Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications HS100/HS100W Appendix K Triangle Route, Ideal Setup, Triangle Route Problem

Models: HS100/HS100W

1 357

Download 357 pages 54.31 Kb

Page 351

HomeSafe User’s Guide

Appendix K

Triangle Route

The Ideal Setup

When the firewall is on, your HomeSafeacts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the HomeSafeto protect your LAN against attacks.

Diagram K-1 Ideal Setup

The “Triangle Route” Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices. Some companies have more than one alternate route to one or more ISPs. If the LAN and ISP(s) are in the same subnet, the “triangle route” problem may occur. The steps below describe the “triangle route” problem.

Step 1. A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.

Step 2. The HomeSafereroutes the SYN packet through Gateway B on the LAN to the WAN.

Step 3. The reply from the WAN goes directly to the computer on the LAN without going through the HomeSafe.

As a result, the HomeSaferesets the connection, as the connection has not been acknowledged.

Diagram K-2 “Triangle Route” Problem

The “Triangle Route” Solutions

This section presents you two solutions to the “triangle route” problem.

IP Aliasing

IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your HomeSafesupports up to three logical LAN interfaces with the HomeSafebeing the gateway for each logical network. By putting your LAN and Gateway B in different subnets, all returning network traffic must pass through the HomeSafeto your LAN. The following steps describe such a scenario.

Triangle Route

K-1

Image 351

ZyXEL Communications HS100/HS100W Appendix K Triangle Route, Ideal Setup, Triangle Route Problem, Triangle Route Solutions

Contents

Version 10/2005 HS-100 / HS-100W Copyright 2004 by ZyXEL Communications Corporation DisclaimerTrademarks Certifications Information for Canadian Users Online Registration ZyXEL Limited Warranty Customer Support Table of Contents III 11-1 Viii 27.1 Page List of Figures Xiv List of Figures 10-1 Xvi List of Figures Xvii Xviii List of Figures List of Tables List of Tables 20-3 Xxii List of Tables Related Documentation User’s Guide Feedback¾ ZyXEL Glossary and Web Site Syntax Conventions Graphics Icons KeyDslam HomeSafe User’s Guide Preface Xxv Part Page Getting to Know Your HomeSafe HomeSafe FeaturesPhysical Features Non-Physical Features Firewall Content FilteringBrute-Force Password Guessing Protection 802.11b Wireless LAN Standard HS-100W only PPPoE Packet FilteringUniversal Plug and Play UPnP Call Scheduling Traffic Redirect Dhcp Dynamic Host Configuration ProtocolUpgrade HomeSafe Firmware via LAN Network Address Translation NAT HomeSafe Parental Control Gateway Secure Broadband Internet Access via Cable or DSL ModemWireless Association List HS-100W only Applications for the HomeSafe Wireless LAN Application Example Wireless LAN Application Introducing the Web Configurator Web Configurator OverviewAccessing the HomeSafe Web Configurator Following table describes the fields in this screen System Administrator Password SetupWlan Setup Set up your wireless LAN using the second wizard screen Wlan Setup Basic Security Access screenEssid Ascii Wlan Setup Extended SecurityFollowing table describes the labels in this screen WEP Refer to the chapter on wireless LAN for more information Internet Configuration Setup Internet Access Setup Internet Configuration Setup ISP Parameters Dhcp Internet Access Static IP Address Setup Parental Control Wizard Internet Configuration Setup Complete Wizard Parental Control Wizard Parental Control Time Setup Parental Control Create or Edit a Profile 10 Wizard Parental Control Time Setup 11 Wizard Create or Edit a Profile Parental Control Profile Information 12 Wizard Parental Control Profile Information Parental Control User Group 13 Wizard Parental Control User Group Administrator can decide each group’sAccess rights Parental Control Time Allowance Parental Control Application Blocking Parental Control Account Summary 15 Wizard Parental Control Application BlockingAllowance screen 16 Wizard Parental Control Summary Parental Control Register for Content Filter Checking Content Filtering Activation Content Filtering with an External Server Content Filter Service Activation If you click Register Later you will proceed to FigureFollowing screen appears after you click Activate in Figure Content Filter Setup Complete Accessing the Internet via the HomeSafe Gateway 25 Password Screen Navigation Panel Resetting the HomeSafeProcedure To Use The Reset Button HomeSafe Main Menu Link TAB Function 17 Screens Summary FTP MaintenanceFirewall Remote Mgmt TelnetPage Domain Name Connection Wizard General Setup and System NameChapter Connection Wizard Connection Wizard Overview Connection Wizard Screen Connection Wizard General Setup Connection Wizard Wireless LAN Setup Basic Security Ethernet Connection Wizard Wireless LAN Setup Extend Security Connection Wizard Ethernet Encapsulation PPPoE Encapsulation Connection Wizard PPPoE Encapsulation Connection Wizard Pptp Encapsulation Pptp Encapsulation Private IP Address Ranges WAN IP Address Assignment IP Address and Subnet Mask DNS Server Address AssignmentWAN MAC Address ISP Connection Wizard WAN Setup Connection Wizard Finish Basic Setup Complete 10 Connection Wizard Problems HomeSafe User’s Guide Connection Wizard System, LAN, Wlan and WAN Click System to open the General screen Configuring General SetupChapter System Screens System Overview Configuring Dynamic DNS Dynamic DNSDynDNS Wildcard System Ddns Configuring Time Setting Configuring Password System Time Setting Daylight Savings Dhcp Setup Chapter LAN ScreensLAN Overview Multicast Any IP Any IP Example Application How Any IP Works Click LAN to open the IP screen Configuring IP LAN TCP/IP LAN Static Dhcp Configuring Static Dhcp LAN IP Alias Configuring IP Alias LAN IP Alias 2 BSS Wireless Configuration and RoamingWireless LAN Overview Ibss 3 ESS Basic Service set 1 RTS/CTS Wireless LAN Basics Fragmentation Threshold Configuring Wireless RTS/CTS Configuring Roaming Roaming Example Requirements for Roaming Wireless stations must have the same Essid to All APs on the same subnetAllow roaming Page Wireless Security Overview Chapter Wireless Security WPA WPA-PSK WEP Overview AuthenticationWireless Security Relational Matrix Security Parameters Summary Preamble Type WEP Authentication Steps Encryption field Configuring WEP Encryption User Authentication Introduction to WPAEncryption WPA-PSK application looks as follows WPA-PSK Application Example Timer on the Radius server has priority Configuring WPA-PSK AuthenticationIf wireless station authentication is done Using a Radius server, the reauthentication WPA with Radius Application Example Wireless Client WPA Supplicants WPA with Radius Application Example Configuring WPA Authentication 802.1x Overview Wlan Wireless WPA Configuring 802.1x and Dynamic WEP Key Exchange Dynamic WEP Key ExchangeEAP-MD5 cannot be used with Dynamic WEP Key Exchange Configuring 802.1x and Static WEP Key Exchange Wlan Wireless 802.1x and Static WEP 10 Wlan Wireless 802.1x and Static WEP Wlan Wireless 802.1x and Static WEP Reset Configuring MAC Filter Following table describes the labels in this menu Wlan MAC Address FilterMAC Active Select this option to activate the user profile Configuring Local User DatabaseIntroduction to Local User Database 10 Wlan Local User Database Introduction to Radius EAP Authentication Overview Configuring Radius 11 Wlan Radius 15 Wlan Radius HomeSafe User’s Guide Page TCP/IP Priority Metric Configuring RouteChapter WAN Screens WAN Overview Configuring WAN ISP Ethernet EncapsulationScreen shown next is for Ethernet encapsulation PPPoE Encapsulation WAN ISP PPPoE Encapsulation WAN ISP Pptp Encapsulation WAN IP Address Assignment Configuring WAN IP Choose Both, None, In Only or Out Only WAN IPSelected Use Fixed IP Address Server Configuring WAN MAC Choose RIP-1 , RIP-2B or RIP-2MRIP-1 Traffic Redirect Traffic Redirect WAN Setup WAN Traffic Redirect Configuring Traffic Redirect WAN Traffic Redirect SUA/NAT and Static Route Page What NAT Does Chapter Network Address Translation NAT ScreensNAT Overview NAT Definitions NAT Application How NAT Works Following table summarizes these types NAT Mapping Types NAT Mapping Types Using NATSUA Server SUA Single User Account Versus NAT Services Port Number Port Forwarding Services and Port NumbersDefault Server IP Address Services and Port Numbers Configuring Servers Behind SUA Example Configuring SUA Server SUA/NAT Setup Configuring Address Mapping One-to-One and Server mapping types Address Mapping Configuring Address Mapping Trigger Port ForwardingMany-to-One and Server mapping types Following is an example of trigger port forwarding Configuring Trigger Port ForwardingTrigger Port Forwarding Example Two Points To Remember About Trigger Ports Only one LAN computer can use a trigger port range at a time Page Click Static Route to open the screen as shown next Configuring IP Static RouteChapter Static Route Screens Static Route Overview Static Route Edit Configuring Route Entry NAT Screens 10-3 UPnP, Parental Control and Firewall UPnP and ZyXEL How Do I Know If Im Using UPnP?Chapter UPnP Universal Plug and Play Overview Configuring UPnP Installing UPnP in Windows ExampleClick UPnP to display the screen shown next Follow the steps below to install UPnP in Windows XP Installing UPnP in Windows MeInstalling UPnP in Windows XP Follow the steps below to install UPnP in Windows Me Auto-discover Your UPnP-enabled Network Device Using UPnP in Windows XP Example Internet Connection Properties Connections Select My Network Places under Other Places Web Configurator Easy Access UPnP 11-7 Page Parental Control Overview Parental Control LoginsInitial Configuration Chapter Parental Control Parental Control Application Parental Administrator log HomeSafe Parental Control Wireless Gateway Application Configuring Parental Control Parental Control Web page. It may take up to another ten minutes For content filtering to be activated. See CheckingContent filtering activation Web site displays a registration successful Content Filtering with an External Server Reset Click Reset to start configuring this screen againParental Control Group Edit Filter Parental Control Group Edit Configuration Parental Control Filter Parental Control 12-9 12-10 Parental Control Parental Control 12-11 HomeSafe checks How to set how much of the URLSee the Customizing Keyword Blocking URL Checking section for Parental Control Edit Customizing Keyword Blocking URL Checking Service Description Services REALAUDIOTCP7070 RLOGINTCP513PPTPTUNNELGRE0 RCMDTCP512 Parental Control Edit Check box Access, you should select the unrestrictedUser access will be denied after the End If you want to allow twenty-four hour Weekdays or Weekend boxes Parental Control Bypass List Parental Control 12-19 Page Chapter Firewall IntroductionGuidelines For Enhancing Security With Your Firewall Firewall Settings Firewall Settings Screen Log All log all LAN to WAN packets Firewall, NAT and Remote ManagementLAN-to-WAN rules No Log WAN-to-LAN rules Services Firewall Service Click Clear All to empty the Blocked Service Remote Management Page Remote Management Limitations Only LAN only Neither DisableChapter Remote Management Screens Remote Management Overview Configuring WWW System TimeoutRemote Management and NAT Telnet Configuration on a TCP/IP Network Configuring Telnet Remote Management Telnet Configuring FTP Remote Management FTP Snmp Snmp Management Model Snmp is only available if TCP/IP is configured Snmp Traps Configuring SnmpSupported MIBs Snmp Traps Remote Management Snmp Remote Management DNS Configuring DNS Icmp Configuring Security Remote Management Screens 14-11 Page HomeSafe User’s Guide VPN Screens 14-1 Logs and Maintenance View Log Chapter Centralized Logs Settings, see section Log Settings Log Settings Hourly When Log is FullDaily Weekly Chapter Maintenance Maintenance OverviewStatus Screen System Statistics Maintenance System Statistics Dhcp Table Screen Maintenance Dhcp Table Association List Any IP Table 16.6 F/W Upload Screen Maintenance Firmware Upload Upload Warning Configuration Screen Backup Configuration Restore ConfigurationMaintenance Restore Configuration 11 Configuration Restore Successful Back to Factory Defaults Restart Screen 14 Factory Defaults SMT General Configuration Page SMT Introduction Chapter Introducing the SMT Enter Main Menu CommandsNavigating the SMT Interface Operation Keystroke Description Menu Title Description System Management Terminal Interface SummaryMain Menu Summary ? or ChangeMe Menu 23 System Password Changing the System Password Field Description Example Chapter Menu 1 General SetupGeneral Setup Procedure To Configure Menu Select Yes to configure Menu 1.1 Configure Dynamic DNS Procedure to Configure Dynamic DNS Yes DynamicDNSUser Specified IP Address field From the main menu, enter 2 to open menu Chapter Menu 2 WAN SetupWAN Setup Introduction to WANPage 20.3 TCP/IP Ethernet Setup and Dhcp Chapter Menu 3 LAN SetupLAN Setup Protocol Dependent Ethernet Setup Menu 3.2 Dhcp Ethernet Setup Fields Menu 3.2 TCP/IP and Dhcp Ethernet Setup RIP-1,RIP-2B or RIP-2M Menu 3.2 LAN TCP/IP Setup FieldsBoth RIP-1 Physical Network & Partitioned Logical Networks IP Alias Setup Wireless LAN Setup Both, In Only, Out Only or NoneField Description Example Essid Auto DisableCH06 2437MHz RTS Mixed Configuring MAC Address Filter Menu 3.5.1 Wlan MAC Address Filter Configuring Roaming on the HomeSafe Menu 3.5.2 Roaming Configuration 10 Menu 3.5.2 Roaming ConfigurationPage Ethernet Encapsulation Chapter Internet AccessIntroduction to Internet Access Setup Menu 4 Internet Access Setup Ethernet Configuring the Pptp Client New Fields in Menu 4 PPPoE screen Configuring the PPPoE ClientDefault New Fields in Menu 4 Pptp Screen 21-4 Internet Access Chapter Remote Node Configuration Introduction to Remote Node SetupRemote Node Profile Setup Layer Options EthernetAlias Press Enter to go to Menu 11.3 Remote Node Network Nailed-Up Connection Outgoing Authentication Protocol CHAP/PAP Fields in Menu 11.1 PPPoE Encapsulation Specific Dynamic Edit IPMenu 11.1 Remote Node Profile for Pptp Encapsulation Remote Node Network Layer Options RIP-1/RIP-2B/RIP-2M or None Remote Node FilterSUA Only Many-to-One and Server Menu 11.5 Remote Node Filter Ethernet Encapsulation Traffic Redirect Setup 22-8 Remote Node Configuration IP Static Route Setup Chapter Static Route Setup 23-2 Static Route Setup Dial-in User Setup Chapter Dial-in User SetupPage Applying NAT Menu 4 Applying NAT for Internet Access NAT NAT SetupFull Feature Applying NAT in Menus 4 Menu 15.1.255 is read-only SUA Address Mapping Rules Address Mapping SetsSUA Address Mapping Set Following table explains the fields in this menu Ordering Your Rules User-Defined Address Mapping Sets Select Rule item Menu 15.1.1 First SetField Desription Example Edit Configuring a Server behind NAT Follow these steps to configure a server behind NATOne-to-One,Many-to-One and Server types Example 1 Internet Access Only Following are some examples of NAT configurationGeneral NAT Examples Example 2 Internet Access with an Inside Server Example 3 Multiple Public IP Addresses With Inside ServersDynamic Inside Global Address is assigned by the ISP Then enter 15 from the main menu Enter 1 to configure the Address Mapping SetsFollowing figures show how to configure the first rule Address Translation field in menu 4 or menu 11.3 Enter 2 in Menu 15 NAT Setup Example 3 Menu Example 4 NAT Unfriendly Application Programs 20 Example 4 Menu 15.1.1 Address Mapping Rules Menu 15.3 Trigger Port Setup Page Enabling the Firewall Access MethodsChapter Enabling the Firewall Remote Management and the Firewall SMT Advanced Management Chapter Filter Configuration Introduction to FiltersFilter Structure of the HomeSafe Execute Abbreviations Used in the Filter Rules Summary Menu Configuring a Filter Set Abbreviation Description Configuring a Filter RuleConfiguring a TCP/IP Filter Rule Rule Abbreviations Used Equal TCP/IP Filter RuleField Description Options Less Following figure illustrates the logic flow of an IP filter Executing an IP Filter Configuring a Generic Filter Rule Generic Filter Rule Menu Fields HomeSafe User’s Guide Generic Filter Rule Menu Fields Example Filter 10 Example Filter Menu Filter Types and NAT Applying Remote Node Filters Firewall Versus FiltersApplying a Filter Applying LAN Filters 14 Filtering Remote Node Traffic Page About Snmp Chapter Snmp Configuration Snmp Configuration Following table describes the Snmp configuration parametersSupported MIBs Snmp Traps Ports and Permanent Virtual CircuitsPort PVC Permanent Virtual Circuit Page System Security System PasswordConfiguring External Radius Server Chapter System Security Enter 4 to display Menu 23.4 System Security IEEE802.1x 29.1.3 Menu 23.4 System Security IEEE802.1x No Access Allowed Management Protocol is selected PSKGroup Data Privacy field Mode System Status System Information and Diagnosis System Maintenance Status Menu Fields Menu 24.1 System Maintenance Status To get to the System Information Menu 1 General SetupSystem Information System Information Syslog Logging Menu 24.3.2 System Maintenance Syslog and AccountingLog and Trace Console Port Speed System Information and Diagnosis 30-5 Call-Triggering Packet Diagnostic WAN Dhcp System Maintenance Menu Diagnostic 30-8 System Information and Diagnosis File Type Internal Name External Name Description Chapter Firmware and Configuration File MaintenanceFilename Conventions Filename Conventions Follow the instructions as shown in the next screen Backup ConfigurationUsing the FTP Command from the Command Line Example of FTP Commands from the Command Line GUI-based FTP Clients Backup Configuration Using TftpGeneral Commands for GUI-based FTP Clients Command Description Following is an example Tftp command Restore ConfigurationTftp Command Example Restore Using FTP Restore Using FTP Session Example Uploading Firmware and Configuration Files Configuration File Upload You see the following screen when you telnet into menuFirmware File Upload FTP File Upload Command from the DOS Prompt Example FTP Session Example of Firmware File UploadTftp File Upload Tftp Upload Command Example Command Usage Chapter System MaintenanceCommand Interpreter Mode Command Syntax Budget Management Call Control Support Call History Fields Call History Time and Date Setting Time and Date Setting FieldsNTP RFC-1305 the default, is similar to Time RFC-868 Daylight Saving field Resetting the TimePage Remote Management Chapter Remote Management LAN Only Introduction to Call Scheduling Chapter Call Scheduling Once Menu 26.1 Schedule Set Setup Applying Schedule Sets to a Remote Node PPPoE Appendices and Index Page Troubleshooting Problem Corrective ActionAppendix a Control Group Edit screen Traditional Dial-up Scenario Appendix B PPPoEPPPoE in Action Benefits of PPPoE HomeSafeas a PPPoE Client Diagram B-2 The HomeSafeas a PPPoE Client Pptp and the HomeSafe What is PPTP?Diagram C-1 Transport PPP frames over Ethernet Appendix C Control & PPP connections Diagram C-2 Pptp Protocol OverviewDiagram C-3 Example Message Exchange between PC and an ANT Pptp Protocol Overview Pptp Page LOG Message Description Chart 1 System Error LogsChart 2 System Maintenance Logs Appendix D Log Descriptions Chart 3 UPnP Logs Chart 4 Content Filtering LogsID content Type Code Description Chart 5 Icmp Type and Code Explanations Configuring What You Want the HomeSafe to Log Log Commands Displaying Logs Page Appendix E Setting up Your Computer’s IP Address Windows 95/98/MeIf you need TCP/IP If you need Client for Microsoft Networks Checking/Modifying Your Computer’s IP Address Windows 2000/NT/XP Click Advanced to go to the Advanced TCP/IP HomeSafe User’s Guide Turn on your HomeSafeand restart your computer if prompted Macintosh OS 8/9 Select Ethernet built-in from the Connect via listClose the TCP/IP Control Panel Macintosh OS Check your TCP/IP properties in the Network windowSelect Built-in Ethernet from the Show list Page Ieee Appendix F Wireless LAN and IeeeBenefits of a Wireless LAN Ad-hoc Wireless LAN Configuration Diagram F-1 Peer-to-Peer Communication in an Ad-hoc Network Infrastructure Wireless LAN Configuration Diagram F-2 ESS Provides Campus-Wide Coverage Page Advantages of the Ieee Appendix G Wireless LAN With IeeeDeployment Issues with Ieee Security Flaws with Ieee Diagram G-1 Sequences for EAP MD5-Challenge Authentication EAP-TLS Transport Layer Security Appendix H Types of EAP AuthenticationEAP-TTLS Tunneled Transport Layer Service EAP-MD5 Message-Digest Algorithm Dynamic Key Difficulty Wireless SecurityCertificate Client Certificate Server Antenna Characteristics Appendix Antenna Selection and Positioning RecommendationTypes of Antennas For Wlan Positioning Antennas Appendix J Brute-Force Password Guessing Protection Chart 6 Brute-Force Password Guessing Protection CommandsExample Page Appendix K Triangle Route Ideal SetupTriangle Route Problem Triangle Route Solutions Gateways on the WAN Side How To Configure Triangle RouteDiagram K-3 IP Alias Diagram K-4 Gateways on the WAN Side BSS Appendix L Index Ibss See NAT See Ttls Wlan