Version
May
Copyright
Federal Communications Commission (FCC) Interference Statement
ZyXEL Limited Warranty
Customer Support
Table of Contents
Chapter 8 WAN Screens
Chapter 9 Single User Account (SUA) / Network Address Translation (NAT)
FIREWALL AND REMOTE MANAGEMENT
Chapter 12 Firewall Screens
Chapter 14 UPnP Screen
Chapter 15 Logs Screens
Chapter 16 Maintenance
Chapter 17 Introducing the SMT
Chapter 18 General and WAN Setup
Chapter 20 Internet Access
Chapter 21 Remote Node Configuration
Chapter 25 SNMP Configuration
Chapter 26 System Security
FTP
Web
APPENDICES
Appendix B Brute-Force Password Guessing Protection
List of Figures
List of Tables
Preface
Control Panels
Modem
User Guide Feedback
Part I:
OVERVIEW
1.1 Introducing the ZyAIR Wireless Gateway Series
1.2 ZyAIR Features
4-Port Switch
10/100M Auto-negotiating Ethernet/Fast Ethernet Interface
10/100M Auto-crossover Ethernet/Fast Ethernet Interface
10/100 Mbps Ethernet WAN
Reset Button
ZyAIR LED
802.11b Wireless LAN Standard
Output Power Management
Limit the number of Client Connections
SSL Passthrough
Wi-Fi Protected Access
Firewall
IEEE 802.1x Network Security
Wireless LAN MAC Address Filtering
Universal Plug and Play (UPnP)
PPTP Encapsulation
Network Address Translation (NAT)
NAT for Single-IP-address Internet Access
DHCP (Dynamic Host Configuration Protocol)
Multicast
SNMP
Full Network Management
Logging and Tracing
Diagnostics Capabilities
Embedded FTP and TFTP Servers
1.3 Application for the ZyAIR
1.3.1 Internet Access Application
2.1 Web Configurator Overview
2.2 Accessing the ZyAIR Web Configurator
2.3 Resetting the ZyAIR
2.3.1 Procedure to Use the Reset Button
2.3.2 Uploading a Configuration File via Console Port
2.4 Navigating the ZyAIR Web Configurator
3.1 Wizard Setup Overview
3.1.1 Channel
3.1.2 ESS ID
3.1.3 WEP Encryption
3.2 Wizard Setup: General Setup
3.3 Wizard Setup: Wireless LAN Setup
Figure 3-2 Wizard 2: Wireless LAN Setup
Table 3-2 Wizard 2: Wireless LAN Setup
3.4 Wizard Setup: ISP Parameters
3.4.1 Ethernet
Figure 3-3 Wizard 3: Ethernet Encapsulation
Table 3-3 Wizard 3: Ethernet Encapsulation
3.4.2 PPTP Encapsulation
Figure 3-4 Wizard 3: PPTP Encapsulation
Table 3-4 Wizard 3: PPTP Encapsulation
3.4.3 PPPoE Encapsulation
Figure 3-5 Wizard 3: PPPoE Encapsulation
Table 3-5 Wizard 3: PPPoE Encapsulation
3.5 Wizard Setup: WAN and DNS
3.5.1 WAN IP Address Assignment
3.5.2 IP Address and Subnet Mask
3.5.3 DNS Server Address Assignment
3.5.4 WAN MAC Address
Figure 3-6 Wizard 4: WAN and DNS
Table 3-8 Wizard 4: WAN and DNS
3.6 Basic Setup Complete
Figure 3-7 Setup Complete
Part II:
SYSTEM, LAN AND WIRELESS
4.1 System Overview
4.2 Configuring General Setup
4.3 Dynamic DNS
4.3.1 DYNDNS Wildcard
4.4 Configuring Dynamic DNS
Figure 4-2 DDNS
Table 4-2 DDNS
4.5 Configuring Password
4.6 Configuring Time Setting
Figure 4-4 Time Setting
Table 4-4 Time Setting
5.1 LAN Overview
5.2 LANs and WANs
5.2.1 LANs, WANs and the ZyAIR
5.3 DHCP Setup
5.4 Factory LAN Defaults
5.5 RIP Setup
5.6 Multicast
5.7 Configuring the LAN IP Screens
Figure 5-2 IP
Table 5-1 IP
the
screen
6.1 Wireless LAN Overview
6.1.1 IBSS
6.1.2 BSS
6.1.3 ESS
6.2 Wireless LAN Basics
6.2.1 RTS/CTS
6.2.2 Fragmentation Threshold
6.3 Configuring Wireless
Figure 6-5 Wireless
Table 6-1 Wireless
If you are configuring the ZyAIR from a computer connected to
the wireless LAN and you change the ZyAIR’s ESSID or WEP
settings, you will lose your wireless connection when you press
Apply to confirm. You must then change the wireless settings of
6.4 Configuring Roaming
6.4.1 Requirements for Roaming
Table 6-2 Roaming
All APs on the same subnet and the wireless stations must have
7.1 Wireless Security Overview
7.2 WEP Overview
7.2.1 Data Encryption
7.2.2 Authentication
7.3 Configuring WEP Encryption
Figure 7-3 Wireless
Table 7-1 Wireless : WEP Fields
7.4 MAC Filter
Figure 7-4 MAC Address Filter
7.5 802.1x Overview
7.6 Dynamic WEP Key Exchange
7.7 Introduction to WPA
7.7.1 User Authentication
7.7.2 Encryption
7.8 WPA-PSK Application Example
7.9 WPA with RADIUS Application Example
7.10 Security Parameters Summary
7.11 Wireless Client WPA Supplicants
7.12 Configuring 802.1x and WPA
7.12.1 Authentication Required:
Figure 7-8 Wireless LAN: 802.1x/WPA for 802.1x Protocol
Table 7-5 Wireless LAN: 802.1x/WPA for 802.1x Protocol
If wireless station authentication is done using a RADIUS
server, the reauthentication timer on the RADIUS server has
7.12.2 Authentication Required: WPA
Figure 7-9 Wireless LAN: 802.1x/WPA for WPA Protocol
The following table describes the labels not previously discussed
Table 7-6 Wireless LAN: 802.1x/WPA for WPA Protocol
7.12.3 Authentication Required: WPA-PSK
7.13 Introduction to Local User Database
7.14 Configuring Local User Database
Figure 7-11 Local User Database
7.15 Introduction to RADIUS
• Authentication
• Accounting
Types of RADIUS Messages
• Access-Request
7.15.1 EAP Authentication Overview
7.16 Configuring RADIUS
Table 7-9 RADIUS
Part III:
WAN
8.1 WAN Overview
8.2 Configuring WAN ISP
8.2.1 Ethernet Encapsulation
Service Type
8.2.2 PPPoE Encapsulation
Figure 8-3 PPPoE Encapsulation
Table 8-3 PPPoE Encapsulation
8.2.3 PPTP Encapsulation
Figure 8-4 PPTP Encapsulation
Table 8-4 PPTP Encapsulation
8.3 TCP/IP Priority (Metric)
8.4 Configuring WAN IP
8.5 Configuring WAN MAC
Part IV:
SUA/NAT AND STATIC ROUTE
ZyAIR
9.1 NAT Overview
9.1.1 NAT Definitions
9.1.2 What NAT Does
9.1.3 How NAT Works
9.1.4 NAT Application
9.1.5 NAT Mapping Types
9.1.6 SUA (Single User Account) Versus NAT
9.2 SUA Server
Default Server IP Address
9.2.1 Port Forwarding: Services and Port Numbers
9.2.2 Configuring Servers Behind SUA (Example)
9.3 Configuring SUA Server
Figure 9-4 SUA/NAT Setup
Table 9-4 SUA/NAT Setup
9.4 Configuring Address Mapping
Figure 9-5 Address Mapping
Table 9-5 Address Mapping
9.4.1 Configuring Address Mapping Rule
10.1 Static Route Overview
10.2 Configuring IP Static Route
Figure 10-2 IP Static Route Summary
Table 10-1 IP Static Route Summary
10.2.1 Configuring Route Entry
Part V:
FIREWALL AND REMOTE MANAGEMENT
11.1 Firewall Overview
11.2 Types of Firewalls
11.2.1 Packet Filtering Firewalls
11.2.2 Application-level Firewalls
11.2.3 Stateful Inspection Firewalls
11.3 Introduction to ZyXEL’s Firewall
11.4 Denial of Service
11.4.1 Basics
11.4.2 Types of DoS Attacks
SYN Attack
Figure 11-3 SYN Flood
LAND Attack
brute-force
Figure 11-4 Smurf Attack
Table 11-2 ICMP Commands That Trigger Alerts
Table 11-3 Legal NetBIOS Commands
11.5 Stateful Inspection
Figure 11-5 Stateful Inspection
12.1 Access Methods
12.2 Firewall Policies Overview
12.3 Rule Logic Overview
12.3.1 Rule Checklist
12.3.2 Security Ramifications
12.3.3 Key Fields For Configuring Rules
12.4 Guidelines For Enhancing Security With Your Firewall
12.5 Connection Direction Examples
12.5.1 LAN to WAN Rules
12.5.2 WAN to LAN Rules
12.6 Enabling Firewall
Figure 12-3 Firewall Settings
Table 12-1 Firewall Settings
12.6.1 Configuring Content Filtering
Table 12-2 Firewall Filter
12.6.2 Configuring Firewall Services
Table 12-3 Creating/Editing A Firewall Rule
12.6.3 Predefined Services
13.1 Remote Management Overview
13.1.1 Remote Management Limitations
13.1.2 Remote Management and NAT
13.1.3 System Timeout
13.2 Telnet
13.3 Configuring TELNET
13.4 Configuring FTP
13.5 Configuring WWW
13.6 Configuring SNMP
Figure 13-5 SNMP Management Model
13.6.1 Supported MIBs
13.6.2 SNMP Traps
13.6.3 REMOTE MANAGEMENT: SNMP
13.7 Configuring DNS
13.8 Configuring Security
Figure 13-8 Security
Table 13-8 Security
Part VI:
UPNP AND LOGS
14.1 Universal Plug and Play Overview
14.1.1 How Do I Know If I'm Using UPnP
14.1.2 NAT Traversal
14.1.3 Cautions with UPnP
14.2 UPnP and ZyXEL
14.3 Configuring UPnP
Figure 14-1 Configuring UPnP
Table 14-1 Configuring UPnP
14.4 Installing UPnP in Windows Example
14.4.1 Installing UPnP in Windows Me
14.4.2 Installing UPnP in Windows XP
Click
14.5 Using UPnP in Windows XP Example
14.5.1 Auto-discover Your UPnP-enabled Network Device
Step 3. In the Internet Connection Properties
Add
14.5.2 Web Configurator Easy Access
Control
Panel
Connections
Step 3. Select My Network Places under
Other Places
15.1 Using the View Log Screen
Figure 15-1 View Log
Table 15-1 View Log
15.2 Configuring Log Settings
Figure 15-2 Log Settings
Table 15-2 Log Settings
15.3 Configuring Reports
15.3.1 Viewing Protocol/Port
Figure 15-4 Protocol/Port Report
Table 15-4 Protocol/Port Report
15.3.2 Viewing LAN IP Address
15.3.3 Reports Specifications
Part VII:
MAINTENANCE
16.1 Maintenance Overview
16.2 System Status Screen
16.2.1 System Statistics
Figure 16-2 Status: Show Statistics
Table 16-2 Status: Show Statistics
16.3 DHCP Table Screen
16.4 Association List
16.5 Channel Usage
Table 16-5 Channel Usage (ZyAIR B-2000)
Figure 16-6 Channel Usage
Table 16-6 Channel Usage
16.6 F/W Upload Screen
Table 16-7 Firmware Upload
Do not turn off the device while firmware upload is in progress
Firmware Upload in Process
Figure 16-8 Firmware Upload In Process
Figure 16-9 Network Temporarily Disconnected
16.7 Configuration Screen
16.7.1 Backup Configuration
16.7.2 Restore Configuration
16.7.3 Back to Factory Defaults
16.8 Restart Screen
Part VIII:
SMT GETTING STARTED MENUS
17.1 Connect to your ZyAIR Using Telnet
17.2 Connect to Your ZyAIR Using the Console Port
17.2.1 Initial Screen
17.2.2 Entering Password
17.3 Changing the System Password
17.4 ZyAIR SMT Menu Overview Example
Figure 17-4 ZyAIR B-2000v.2 SMT Menu Overview Example
17.5 Navigating the SMT Interface
17.5.1 System Management Terminal Interface Summary
18.1 General Setup
18.1.1 Dynamic DNS
18.1.2 Procedure To Configure Menu
Figure 18-1 Menu 1 General Setup
Table 18-1 Menu 1 General Setup
18.1.3 Procedure to Configure Dynamic DNS
18.2 WAN Setup
19.1 LAN Setup
19.1.1 General Ethernet Port Filter Setup
19.2 TCP/IP Ethernet and DHCP Setup
Table 19-1 Menu 3.2 DHCP Ethernet Setup
Table 19-2 Menu 3.2 TCP/IP Ethernet Setup
SPACE BAR
19.3 IP Alias
19.3.1 IP Alias Setup
19.4 Wireless LAN Setup
Figure 19-8 Menu 3.5 Wireless LAN Setup
Table 19-4 Menu 3.5 Wireless LAN Setup
19.4.1 Configuring MAC Address Filter
Figure 19-10 Menu 3.5.1 WLAN MAC Address Filter
Table 19-5 Menu 3.5.1 WLAN MAC Address Filter
19.4.2 Configuring Roaming on the ZyAIR
Table 19-6 Menu 3.5.2 Roaming Configuration
20.1 Internet Access Configuration
20.2 Internet Access Setup
Refer to the System Security chapter for the wireless LAN security setup
Part IX:
SMT ADVANCED APPLICATION MENUS
21.1 Remote Node Profile
21.1.1 Encapsulation Scenarios
Figure 21-1 Menu 11.1 Remote Node Profile
Menu 11.1 – Remote Node Profile
Table 21-1 Menu 11.1 Remote Node Profile
21.1.2 Outgoing Authentication Protocol
21.1.3 Remote Node Setup
Edit IP
Remote Node Network Layer Options
Figure 21-2 Menu 11.3 Remote Node Network Layer Options
The next table explains the fields in this menu
Table 21-2 Menu 11.3 Remote Node Network Layer Options
21.2 Remote Node Filter
21.2.1 IP Static Route Setup
Configuration
Static Route Setup
Figure 21-5 Menu 12.1 IP Static Route Setup
Step 2. Now, type the route number of a static route you want to configure
Figure 21-6 Menu 12.1 Edit IP Static Route
22.1 Dial-in User Setup
Table 22-1 Menu 14.1 - Edit Dial-in User
23.1 Introduction
23.1.1 Applying NAT
23.2 NAT Setup
23.2.1 Address Mapping Sets
Figure 23-5 Menu 15.1.255 SUA Address Mapping Rules
The following table explains the fields in this menu
Table 23-2 Menu 15.1.255 SUA Address Mapping Rules
User-Defined Address Mapping Sets
Select Rule
Set Name
Figure 23-6 Menu 15.1.1 Address Mapping Rules
The table below describes the fields for configuration in this menu
23.2.2 Configuring Individual Rule
23.3 Port Forwarding Setup - NAT Server Sets
23.3.1 Configuring a Server behind NAT
23.4 General NAT Examples
23.4.1 Example 1: Internet Access Only
Figure 23-9 NAT Example
Figure 23-10 Menu 4 Internet Access Setup
Network Address Translation
23.4.2 Example 2: Internet Access with an Inside Server
23.4.3 Example 3: Multiple Public IP Addresses With Inside Servers
1 :
Many :
Server
Figure 23-13 NAT Example
Menu 15.1 - Address Mapping Sets
Figure 23-14 Menu 11.3 Remote Node Network Layer Options
Edit Action
Start IP
Figure 23-15 Menu 15.1.1.1 Address Mapping Rule
Step 7. When finished, menu 15.1.1 should look as shown next
Figure 23-16 Menu 15.1.1 Address Mapping Rules
Menu 15.2 – Port Forwarding Setup
Example 3: Menu 15.2 Port Forwarding Setup
23.4.4 Example 4: NAT Unfriendly Application Programs
23.5 Trigger Port Setup
Two Points To Remember About Trigger Ports
Menu 15.3 — Trigger Port Setup
Figure 23-21 Menu 15.3 Trigger Port Setup
Table 23-6 Menu 15.3 Trigger Port Setup
Part X:
SMT ADVANCED MANAGEMENT MENUS
24.1 About Filtering
Execute
Figure 24-2 Filter Rule Process
24.2 Configuring a Filter Set
Figure 24-4 NetBIOS_WAN Filter Rules Summary
Figure 24-5 NetBIOS_LAN Filter Rules Summary
Figure 24-6 TEL_FTP_WEB_WAN Filter Rules Summary
24.2.1 Filter Rules Summary Menus
24.3 Configuring a Filter Rule
24.3.1 TCP/IP Filter Rule
Figure 24-7 Menu 21.1.1 TCP/IP Filter Rule
The following table describes how to configure your TCP/IP filter rule
Table 24-3 Menu 21.1.1 TCP/IP Filter Rule
The following figure illustrates the logic flow of an IP filter
Figure 24-8 Executing an IP Filter
24.3.2 Generic Filter Rule
24.4 Filter Types and NAT
24.5 Example Filter
TCP/IP Filter Rule
Figure 24-12 Sample Filter - Menu
24.6 Applying Filters and Factory Defaults
24.6.1 Ethernet Traffic
24.6.2 Remote Node Filters
24.7 Firewall Setup
25.1 SNMP Configuration
26.1 System Security
26.1.1 System Password
26.1.2 Configuring External RADIUS Server
Figure 26-3 Menu 23.2 System Security : RADIUS Server
Table 26-1 Menu 23.2 System Security : RADIUS Server
26.1.3 IEEE802.1x
Figure 26-5 Menu 23.4 System Security : IEEE802.1x
Table 26-2 Menu 23.4 System Security : IEEE802.1x
27.1 System Status
Figure 27-2 Menu 24.1 System Maintenance : Status
Table 27-1 Menu 24.1 System Maintenance : Status
27.2 System Information
27.2.1 System Information
27.2.2 Console Port Speed
27.3 Log and Trace
27.3.1 Viewing Error Log
27.3.2 Syslog Logging
27.3.3 Call-Triggering Packet
27.4 Diagnostic
28.1 Filename Conventions
28.2 Backup Configuration
28.2.1 Backup Configuration
28.2.2 Using the FTP Command from the Command Line
28.2.3 Example of FTP Commands from the Command Line
28.2.4 GUI-based FTP Clients
28.2.5 TFTP and FTP over WAN Management Limitations
28.2.6 Backup Configuration Using TFTP
28.2.7 TFTP Command Example
28.2.8 GUI-based TFTP Clients
28.2.9 Backup Via Console Port (only for ZyAIR B-2000)
28.3 Restore Configuration
28.3.1 Restore Using FTP
28.3.2 Restore Using FTP Session Example
28.3.3 Restore Via Console Port (only for ZyAIR B-2000)
28.4 Uploading Firmware and Configuration Files
28.4.1 Firmware File Upload
28.4.2 Configuration File Upload
28.4.3 FTP File Upload Command from the DOS Prompt Example
28.4.4 FTP Session Example of Firmware File Upload
28.4.5 TFTP File Upload
28.4.6 TFTP Upload Command Example
28.4.7 Uploading Via Console Port (only for ZyAIR B-2000)
28.4.8 Uploading Firmware File Via Console Port (only for ZyAIR B-2000)
28.4.9 Example Xmodem Firmware Upload Using HyperTerminal
28.4.11 Example Xmodem Configuration Upload Using HyperTerminal
Figure 28-19 Example Xmodem Upload
29.1 Command Interpreter Mode
29.2 Call Control Support
29.2.1 Budget Management
29.2.2 Call History
29.3 Time and Date Setting
Figure 29-6 Menu 24.10 System Maintenance : Time and Date Setting
Table 29-3 Menu 24.10 System Maintenance : Time and Date Setting
29.3.1 Resetting the Time
30.1 Telnet
30.2 FTP
30.3 Web
30.4 Remote Management
30.4.1 Remote Management Setup
30.4.2 Remote Management Limitations
30.5 Remote Management and NAT
30.6 System Timeout
31.1 Introduction
To delete a schedule set, enter the set number and press [SPACE BAR] and then
[ENTER] (or delete) in the Edit Name field
Edit Name
Menu 26.1 - Schedule Set Setup
Figure 31-2 Menu 26.1 Schedule Set Setup
Main Menu
PPPoE
PPTP
Figure 31-3 Applying Schedule Set(s) to a Remote Node (PPTP)
Part XI:
APPENDICES
Problems Starting Up the ZyAIR
Problems with the Password
Problems with the Ethernet Interface
Problems with the WAN Interface
Problems with Internet Access
Problems with Telnet
Problems with the WLAN Interface
Appendix B
Brute-Force Password Guessing Protection
Chart B-1 Brute-Force Password Guessing Protection Commands
Windows 95/98/Me
If you need the adapter:
If you need TCP/IP:
If you need Client for Microsoft Networks:
Windows 2000/NT/XP
Macintosh OS 8/9
Macintosh OS
Check your TCP/IP properties in the Network window
Benefits of a Wireless LAN
Ad-hoc Wireless LAN Configuration
Infrastructure Wireless LAN Configuration
Diagram D-2 ESS Provides Campus-Wide Coverage
Security Flaws with IEEE
Deployment Issues with IEEE
Advantages of the IEEE
Diagram E-1 Sequences for EAP MD5–Challenge Authentication
EAP-MD5 (Message-Digest Algorithm 5)
EAP-TLS (Transport Layer Security)
EAP-TTLS (Tunneled Transport Layer Service)
PEAP (Protected EAP)
Comparison of EAP Authentication Types
Antenna Characteristics
Frequency
Radiation Pattern
Antenna Gain
Types of Antennas For WLAN
Positioning Antennas
Connector Type
PPPoE in Action
Benefits of PPPoE
Traditional Dial-up Scenario
How PPPoE Works
ZyAIR as a PPPoE Client
What is PPTP
PPTP and the ZyAIR
PPTP Protocol Overview
Control & PPP connections
Call Connection
PPP Data Connection
IP Addressing
IP Classes
Subnet Masks
Subnetting
Example: Two Subnets
Example: Four Subnets
Example: Eight Subnets
Subnetting With Class A and Class B Networks
Command Syntax
Command Usage
Introduction
Display NetBIOS Filter Settings
NetBIOS Filter Configuration
Appendix M
Boot Commands
Diagram M-1 Option to Enter Debug Mode
Diagram M-2 Boot Module Commands
The Ideal Setup
The “Triangle Route” Problem
The “Triangle Route” Solutions
IP Aliasing
Gateways on the WAN Side
Appendix O
Log Descriptions
Chart O-1 System Error Logs
Chart O-2 System Maintenance Logs
Chart O-3 UPnP Logs
Chart O-4 ICMP Notes
Log Commands
Log Command Example
Appendix P
Power Adaptor Specifications
Alternative Subnet Mask Notation
Appendix Q
Index
Maximum Number of Schedule Sets
Precedence Example
DoS
Basics
Types
Frequency-Hopping Spread Spectrum
Restrictions
Management Information Base (MIB)
See NAT
Many to One
Message Digest Algorithm 5
See MD5
Remote Node Profile
Roaming
TFTP and FTP over WAN Will Not Work
When…
TFTP Restrictions
TKIP
See Temporal Key Integrity Protocol