186 | ZyXEL Communications wireless n gigbit router zyxel instruction

Chapter 13 Firewall

Table 64 Security > Firewall > Services > Adding a Rule

LABEL		DESCRIPTION
End IP Address		Enter the ending IP address in a range here. This field is only available
		when IP Range is selected as the Address Type.

IP Pool List		Add an IP address from the IP Pool List to the Selected IP List by
		highlighting an IP address and clicking Add. To delete an IP address
		from the Selected IP List highlight an IP address and click the Remove
		button. These fields are only available when IP Pool is selected as the
		Address Type.
		The IP Pool list gathers its IPs from entries in the ARP table. The ARP
		table contains the IP addresses and MAC addresses of the devices that
		have sent traffic to the NBG-460N.

Service Setup

Available		This is a list of pre-defined services (ports) you may prohibit your LAN
Services		computers from using. Select the port you want to block using the drop-
		down list and click Add to add the port to the Blocked Services field.

Blocked		This is a list of services (ports) that will be inaccessible to computers on
Services		your LAN once you enable service blocking.

Custom Port		A custom port is a service that is not available in the pre-defined
		Available Services list and you must define using the next two fields.

Type		Choose the IP port (TCP or UDP) that defines your customized port
		from the drop down list box.

Port Number		Enter the port number range that defines the service. For example, if
		you want to define the Gnutella service, then select TCP type and enter
		a port range from 6345 to 6349.

Add		Select a service from the Available Services drop-down list and then
		click Add to add a service to the Blocked Services.

Delete		Select a service from the Blocked Services list and then click Delete
		to remove this service from the list.

Clear All		Click Clear All to empty the Blocked Services.

Schedule to Block

Day to Block:		Select a check box to configure which days of the week (or everyday)
		you want service blocking to be active.

Time of Day to		Select the time of day you want service blocking to take effect.
Block (24-Hour		Configure blocking to take effect all day by selecting All Day. You can
Format)		also configure specific times by selecting From and entering the start
		time in the Start (hour) and Start (min) fields and the end time in
		the End (hour) and End (min) fields. Enter times in 24-hour format,
		for example, "3:00pm" should be entered as "15:00".

Log

Active (Log		Select this to log packets that match this rule. Go to the Log Settings
packets match		page and select the Access Control logs category to have the NBG-
this rule)		460N record these logs.

Misc setting

Bypass Triangle		Select this check box to have the NBG-460N firewall ignore the use of
Route		triangle route topology on the network.

186

NBG-460N User’s Guide

Image 186

ZyXEL Communications wireless n gigbit router zyxel manual 186, Address Type, Click Clear All to empty the Blocked Services

Contents

NBG-460N Page Related Documentation About This Users GuideIntended Audience User Guide Feedback About This Users Guide Document Conventions Syntax Conventions NBG-460N Computer Server Telephone Switch Router ModemIcons Used in Figures Dslam Safety Warnings Safety Warnings NBG-460N User’s Guide Contents Overview Contents Overview NBG-460N User’s Guide Table of Contents Chapter Connection Wizard Part II Network WAN 177 Part IV Management 235 Part V Maintenance and Troubleshooting 261 Part VI Appendices and Index Table of Contents NBG-460N User’s Guide Part Page Getting to Know Your NBG-460N OverviewApplications LAN Wireless ApplicationsRouter Mode NBG460N AP Mode 3 AP + Bridge Bridge AP + Bridge Application Bridge Application Bridge Loop Two Bridges Connected to Hub Ways to Manage the NBG-460N Features Available in Router Mode vs. AP ModeFeature Router AP Mode Bridge Router vs. AP vs. Bridge LEDs PowerGood Habits for Managing the NBG-460N Front Panel LEDs WAN Wireless LAN Off Wireless LAN is not ready or has failedThis feature Off Device is in normal power mode Wlan Getting to Know Your NBG-460N NBG-460N User’s Guide WPS Button WPS Button NBG-460N User’s Guide Introducing the Web Configurator Web Configurator OverviewAccessing the Web Configurator Change Password Screen Resetting the NBG-460N Navigating the Web ConfiguratorProcedure to Use the Reset Button Status Screen in Router Mode Status Screen Icon KeyIcon Description Label Description DhcpScheduler Is enabled and N/A when the Wlan is disabled Wlan is disabledWhen the line is disconnected Memory Usage Link TAB Function Navigation PanelScreens Summary LAN VPN NATDdns Mgmt Summary Bandwidth Management Monitor Mode As a Router or a Access Point LanguageSummary Any IP Table Logs View Log Summary Dhcp Table Summary BW Mgmt Monitor Summary Packet Statistics Host Name field Stop Click Stop to stop refreshing statistics Summary VPN MonitorIntervals field This is the security association index number Association Time Summary Wireless Station StatusThis is the index number of an associated wireless station NBG-460N’s Wlan network Introducing the Web Configurator NBG-460N User’s Guide Wizard Setup Connection Wizard Connection Wizard System Information System Name Domain Name Underscores are accepted This option is only available if WPS is not enabled Connection Wizard Wireless LANUse the same Ssid in order to access the network Ssid Basic WEP Security Wizard Basic WEP Security Ascii Extend WPA-PSK or WPA2-PSK SecurityWEP HEX Key Connection Wizard Internet ConfigurationPre-Shared Do this Connection Description Type Ethernet ConnectionPPPoE Connection Pptp ISP Parameter for Internet Access Pptp Connection ISP Parameters for Internet Access Wizard Pptp Connection Use fixed IP address Your IP AddressWAN IP Address Assignment Provided by your ISP IP Address and Subnet Mask Private IP Address Ranges10.0.0.0 172.16.0.0 192.168.0.0 DNS Server Address Assignment WAN IP and DNS Server Address Assignment WAN MAC Address WAN IP Address AssignmentChoose an IP address Connection Wizard Bandwidth management Wizard WAN MAC Address Connection Wizard Complete Wizard Bandwidth Management Connection Wizard Complete Connection Wizard NBG-460N User’s Guide How to Connect to the Internet from an AP TutorialsInternet Push Button Configuration NBG460N Example WPS Process PIN Method WPA-PSK SSIDExample3Channel Security Pre-Shared Key ThisismyWPA-PSKpre-sharedkey Configure Your Notebook Tutorial Status AP Mode Connecting a Wireless Client to a Wireless Network Using AP + Bridge Mode and WDS Link Status Configuring Your Bridge Mode Settings WPA2-PSK Pre-Shared Key ThisismyWPA2-PSKpre-sharedkey Site-To-Site VPN Tunnel Settings Setting BOB’S NBG-460N JACK’S NBG-460NSite-To-Site VPN Tunnel Tutorial Configuring Bob’s NBG-460N VPN Settings Tutorial Property Configuring Jack’s NBG-460N VPN Settings Tutorial Authentication Method Tutorial Property Tutorial Authentication Method Checking the VPN Connection Pinging Jack’s Local IP Address Configuring Bandwidth Management by Application Bandwidth Management for your Network Configuring Bandwidth Management by Custom Application Configuring Bandwidth Allocation by IP or IP Range Fields Services Real Audio Rtsp VDO Live FTP Refer to Appedix F on the Bandwidth Mgnt AP Mode Setting your NBG-460N to AP Mode Status AP Mode Status Screen This shows the LAN port’s Dhcp role Client or None Display Network Wireless LAN WPS screenSystem Setting Configuration Mode Schedules Menu AP Mode Or connected Reset the factory defaults to your NBG-460N Maintenance System GeneralSetting Logs View Log Mask or to get the LAN IP address from a Dhcp server Configuring Your Settings LAN SettingsSys OP General Wlan and Maintenance Settings Table below describes the labels in the screen Logging in to the Web Configurator in AP Mode Network Page Wireless LAN Example of a Wireless Network Wireless Security Overview What You Can DoWhat You Should Know Ssid 100 Types of Encryption for Each Type of AuthenticationNo Authentication Radius Server Weakest Stronges t General Wireless LAN Screen Printable 7-bit Ascii characters for the wireless LAN101 WPA-PSK and WPA2-PSK are available in this field No Security102 Select Static WEP , WPA-PSK , WPA , WPA2-PSK or WPA2 to add WEP Encryption 103 Select 64-bit WEP or 128-bit WEP to enable data encryption 104WEP keys and displays them in the Key fields below Correct WEP key 105AP or peer computer Hex 106 Server, the reauthentication timer on the Radius server hasSecurity Mode field Priority 4 WPA/WPA2 107 Server, the reauthentication timer on the Radius server 108Has priority MAC Filter Screen 109 110 MAC 111 Wireless LAN Advanced ScreenQuality of Service QoS Screen RTS/CTS WMM QoS Policy 112On page 123 for more information You want to apply WMM QoS Application Priority Configuration Configuration screen113 114 MailUser-Defined WPS Screen 115 116 WPS Station ScreenScheduling Screen Push Button Following times fields 117Whole day Day WDS Screen 118 Security Mode Static WEP Between the NBG-460N and any wireless clients119 120 ASCII/HEX Roaming Security Mode WPA2-PSKTechnical Reference 121 122 Roaming Example Quality of Service 123 124 WiFi Protected SetupIPod Touch Web Configurator WMM QoS Priorities Login Screen 125 System Status 126 127 WAN connection is not working 128 MBM WPS in Progress Port Forwarding129 130 Rule is turned onTurn the rule OFF Accessing the iPod Touch Web Configurator Accessing the iPod Touch Web Configurator131 132 133 LAN and WAN Configuring Your Internet Connection What You Need To Know134 Multicast 135WAN MAC Address Iptv STB Port 136 You have two STBs 137You have one STB 192.168.1.20 NetBIOS over TCP/IP Auto-Bridge138 Internet Connection Ethernet Encapsulation139 Defined changes to None after you click Apply 140Address WAN MAC 141 Setting or upload a different ROM filePPPoE Encapsulation Select Clone the computers MAC address IP Address and enter All of the LANs computers will have access 142 Computer’s 143DNS Servers First DNS Different ROM file Pptp Encapsulation 144 145 Pptp connection Advanced WAN Screen 146Select Clone the computers MAC address IP Address 147 Select Igmp V-1,IGMP V-2 or None Igmp When the NBG-460N gets a WAN IP address that is notTo be in Router Mode for the Iptv STB port to work 148 LAN 149 LAN TCP/IP IP Pool SetupLAN IP Screen 150 LAN IP Alias 151LAN TCP/IP 152 Any IP SetupAdvanced LAN Screen IP address that you assign. Unless you are implementing LANs, WANs and the ZyXEL Device 153 Any IP 154 155 156 Dhcp 157 Dhcp General Screen Dhcp Advanced Screen158 Select the Enable Dhcp Server check box. When you clear Must have their DNS server addresses manually configured159 160 NBG-460Ns system DNS server configured in the WAN InternetClient List Screen Select DNS Relay to have the NBG-460N act as a DNS proxy. Host names. After you click Apply, the MAC address and IP 161This is the index number of the host computer Them 162 Network Address Translation NAT 163 Default Server Setup Enable NetworkSelect the check box to enable NAT General NAT Screen NAT Application Screen 165 166 Wake On LAN is enabled 167Fields under Add Application Rule Configuring Servers Behind Port Forwarding Example Game List Example168 NAT Advanced Screen 169 Users may not be able to access the Internet 170Can establish through the NBG-460N 171 LAN that requested the serviceTrigger Port Forwarding Example Traffic to a server on the WAN Two Points To Remember About Trigger Ports 172 Dynamic DNS DynDNS Wildcard173 Enable Dynamic Select this check box to use dynamic DNS Dynamic DNS Screen174 175 WAN IP address 176 Part 177 178 Firewall 179 About the NBG-460N Firewall Triangle Routes180 Triangle Routes and IP Alias 181 Services Screen General Firewall Screen182 183 Icmp 184 Add Firewall Rule screen Pool Add Firewall Rule Screen185 Single IP is selected as the Address Type Click Clear All to empty the Blocked Services 186Address Type 187 188 Content Filtering Content Filtering Profiles189 Keyword Blocking URL Checking Restrict Web Features190 Days and Times Filter Screen 191 Web Proxy 192Cookies Allowed 193 Which content filtering will be enforcedSchedule Screen Not affected Domain Name or IP Address URL Checking Customizing Keyword Blocking URL Checking194 Full Path URL Checking IPSec VPN 195 IKE SA IKE Phase 1 Overview 196 IP Addresses of the NBG-460N and Remote IPSec Router IPSec SA IKE Phase 2 Overview197 Local Network and Remote Network General Screen 198 VPN Rule Setup Basic 199 Feature to work 200 Enabled 201Secure Gateway Address field set to 202 Your computer in the Local Content field. The NBG-460N 203With dynamic WAN IP addresses 204 Address field refer to the Secure Gateway Address field VPN Rule Setup Advanced 205 Security VPN General Rule Setup IKE Advanced 206 Select No to disable it 207 208 209 210 211 212 VPN Rule Setup Manual 213Each IPSec SA. It is more secure but takes more time Security VPN General Rule Setup Manual 214 215 216 217 SecureSPI SA Monitor Screen 218Trailing spaces are truncated VPN and Remote Management IKE SA Proposal219 Diffie-Hellman DH Key Exchange 220 221 AuthenticationVPN Example Matching ID Type and Content Remote Ipsec Router Negotiation Mode VPN Example Mismatching ID Type and Content222 15.6.6 VPN, NAT, and NAT Traversal 223 IPSec Protocol Encapsulation224 225 IPSec SA Proposal and Perfect Forward SecrecyAdditional IPSec VPN Topics SA Life Time Encryption and Authentication Algorithms 226Private DNS Server 227 Private DNS Server Example 228 Management 229 230 Static Route 231Lanwan IP Static Route Screen 232 Static Route Setup Screen 233 234 FTP Bandwidth Management235 Chat, Email General Configuration Screen 236 237 Management check boxMbps Connected to the WAN port has an upstream speed of 10 Mbps Advanced Configuration238 Wlan Bandwidth 239 Low Wlan to WAN Rule Configuration with the Pre-defined Service240 To Wlan Rule Configuration User Defined Service Rule Configuration 241 Monitor Screen 242 Service Description Predefined Bandwidth Management ServicesMedia Bandwidth Management Setup Services Technical References 244 Default Bandwidth Management Classes and PrioritiesBandwidth Management Priority with Default Classes Class Type Priority Bandwidth Management Priorities 245Bandwidth Management Priorities 246 Remote Management 247 Remote Management and NAT System TimeoutRemote Management Limitations 248 249 Specify to access the NBG-460N using this serviceWWW Screen Remote management Telnet Screen FTP Screen250 DNS Screen 251 252 You specify to send DNS queries to the NBG-460N Universal Plug-and-Play UPnP NAT Traversal253 UPnP Screen 254 Using UPnP in Windows XP Example 255 256 Network Connections Internet Connection Properties Advanced Settings 257 Web Configurator Easy Access 258 259 Network Connections My Network Places 260 Network Connections My Network Places Properties Example Maintenance Troubleshooting 261 262 System System General Screen263 264 Time Setting Screen 265 266 Select User Defined Time Server Address and enter the IP 267 268 Logs 269 270 Log categories that you selected in the Log SettingsView Log Screen Display Log Settings 271Time and date Mail Log Settings Mail Server 272Messages will not be sent via e-mail 273 Sent via e-mailSmtp 274 System Maintenance LogsLog Descriptions LOG Message Description System Error Logs 275 276 Access Control LogsTCP Reset Logs Firewall Attack Alerts screen 277 Packet Filter Logs 278 Icmp Logs Content Filtering Logs 279UPnP packets can pass through the firewall 280 Attack Logs 281 IPSec Logs 282 IKE Logs 283 284 285 PKI Logs802.1X Logs Packet Direction Description ACL Setting Notes286 Type Code Description 287 Icmp NotesSyslog Logs 288 RFC-2408 Isakmp Payload TypesLOG Display Payload Type Tools Firmware Upload Screen289 Maintenance Tools Firmware 290 Upload Error Message Network Temporarily Disconnected Restore Configuration Configuration ScreenBackup Configuration Maintenance Restore Configuration Configuration Restore Successful 293 Back to Factory Defaults Restart Screen294 Green Indicate either Ready or MAC Address errorWake On LAN 295 Maintenance Tools Green 296 Configuration Mode 297 Advanced Configuration Options 298Category Link TAB Sys Op Mode 299 300 Router Maintenance Sys OP Mode General 301 302 Firewall or bandwidth management Language Language Screen303 304 Troubleshooting Power, Hardware Connections, and LEDs305 NBG-460N Access and Login 306 307 Advanced Suggestions Internet Access 308 309 Internet connection is slow or intermittent Resetting the NBG-460N to Its Factory Defaults 310 Wireless Router/AP Troubleshooting 311 Advanced Features 312 313 Product Specifications and Wall- Mounting InstructionsHardware Features PWR, LAN1-4, WAN, WLAN, WPS Bluetooth enabled devices, and other wireless LANs Firmware FeaturesSuch as microwave ovens, wireless phones 314 315 316 Feature SpecificationsFeature Specification Standards Supported Wall-mounting Instructions 317Protocol MBM Media Bandwidth Management 318 Masonry Plug and M4 Tap Screw Appendices Index 319 320 Disable pop-up Blockers Internet Explorer Pop-up Blockers321 Enable pop-up Blockers with Exceptions 322 Select Settings…to open the Pop-up Blocker Settings screen 323 JavaScripts 324 325 Internet Options Security Java Permissions 326 327 Java Sun 328 Java Sun Introduction to IP Addresses Structure329 Subnet Mask Identifying Network Number Subnet Masks330 1ST 2ND 3RD 4TH Octet Subnet Masks 331Network Size Binary 1ST 2ND 3RD 4TH Decimal Octet Maximum Host Numbers Notation332 Alternative Subnet Mask Notation Subnetting 333 Example Four Subnets 334 335 IP/SUBNET Mask Network Number Last Octet BIT Value Example Eight Subnets Subnet Planning336 16-bit Network Number Subnet Planning Configuring IP Addresses337 NO. Borrowed Subnet Mask NO. Hosts PER Host Bits Subnets 338 Private IP Addresses Setting up Your Computer’s IP Address 339 Installing Components Windows 95/98/Me340 Configuring 341 Verifying Settings 342 Windows 2000/NT/XP 343 344 Windows XP Control Panel 345 Windows XP Local Area Connection Properties 346 Windows XP Internet Protocol TCP/IP Properties 347 Windows XP Advanced TCP/IP Properties 348 Macintosh OS 8/9 349 350 Macintosh OS 8/9 TCP/IP Macintosh OS 351 Using the K Desktop Environment KDE Linux352 353 Red Hat 9.0 KDE Ethernet Device General Using Configuration Files 354 Red Hat 9.0 Static IP Address Setting in ifconfig-eth0 Red Hat 9.0 DNS Settings in resolv.conf Verifying Settings 356 Wireless LAN Topologies Ad-hoc Wireless LAN Configuration357 Basic Service Set 358 Channel 359 360 RTS/CTS Preamble Type Ieee 802.11g Wireless LANFragmentation Threshold 361 Ieee 802.11g Ieee362 Data Rate Modulation Mbps Types of Radius Messages Types of Authentication363 EAP-MD5 Message-Digest Algorithm EAP-TLS Transport Layer Security EAP-TTLS Tunneled Transport Layer Service364 Peap Protected EAP 365 Comparison of EAP Authentication TypesWPA2 Encryption User Authentication 366 27.0.2 WPA2-PSK Application Example 27.0.3 WPA2 with Radius Application Example367 Security Parameters Summary Wireless Security Relational MatrixAuthentication Encryptio Enter METHOD/ KEY 368 Services 369 Examples of Services 370Name Protocol Ports Description 371 372 373 CopyrightCertifications Disclaimer 374 FCC Radiation Exposure Statement ZyXEL Limited Warranty 375Viewing Certifications 376 Registration Classes and priorities Index377 CTS Clear to Send 378 EssidEncapsulating Security Payload. See ESP Ethernet PPPoE. see also PPP over Ethernet 379IKE SA Language Link type 40 380 MACMbssid QoS QoS priorities Quality of Service QoS 381Radius Wireless security 98 overview 382 383 Xbox Live ZyNOS 39 384