT support? .......................9

15. What are Device filters and Protocol filters?.......................................9

16. How can I protect against IP spoofing attacks?..................................9

Product FAQ...............................................................................................11

1. How can I manage P-661H-D?...........................................................11

2. What is the default password for Web Configurator?..........................11

3. What’s the difference between ‘Common User Account’ and ‘Administrator Account’?

.........................................................................11

4. How do I know the P-661H-D's WAN IP address assigned by the ISP?

................................................................................................................11

5. What is the micro filter or splitter used for?.........................................11

6. The P-661H-D supports Bridge and Router mode, what's the difference between them?

.......................................................................................12

7. How do I know I am using PPPoE?....................................................12

8. Why does my provider use PPPoE?...................................................12

9. What is DDNS?...................................................................................12

10. When do I need DDNS service?.......................................................13

11. What is DDNS wildcard? Does the P-661H-D support DDNS wildcard?

................................................................................................................13

12. Can the P-661H-D's SUA handle IPSec packets sent by the IPSec gateway?

................................................................................................13

13. How do I setup my P-661H-D for routing IPSec packets over SUA?13

14. What is Traffic Shaping? ...................................................................14

15. Why do we perform traffic shaping in the P-661H-D?.......................14

16. What do the parameters (PCR, SCR, MBS) mean?.........................15

P-661H-D Series Support Notes

17. What do the ATM QoS Types (CBR, UBR, VBR-nRT, VBR-RT) mean?

................................................................................................................15

18. What is content filter?.......................................................................15

ADSL FAQ .................................................................................................17

1. How does ADSL compare to Cable modems?....................................17

2. What is the expected throughput?......................................................17

3. What is the microfilter used for? .........................................................17

4. How do I know the ADSL line is up?...................................................17

5. How does the P-661H-D work on a noisy ADSL?...............................17

6. Does the VC-based multiplexing perform better than the LLC-based multiplexing?

...........................................................................................18

7. How do I know the details of my ADSL line statistics?........................18

8. What are the signaling pins of the ADSL connector?..........................18

9. What is triple play? .............................................................................18

Firewall FAQ .............................................................................................20

General...................................................................................................20

1. What is a network firewall?...................................................20

2. What makes P-661H-D secure?...........................................20

3. What are the basic types of firewalls?..................................20

4. What kind of firewall is the P-661H-D?.................................21

5. Why do you need a firewall when your router has packet filtering and NAT built-in?

.........................................................21

6. What is Denials of Service (DoS) attack?.............................21

7. What is Ping of Death attack?..............................................22

8. What is Teardrop attack? .....................................................22

9. What is SYN Flood attack?...................................................22

10. What is LAND attack? ........................................................22

11 What is Brute-force attack? .................................................23

12. What is IP Spoofing attack? ...............................................23

13. What are the default ACL firewall rules in P-661H-D?........23

Configuration ..........................................................................................23

1. How do I configure the firewall? ...........................................23

2. How do I prevent others from configuring my firewall?.........23

3. Why can't I configure my P-661H-D using Web Configurator/Telnet over WAN?

...............................................24

4. Why can't I upload the firmware and configuration file using FTP over WAN?

.......................................................................25

Log and Alert ..........................................................................................26

1. When does the P-661H-D generate the firewall log?............26

2. What does the log show to us? ............................................26

3. How do I view the firewall log? .............................................26

4. When does the P-661H-D generate the firewall alert? .........27

5. What is the difference between the log and alert?................27

VPN FAQ ...................................................................................................28

P-661H-D Series Support Notes

General FAQ...........................................................................................28

1. What is VPN?.......................................................................28

2. Why do I need VPN?............................................................28

3. What are most common VPN protocols?..............................28

4. What is PPTP?.....................................................................28

5. What is L2TP?......................................................................29

6. What is IPSec?.....................................................................29

7. What secure protocols does IPSec support?........................29

8. What are the differences between 'Transport mode' and 'Tunnel mode’?

.........................................................................29

9. What is SA?..........................................................................30

10. What is IKE?.......................................................................30

11. What is Pre-Shared Key?...................................................30

12. What are the differences between IKE and manual key VPN?

.................................................................................................30

13. What is Phase 1 ID for?......................................................30

14. What is FQDN? ..................................................................31

15. When should I use FQDN?.................................................31

Advanced FAQ .......................................................................................31

1. How do I configure VPN?.....................................................31

2. What kind of VPN protocols are supported on P-661H-D? 32

3. What types of encryption does P-661H-D VPN support?.....32

4. What types of authentication does P-661H-D VPN support?32

5. I am planning my P-661H-D VPN configuration. What do I

need to know?

..........................................................................32

6. Does P-661H-D support dynamic secure gateway IP?.........33

7. What VPN gateway has been tested with P-661H-D

successfully?

............................................................................33

8. What VPN software has been tested with P-661H-D

successfully?

...........................................................................34

11. How do I configure P-661H-D with NAT for internal servers?

.................................................................................................35

12. I am planning my P-661H-D behind a NAT router. What do I

need to know?

..........................................................................35

13. How can I keep a tunnel alive?...........................................35

14. Single, Range, Subnet, which types of IP address do

P-661H-D support in VPN/IPSec?

............................................36

15. Can P-661H-D support VPN passthrough?........................36

16. Can P-661H-D behave as a NAT router supporting IPSec

passthrough and an IPSec gateway simultaneously?

..............36

Application Notes.....................................................................................37

General Application Notes......................................................................37

1. Internet Access Using P-661H-D under Bridge mode ..........37

2. Internet Access Using P-661H-D under Routing mode ........39

P-661H-D Series Support Notes

3. Setup the P-661H-D as a DHCP Relay................................41

4. SUA Notes............................................................................42

5. Using Full Feature NAT........................................................51

6. Using the Dynamic DNS (DDNS) .........................................63

7. Network Management Using SNMP.....................................65

8. Using syslog.........................................................................68

9. Using IP Alias.......................................................................68

10. Using IP Policy Routing......................................................70

11. Using Call Scheduling ........................................................74

12. Using IP Multicast...............................................................76

13. Using Bandwidth Management...........................................77

14. Using Zero-Configuration ...................................................80

15. How could I configure triple play on P-661H-D?.................83

16. How to configure packet filter on P-661H-D? .....................83

IPSEC VPN Application Notes................................................................87

1. How to use P-661H-D to build VPN Tunnel with another VPN

Gateway/ Software?

2. How to build a VPN between Secure Gateway with Dynamic

WAN IP Address?

3. Configure NAT for internal servers.......................................95

4. VPN Routing between Branch Office through Headquarter..96

Support Tool...........................................................................................101

1. LAN/WAN Packet Trace ...................................................................101

Online Trace　 .......................................................................101

Offline Trace　 .......................................................................103

Capture the detailed logs by Hyper Terminal　 ......................104

2. Firmware/Configurations Uploading and Downloading using TFTP..106

•Using TFTP client software...................................................106

•Using TFTP command on Windows NT................................108

•Using TFTP command on UNIX ...........................................108

3. Using FTP to Upload the Firmware and Configuration Files.............109

CI Command Reference.........................................................................112

.................................................................87

.....................................................................93

P-661H-D Series Support Notes

FAQ

ZyNOS FAQ

1. What is ZyNOS?

ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all Prestige routers that delivers network services and applications. It is designed in a modular fashion so it is easy for developers to add new features. New ZyNOS software upgrades can be easily downloaded from our FTP sites as they become available.

2. What’s Multilingual Embedded Web Configurator? Multilinggual Embedded Web Configurator means that it can display with 3

kinds of languanges: English, French, and German. By factory default it displays with English, and you can change it in Web GUI.

3. How do I access the P-661H-D Command Line Interface (CLI)?

The Command Line Interface is for the Administrator use only, and it could be accessed via telnet session.

Note: It is protected by super password, ‘1234’ by factory default.

4. How do I update the firmware and configuration file

You can do this if you access the P-661H-D as Administrator. You can upload the firmware and configuration file to Prestige from Web Condigurator, or using FTP or TFTP client software. You CAN NOT upload the firmware and configuration file via Telnet because the Telnet connection will be dropped during uploading the firmware. Please do not power off the router right after the FTP or TFTP uploading is finished, the router will upload the firmware to its flash at this moment.

Note: There may be firmware that could not be upgraded from Web Configurator. In this case, ZyXEL will prepare special Upload Software for you. Please read the firmware release note carefully when you want to upload a new fireware.

5. How do I upgrade/backup the ZyNOS firmware by using TFTP client program via LAN?

The P-661H-D allows you to transfer the firmware to P-661H-D using TFTP program via LAN. The procedure for uploading ZyNOS via TFTP is as follows.

a. Use the TELNET client program in your PC to login to your P-661H-D.

P-661H-D Series Support Notes

b. Enter CI command 'sys stdio 0' to disable Stdio idle timeout c. To upgrade firmware, use TFTP client program to put firmware in file

'ras' in the Prestige. After data transfer is finished, the P-661H-D will program the upgraded firmware into FLASH ROM and reboot itself.

d. To backup your firmware, use the TFTP client program to get file 'ras'

from the Prestige.

6. How do I restore P-661H-D configurations by using TFTP client program via LAN?

a. Use the TELNET client program in your PC to login to your P-661H-D. b. Enter CI command 'sys stdio 0' disable Stdio idle timeout c. To backup the P-661H-D configurations, use TFTP client program to

get file 'rom-0' from the P-661H-D.

d. To restore the P-661H-D configurations, use the TFTP client program to

put your configuration in file rom-0 in the P-661H-D.

7. What should I do if I forget the system password?

In case you forget the system password, you can erase the current configuration and restore factory defaults this way:

Use the RESET button on the rear panel of P-661H-D to reset the router. After the router is reset, the LAN IP address will be reset to '192.168.1.1', the common user password will be reset to 'user', the Administrator password will be reset to ‘1234’.

8. How to use the Reset button?

a. Turn your P-661H-D on. Make sure the POWER led is on (not blinking) b. Press the RESET button for longer than one second and shorter than

five seconds and release it. If the POWER LED begins to blink, the P-661H-D’s wireless auto security function-OTIST has been enabled.

c. Press the RESET button for six seconds and release it. If the POWER

LED begins to blink, the default configuration have been restored and the P-661H-D restarts.

9. What is SUA? When should I use SUA?

SUA (Single User Account) is a unique feature supported by Prestige router which allows multiple people to access Internet concurrently for the cost of a single user account.

When Prestige acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header

P-661H-D Series Support Notes

with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it is originated from Prestige using the IP address assigned by ISP. When reply packets from the external Internet are received by Prestige, the original IP source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it is now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it.

10. What is the difference between SUA and Full Feature NAT?

When you edit a remote node in Web Configurator, Advanced Setup, Network

-> Remote Node -> Edit, there will be three options for you:

• None

• SUA Only

• Full Feature

SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules: Many-to-One and Server. With SUA, 'visible' servers had to be mapped to different ports, since the servers share only one global IP.

The P-661H-D now has Full Feature NAT which supports five types of IP/Port mapping: One to One, Many to One, Many to Many Overload, Many to Many No Overload and Server. You can make special application when you select Full Feature NAT. For example: With multiple global IP addresses, multiple severs using the same port (e.g., FTP servers using port 21/20) are allowed on the LAN for outside access.

The P-661H-D supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The P-661H-D supports 8 sets since there are 8 remote nodes.

By fatory default, the NAT is select as SUA in Web Configurator, Advanced Setup, Network -> NAT -> General -> NAT Setup.

11. Is it possible to access a server running behind SUA from the outside Internet? How can I do it?

Yes, it is possible because P-661H-D delivers the packet to the local server by looking up to a SUA server table. Therefore, to make a local server accessible to the outside users, the port number and the inside IP address of the server

P-661H-D Series Support Notes

must be configured. (You can configure it in Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding).

12. When do I need select Full Feature NAT

• Make multiple local servers on the LAN accessible from outside with

multiple global IP addresses

With SUA, 'visible' servers had to be mapped to different ports, since the servers share only one global IP. But when you select Full Feature, you can make multiple local servers (mapping the same port or not) on the LAN accessible from outside with multiple global IP addresses.

• Support Non-NAT Friendly Applications

Some servers providing Internet applications such as some MIRC servers do not allow users to login using the same IP address. Thus, users on the same network can not login to the same server simultaneously. In this case it is better to use Many-to-Many No Overload or One-to-One NAT mapping types, thus each user login to the server using a unique global IP address.

13. What IP/Port mapping does Multi-NAT support

Multi-NAT supports five types of IP/port mapping: One to One, Many to One, Many to Many Overload, Many to Many No Overload and Server. The details of the mapping between ILA and IGA are described as below. Here we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA),

• One to One: In One-to-One mode, the P-661H-D maps one ILA to one IGA.

• Many to One: In Many-to-One mode, the P-661H-D maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA is optional in today's Prestige routers).

• Many to Many Overload: In Many-to-Many Overload mode, the P-661H-D maps the multiple ILA to shared IGA.

• Many One-to-One: In Many One-to-One mode, the P-661H-D maps each ILA to unique IGA.

• Server: In Server mode, the P-661H-D maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note, if you want to map each server to one unique IGA please use the One-to-One mode.

P-661H-D Series Support Notes

The following table summarizes the five types.

NAT Type IP Mapping One-to-One ILA1<--->IGA1

Many-to-One (SUA/PAT)

ILA1<--->IGA1 ILA2<--->IGA1 ...

ILA1<--->IGA1

Many-to-Many Overload

ILA2<--->IGA2 ILA3<--->IGA1 ILA4<--->IGA2 ...

ILA1<--->IGA1

Many

ILA2<--->IGA2 ILA3<--->IGA3

One-to-One

ILA4<--->IGA4 ...

Server

Server 1 IP<--->IGA1 Server 2 IP<--->IGA1

14. How many network users can the SUA/NAT support?

The Prestige does not limit the number of the users but the number of the sessions. The P-661H-D supports 1024 sessions that you can use the

session'

command in CLI to see. You can also use ‘ip nat hashTable wanif0’

'ip nat

to view the current active NAT sessions.

15. What are Device filters and Protocol filters?

In ZyNOS, the filters have been separated into two groups. One group is called 'device filter group', and the other is called 'protocol filter group'. Generic filters belong to the 'device filter group', TCP/IP and IPX filters belong to the 'protocol filter group'. You can configure the filter rule in CLI.

Note: In ZyNOS, you can not mix different filter groups in the same filter set.

16. How can I protect against IP spoofing attacks?

The P-661H-D's filter sets provide a means to protect against IP spoofing attacks. The basic scheme is as follows:

For the input data filter:

• Deny packets from the outside that claim to be from the inside

P-661H-D Series Support Notes

• Allow everything that is not spoofing us

Filter rule setup:

• Filter type =TCP/IP Filter Rule

• Active =Yes

• Source IP Addr =a.b.c.d

• Source IP Mask =w.x.y.z

• Action Matched =Drop

• Action Not Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask:

For the output data filters:

• Deny bounce back packet

• Allow packets that originate from us

Filter rule setup:

• Filter Type =TCP/IP Filter Rule

• Active =Yes

• Destination IP Addr =a.b.c.d

• Destination IP Mask =w.x.y.z

• Action Matched =Drop

• Action No Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.

P-661H-D Series Support Notes

Product FAQ

1. How can I manage P-661H-D?

 Multilingual Embedded Web GUI for Local and Remote management  CLI (Command-line interface)  Telnet support (Administrator Password Protected ) for remote

configuration change and status monitoring

 FTP/ TFTP sever, firmware upgrade and configuration backup and

restore are supported(Administrator Password Protected)

2. What is the default password for Web Configurator?

There are two different accounts for P-661H-D Web Configurator: Common User Account and Administrator Account.

By factory default the password for the two accounts are:

• Common User Account: user

• Administrator Account: 1234.

You can change the password after you logging in the Web Configurator.

Please record your new password whenever you change it. The system will lock you out if you have forgotten your password.

3. What’s the difference between ‘Common User Account’ and ‘Administrator Account’?

For Common User Account, it can only access the status monitor of P-661H-D and check the current system status.

For Administrator Account, besides accessing the status monitor of P-661H-D, it can also access Winzard setup/ Advanced setup of P-661H-D:

Moreover, only with Administrator Password, you could manage the P-661H-D via FTP/TFTP or Telnet.

4. How do I know the P-661H-D's WAN IP address assigned by the ISP?

You can view "My WAN IP <from ISP> : x.x.x.x" shown in Web Configurator ‘Status->Device Information ->WAN Information’ to check this IP address.

5. What is the micro filter or splitter used for

P-661H-D Series Support Notes

do not interfere with your voice transmissions. For the details about how to connect the micro filter please refer to the user's manual.

6. The P-661H-D supports Bridge and Router mode, what's the difference between them?

When the ISP limits some specific computers to access Internet, that means only the traffic to/from these computers will be forwarded and the other will be filtered. In this case, we use bridge mode which works as an ADSL modem to connect to the ISP. The ISP will generally give one Internet account and limit only one computer to access the Internet.

For most Internet users having multiple computers want to share an Internet account for Internet access, they have to add another Internet sharing device, like a router. In this case, we use the router mode which works as a general Router plus an ADSL Modem.

7. How do I know I am using PPPoE? PPPoE requires a user account to login to the provider's server. If you need to

configure a user name and password on your computer to connect to the ISP you are probably using PPPoE. If you are simply connected to the Internet when you turn on your computer, you probably are not. You can also check your ISP or the information sheet given by the ISP. Please choose PPPoE as the encapsulation type in the P-661H-D if the ISP uses PPPoE.

8. Why does my provider use PPPoE?

PPPoE emulates a familiar Dial-Up connection. It allows your ISP to provide services using their existing network configuration over the broadband connections. Besides, PPPoE supports a broad range of existing applications and service including authentication, accounting, secure access and configuration management.

9. What is DDNS? The Dynamic DNS service allows you to alias a dynamic IP address to a static

hostname, allowing your computer to be more easily accessed from various locations on the Internet. To use the service, you must first apply an account from several free Web servers such as http://www.dyndns.org/.

Without DDNS, we always tell the users to use the WAN IP of the P-661H-D to reach our internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the P-661H-D, you apply a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server.

P-661H-D Series Support Notes

The outside users can always access the web server using the www.zyxel.com.tw regardless of the WAN IP of the P-661H-D.

When the ISP assigns the P-661H-D a new IP, the P-661H-D updates this IP to DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable.

10. When do I need DDNS service? When you want your internal server to be accessed by using DNS name rather

than using the dynamic IP address we can use the DDNS service. The DDNS server allows to alias a dynamic IP address to a static hostname. Whenever the ISP assigns you a new IP, the P-661H-D sends this IP to the DDNS server for its updates.

11. What is DDNS wildcard? Does the P-661H-D support DDNS wildcard? Some DDNS servers support the wildcard feature which allows the hostname,

*.yourhost.dyndns.org, to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful when there are multiple servers inside and you want users to be able to use things such as www.yourhost.dyndns.org and still reach your hostname.

Yes, the P-661H-D supports DDNS wildcard that http://www.dyndns.org/ supports. When using wildcard, you simply enter yourhost.dyndns.org in the Host field in Menu 1.1 Configure Dynamic DNS.

12. Can the P-661H-D's SUA handle IPSec packets sent by the IPSec gateway?

Yes, the P-661H-D's SUA can handle IPSec ESP Tunneling mode. We know when packets go through SUA, SUA will change the source IP address and source port for the host. To pass IPSec packets, SUA must understand the ESP packet with protocol number 50, replace the source IP address of the IPSec gateway to the router's WAN IP address. However, SUA should not change the source port of the UDP packets which are used for key managements. Because the remote gateway checks this source port during connections, the port thus is not allowed to be changed.

13. How do I setup my P-661H-D for routing IPSec packets over SUA? For outgoing IPSec tunnels, no extra setting is required.

P-661H-D Series Support Notes

For forwarding the inbound IPSec ESP tunnel, A 'Default' server set is required. You could configure it in Web Configurator, Advanced Setup, Network -> NAT

-> Port Forwarding -> Default Server Setup:

It is because SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. So, to make an internal server for outside access, we must specify the service port and the LAN IP of this server in Web configurator. Thus SUA is able to forward the incoming packets to the requested service behind SUA and the outside users access the server using the P-661H-D's WAN IP address. So, we have to configure the internal IPsec client as a default server (unspecified service port) when it acts a server gateway.

14. What is Traffic Shaping?

Traffic Shaping allocates the bandwidth to WAN dynamically and aims at boosting the efficiency of the bandwidth. If there are serveral VCs in the P-661H-D but only one VC activated at one time, the P-661H-D allocates all the Bandwidth to the VC and the VC gets full bandwidth. If another VCs are activated later, the bandwidth is yield to other VCs after ward.

15. Why do we perform traffic shaping in the P-661H-D? The P-661H-D must manage traffic fairly and provide bandwidth allocation for

different sorts of applications, such as voice, video, and data. All applications have their own natural bit rate. Large data transactions have a fluctuating natural bit rate. The P-661H-D is able to support variable traffic among different virtual connections. Certain traffic may be discarded if the virtual connection experiences congestion. Traffic shaping defines a set of actions taken by the P-661H-D to avoid congestion; traffic shaping takes measures to adapt to unpredictable fluctuations in traffic flows and other problems among virtual connections.

P-661H-D Series Support Notes

16. What do the parameters (PCR, SCR, MBS) mean?

Traffic shaping parameters (PCR, SCR, MBS) can be set in Web Configurator, Advanced Setup, Network -> Remote Node -> Edit -> ATM Setup:

Peak Cell Rate(PCR): The maximum bandwidth allocated to this connection. The VC connection throughput is limited by PCR. Sustainable Cell Rate(SCR): The least guaranteed bandwidth of a VC. When there are multi-VCs on the same line, the VC throughput is guaranteed by SCR. Maximum Burst Size(MBS): The amount of cells transmitted through this VC at the Peak Cell Rate before yielding to other VCs. Total bandwidth of the line is dedicated to single VC if there is only one VC on the line. However, as the other VC asking the bandwidth, the MBS defines the maximum number of cells transmitted via this VC with Peak Cell rate before yielding to other VCs.

The P-661H-D holds the parameters for shaping the traffic among its virtual channels. If you do not need traffic shaping, please set SCR = 0, MBS = 0 and PCR as the maximum value according to the line rate (for example, 2.3 Mbps line rate will result PCR as 5424 cell/sec.)

17. What do the ATM QoS Types (CBR, UBR, VBR-nRT, VBR-RT) mean?

Constant bit rate(CBR): An ATM bandwidth-allocation service that requires

the user to determine a fixed bandwidth requirement at the time the connection is set up so that the data can be sent in a steady stream. CBR service is often used when transmitting fixed-rate uncompressed video.

Unspecified bit rate(UBR): An ATM bandwidth-allocation service that does not guarantee any throughput levels and uses only available bandwidth. UBR is often used when transmitting data that can tolerate delays, such as e-mail.

Variable bit rate(VBR): An ATM bandwidth-allocation service that allows users to specify a throughput capacity (i.e., a peak rate) and a sustained rate but data is not sent evenly. You can select VBR for bursty traffic and bandwidth sharing with other applications. It contains two subclasses:

Variable bit rate nonreal time (VBR-nRT):

Variable bit rate real time (VBR-RT):

18. What is content filter?

Internet Content filter allows you to create and enforce Internet access policies tailored to your needs. Content filter gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for

P-661H-D Series Support Notes

when the P-661H-D performs content filtering. You can also specify trusted IP Addresses on LAN for which the P-661H-D will not perform content filtering. You can configure the details about it in Web Configurator, Advanced setup, Security -> Content Filter.

P-661H-D Series Support Notes

ADSL FAQ

1. How does ADSL compare to Cable modems?

ADSL provides a dedicated service over a single telephone line; cable modems offer a dedicated service over a shared media. While cable modems have greater downstream bandwidth capabilities (up to 30 Mbps), that bandwidth is shared among all users on a line, and will therefore vary, perhaps dramatically, as more users in a neighborhood get online at the same time. Cable modem upstream traffic will in many cases be slower than ADSL, either because the particular cable modem is inherently slower, or because of rate reductions caused by contention for upstream bandwidth slots. The big difference between ADSL and cable modems, however, is the number of lines available to each. There are no more than 12 million homes passed today that can support two-way cable modem transmissions, and while the figure also grows steadily, it will not catch up with telephone lines for many years. Additionally, many of the older cable networks are not capable of offering a return channel; consequently, such networks will need significant upgrading before they can offer high bandwidth services.

2. What is the expected throughput? In our test, we can get about 1.6Mbps data rate on 15Kft using the 26AWG

loop. The shorter the loop, the better the throughput is.

3. What is the microfilter used for?

Generally, the voice band uses the lower frequency ranging from 0 to 4KHz, while ADSL data transmission uses the higher frequency. The micro filter acts as a low-pass filter for your telephone set to ensure that ADSL transmissions do not interfere with your voice transmissions. For the details about how to connect the micro filter please refer to the user's manual.

4. How do I know the ADSL line is up? You can see the DSL LED Green on the P-661H-D's front panel is on when the

ADSL physical layer is up.

5. How does the P-661H-D work on a noisy ADSL? Depending on the line quality, the P-661H-D uses "Fall Back" and "Fall

Forward" to automatically adjust the date rate.

P-661H-D Series Support Notes

6. Does the VC-based multiplexing perform better than the LLC-based multiplexing?

Though the LLC-based multiplexing can carry multiple protocols over a single VC, it requires extra header information to identify the protocol being carried on the virtual circuit (VC). The VC-based multiplexing needs a separate VC for carrying each protocol but it does not need the extra headers. Therefore, the VC-based multiplexing is more efficient.

7. How do I know the details of my ADSL line statistics?

• You can use the following CI commands to check the ADSL line statistics. CI> wan adsl perfdata CI> wan adsl status CI> wan adsl linedata far CI> wan adsl linedata near

• You can also do it in Web Configurator, Advanced Setup,

Maintenance -> Diagnostic -> DSL Line -> DSL Status:

8. What are the signaling pins of the ADSL connector?

The signaling pins on the P-661H-D's ADSL connector are pin 3 and pin 4. The middle two pins for a RJ11 cable.

9. What is triple play?

P-661H-D Series Support Notes

More and more Telco/ISPs are providing three kinds of services (VoIP, Video and Internet) over one existing ADSL connection.

• The different services (such as video, VoIP and Internet access) require different Qulity of Service.

• The high priority is Voice (VoIP) data.

• The Medium priority is Video (IPTV) data.

• The low priority is internet access such as ftp etc …

Triple Play is a port-based policy to forward packets from different LAN port to different PVCs, thus you can configure each PVC separately to assign different QoS to different application.

P-661H-D Series Support Notes

Firewall FAQ

General

1. What is a network firewall?

A firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of two mechanisms: One to block the traffic, and the other to permit traffic.

2. What makes P-661H-D secure? The P-661H-D is pre-configured to automatically detect and thwart Denial of

Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The P-661H-D supports Network Address Translation (NAT), which translates the private local addresses to one or multiple public addresses. This adds a level of security since the clients on the private LAN are invisible to the Internet.

3. What are the basic types of firewalls? Conceptually, there are three types of firewalls:

1. Packet Filtering Firewall

2. Application-level Firewall

3. Stateful Inspection Firewall

Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. These headers information include the source, destination addresses and ports of the packets.

Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by mean of a proxy. A key drawback of this device is performance.

Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP

P-661H-D Series Support Notes

address and protocol. They also 'inspect' the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency, however, they may lack the granular application level access control or caching that some proxies support.

4. What kind of firewall is the P-661H-D?

1. The P-661H-D's firewall inspects packets contents and IP headers. It is applicable to all protocols, that understands data in the packet is intended for other layers, from network layer up to the application layer.

2. The P-661H-D's firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.

3. The P-661H-D's firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the network session rather than control individual packets in a session.

4. The P-661H-D's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.

5. The P-661H-D's firewall provides email service to notify you for routine reports and when alerts occur.

5. Why do you need a firewall when your router has packet filtering and NAT built-in?

With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filter and NAT restrict access to particular computers and networks, however, for the other companies this security may be insufficient, because packets filters typically cannot maintain session state. Thus, for greater security, a firewall is considered.

6. What is Denials of Service (DoS) attack? Denial of Service (DoS) attacks are aimed at devices and networks with a

connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.

There are four types of DoS attacks:

P-661H-D Series Support Notes

1. Those that exploits bugs in a TCP/IP implementation such as Ping of Death and Teardrop.

2. Those that exploits weaknesses in the TCP/IP specification such as SYN Flood and LAND Attacks.

3. Brute-force attacks that flood a network with useless data such as Smurf attack.

4. IP Spoofing

7. What is Ping of Death attack? Ping of Death uses a 'PING' utility to create an IP packet that exceeds the

maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot.

8. What is Teardrop attack? Teardrop attack exploits weakness in the reassemble of the IP packet

fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

9. What is SYN Flood attack? SYN attack floods a targeted system with a series of SYN packets. Each

packet causes the targeted system to issue a SYN-ACK response, While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set a relatively long intervals) terminates the TCP three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

10. What is LAND attack? In a LAN attack, hackers flood SYN packets to the network with a spoofed

source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

P-661H-D Series Support Notes

11 What is Brute-force attack?

A Brute-force attack, such as 'Smurf' attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker flood a destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request packet, the resulting ICMP traffic will not only clog up the 'intermediary' network, but will also congest the network of the spoofed source IP address, known as the 'victim' network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

12. What is IP Spoofing attack? Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing

may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall.

13. What are the default ACL firewall rules in P-661H-D? There are two default ACLs pre-configured in the P-661H-D, one allows all

connections from LAN to WAN and the other blocks all connections from WAN to LAN except of the DHCP packets.

Configuration

1. How do I configure the firewall?

You can use the Web Configurator to configure the firewall for P-661H-D. By factory default, if you connect your PC to the LAN Interface of P-661H-D, you can access Web Configurator via ‘http://192.168.1.1’.

Note: Don’t forget to type in the Administrator Password.

2. How do I prevent others from configuring my firewall?

There are several ways to protect others from touching the settings of your firewall.

P-661H-D Series Support Notes

1. Change the default Administrator password since it is required when setting up the firewall.

2. Limit who can access to your P-661H-D’s Web Configurator or CLI. You can enter the IP address of the secured LAN host in Web Configurator, Advanced Setup, Advanced -> Remote MGNT -> [Service]

->Secured Client IP to allow special access to your P-661H-D:

The default value in this field is 0.0.0.0, which means you do not care which host is trying to telnet your P-661H-D or access.the Web Configurator of

3. Why can't I configure my P-661H-D using Web Configurator/Telnet over WAN?

There are four reasons that WWW/Telnet from WAN is blocked.

(1) When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable Telnet from WAN, you must turn the firewall off, or create a firewall rule to allow WWW/Telnet connection from WAN. The WAN-to-LAN ACL summary will look like as shown below.

WWW (For accessing Web Configurator):

Source IP= Remote trusted host Destination IP= router' WAN IP Service= TCP/80 Action=Forward

TELNET (For accessing Command Line Interface): Source IP= Telnet Client host Destination IP= router' WAN IP Service= TCP/23 Action=Forward

(2)You have disabled WWW/Telnet service in Web Configurator, Advanced setup, Advanced -> Remote MGNT:

P-661H-D Series Support Notes

(3) WWW/Telnet service is enabled but your host IP is not the secured host entered in Web Configurator, Advanced setup, Advanced -> Remote MGNT:

(4)A filter set which blocks WWW/Telnet from WAN is applied to WAN node. You can check by command:

wan node index [index #] wan node display

4. Why can't I upload the firmware and configuration file using FTP over WAN?

(1) When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable FTP from WAN, you must turn the firewall off or create a firewall rule to allow FTP connection from WAN. The WAN-to-LAN ACL summary will look like as shown below.

Source IP= FTP host Destination IP= P-661H-D's WAN IP Service= FTP TCP/21, TCP/20 Action=Forward

P-661H-D Series Support Notes

(2) You have disabled FTP service in Web Configurator, Advanced setup, Advanced -> Remote MGNT.

(3) FTP service is enabled but your host IP is not the secured host entered in Web Configurator, Advanced setup, Advanced -> Remote MGNT.

(4) A filter set which blocks FTP from WAN is applied to WAN node. You can check by command:

wan node index [index #] wan node display

Log and Alert

1. When does the P-661H-D generate the firewall log?

The P-661H-D generates the firewall log immediately when the packet matches a firewall rule. The log for Default Firewall Policy (LAN to WAN, WAN to LAN, WAN to WAN) is generated automatically with factory default setting, but you can change it in Web Configurator.

2. What does the log show to us?

The log supports up to 128 entries. There are 5 columns for each entry. Please see the example shown below:

3. How do I view the firewall log?

All logs generated in P-661H-D, including firewall logs, IPSec logs, system logs are migrated to centralized logs. So you can view firewall logs in Centralized logs: Web Configurator, Advanced setup, Maintenance -> Logs

->View Log.

The log keeps 128 entries, the new entries will overwrite the old entries when the log has over 128 entries.

Before you can view firewall logs there are two steps you need to do: (1) Enable log function in Centralized logs setup via either one of the following methods,

P-661H-D Series Support Notes

• Web configuration: Advanced Setup, Maintenance -> Logs -> Log

Settings, check Access Control and Attacks options depending on

your real situation.

• CI command: sys logs category [access | attack]

(2) Enable log function in firewall default policy or in firewall rules.

After the above two steps, you can view firewall logs via

• Web Configurator: Advanced setup, Maintenance -> Logs ->View Log.

• View the log by CI command: sys logs disp

You can also view Centralized logs via mail or syslog, please configure mail server or Unix Syslog server in Web configuration: Advanced Setup,

Maintenance -> Logs -> Log Settings.

4. When does the P-661H-D generate the firewall alert?

The P-661H-D generates the alert when an attack is detected by the firewall and sends it via Email. So, to send the alert, you must configure the mail server and Email address using Web Configurator, Advanced Setup, Maintenance -> Logs -> Log Settings. You can also specify how frequently you want to receive the alert in it.

5. What is the difference between the log and alert?

A log entry is just added to the log inside the P-661H-D and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attacked is detected.

P-661H-D Series Support Notes

VPN FAQ

General FAQ

1. What is VPN?

A VPN gives users a secure link to access corporate network over the Internet or other public or private networks without the expense of lease lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

2. Why do I need VPN? There are some reasons to use a VPN. The most common reasons are

because of security and cost.

Security

1) Authentication With authentication, VPN receiver can verify the source of packets and guarantee the data integrity.

2) Encryption With encryption, VPN guarantees the confidentiality of the original user data.

Cost

1) Cut long distance phone charges Because users typically dial the their local ISP for VPN, thus, long distance phone charge is reduced than making a long direct connection to the remote office.

2) Reducing number of access lines

Many companies pay monthly charges for two types access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.

3. What are most common VPN protocols? There are currently three major tunneling protocols for VPNs. They are

Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec).

4. What is PPTP?

P-661H-D Series Support Notes

PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade.

5. What is L2TP? Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point

Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.

6. What is IPSec? IPSec is a set of IP extensions developed by IETF (Internet Engineering Task

Force) to provide security services compatible with the existing IP standard (IPv.4) and also the upcoming one (IPv.6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP, and ICMP. The IPSec provides cryptographic security services. These services allow for authentication, integrity, access control, and confidentiality. IPSec allows for the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution.

7. What secure protocols does IPSec support? There are two protocols provided by IPSec, they are AH (Authentication

Header, protocol number 51) and ESP (Encapsulated Security Payload, protocol number 50).

8. What are the differences between 'Transport mode' and 'Tunnel mode’?

The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for security gateway to provide IPSec service for other machines lacking of IPSec capability.

In this case, Transport mode only protects the upper-layer protocols of IP payload (user data). Tunneling mode protects the entire IP payload including user data.

+ 83 hidden pages