A good user manual
The rules should oblige the seller to give the purchaser an operating instruction of ZyXEL Communications P-661H-D, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.
What is an instruction?
The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of ZyXEL Communications P-661H-D one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.
Unfortunately, only a few customers devote their time to read an instruction of ZyXEL Communications P-661H-D. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.
What should a perfect user manual contain?
First and foremost, a user manual of ZyXEL Communications P-661H-D should contain:
- information concerning technical data of ZyXEL Communications P-661H-D
- name of the manufacturer and a year of construction of the ZyXEL Communications P-661H-D item
- rules of operation, control and maintenance of the ZyXEL Communications P-661H-D item
- safety signs and mark certificates which confirm compatibility with appropriate standards
Why don't we read the manuals?
Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of ZyXEL Communications P-661H-D alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of ZyXEL Communications P-661H-D, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the ZyXEL Communications service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of ZyXEL Communications P-661H-D.
Why should one read the manuals?
It is mostly in the manuals where we will find the details concerning construction and possibility of the ZyXEL Communications P-661H-D item, and its use of respective accessory, as well as information concerning all the functions and facilities.
After a successful purchase of an item one should find a moment and get to know every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by their users. The manuals will serve as an informational aid.
Table of contents for the manual
-
Page 1
P-661H-D Series ADSL2+ 4-port Security Gateway Support Notes Version 3.40 Mar. 2006[...]
-
Page 2
P-661H-D Series Support Notes FAQ ... 5 ZyNOS FAQ ... 5 1. What is ZyNOS? [...]
-
Page 3
P-661H-D Series Support Notes 17. What do the ATM QoS Types (CBR, UBR, VBR-nRT, VBR-RT) mean? ... 15 18. What is content filter? ... 15 ADSL FAQ [...]
-
Page 4
P-661H-D Series Support Notes General FAQ ... 28 1. What is VPN? ... 28 2. Why do I need VPN? ... 28 3. What are most common VPN protocol[...]
-
Page 5
P-661H-D Series Support Notes 3. Setup the P-661H-D as a DHCP Relay ... 41 4. SUA Notes ... 42 5. Using Full Feature NAT ... 51 6. Using the Dynamic DNS (DDNS) [...]
-
Page 6
P-661H-D Series Support Notes FAQ ZyNOS FAQ 1. What is ZyNOS? ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all Prestige routers that delivers network services and applications. It is designed in a modular fashion so it is easy for developers to add new features. New ZyNOS software upgrades can be easily downlo[...]
-
Page 7
P-661H-D Series Support Notes b. Enter CI command 'sys stdio 0' to disable Stdio idle timeout c. To upgrade firmware, use TFTP client program to put firmware in file 'ras' in the Prestige. After data transfer is finished, the P-661H-D will program the upgraded firmware into FLASH ROM and reboot itself. d. To backup your firmwar[...]
-
Page 8
P-661H-D Series Support Notes with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it is originated from Prestige using the IP address assigned by ISP. When reply packets from the external[...]
-
Page 9
P-661H-D Series Support Notes must be configured. (You can configure it in Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding). 12. When do I need select Full Feature NAT? • Make multiple local servers on the LAN accessible from outside with multiple global IP addresses With SUA, 'visible' servers had to be map[...]
-
Page 10
P-661H-D Series Support Notes The following table summarizes the five types. NAT Type IP Mapping One-to-One ILA1<--->IGA1 Many-to-One (SUA/PAT) ILA1<--->IGA1 ILA2<--->IGA1 ... Many-to-Many Overload ILA1<--->IGA1 ILA2<--->IGA2 ILA3<--->IGA1 ILA4<--->IGA2 ... Many One-to-One ILA1<--->IGA1 ILA2<--->[...]
-
Page 11
P-661H-D Series Support Notes • Allow everything that is not spoofing us Filter rule setup: • Filter type =TCP/IP Filter Rule • Active =Yes • Source IP Addr =a.b.c.d • Source IP Mask =w.x.y.z • Action Matched =Drop • Action Not Matched =Forward Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask: For the o[...]
-
Page 12
P-661H-D Series Support Notes Product FAQ 1. How can I manage P-661H-D? Multilingual Embedded Web GUI for Local and Remote management CLI (Command-line interface) Telnet support (Administrator Password Protected) for remote configuration change and status monitoring FTP/TFTP server, firmware upgrade and configuration backup and re[...]
-
Page 13
P-661H-D Series Support Notes do not interfere with your voice transmissions. For the details about how to connect the micro filter please refer to the user's manual. 6. The P-661H-D supports Bridge and Router mode, what's the difference between them? When the ISP limits some specific computers to access Internet, that means only the [...]
-
Page 14
P-661H-D Series Support Notes The outside users can always access the web server using the www.zyxel.com.tw regardless of the WAN IP of the P-661H-D. When the ISP assigns the P-661H-D a new IP, the P-661H-D updates this IP to DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the [...]
-
Page 15
P-661H-D Series Support Notes For forwarding the inbound IPSec ESP tunnel, A 'Default' server set is required. You could configure it in Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding -> Default Server Setup: It is because SUA makes your LAN appear as a single machine to the outside world. LAN users are invis[...]
-
Page 16
P-661H-D Series Support Notes 16. What do the parameters (PCR, SCR, MBS) mean? Traffic shaping parameters ( PCR, SCR, MBS ) can be set in Web Configurator, Advanced Setup, Network -> Remote Node -> Edit -> ATM Setup : Peak Cell Rate(PCR): The maximum bandwidth allocated to this connection. The VC connection throughput is limited by PCR. Su[...]
-
Page 17
P-661H-D Series Support Notes when the P-661H-D performs content filtering. You can also specify trusted IP Addresses on LAN for which the P-661H-D will not perform content filtering. You can configure the details about it in Web Configurator, Advanced setup, Security -> Content Filter. 16 All contents copyright © 2006 ZyXEL Communications[...]
-
Page 18
P-661H-D Series Support Notes ADSL FAQ 1. How does ADSL compare to Cable modems? ADSL provides a dedicated service over a single telephone line; cable modems offer a dedicated service over a shared media. While cable modems have greater downstream bandwidth capabilities (up to 30 Mbps), that bandwidth is shared among all users on a line, and will [...]
-
Page 19
P-661H-D Series Support Notes 6. Does the VC-based multiplexing perform better than the LLC-based multiplexing? Though the LLC-based multiplexing can carry multiple protocols over a single VC, it requires extra header information to identify the protocol being carried on the virtual circuit (VC). The VC-based multiplexing needs a separate VC for[...]
-
Page 20
P-661H-D Series Support Notes More and more Telco/ISPs are providing three kinds of services (VoIP, Video and Internet) over one existing ADSL connection. • The different services (such as video, VoIP and Internet access) require different Quality of Service. • The high priority is Voice (VoIP) data. • The Medium priority is Video (IPTV) data[...]
-
Page 21
P-661H-D Series Support Notes Firewall FAQ General 1. What is a network firewall? A firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of two mechanisms: One to block the[...]
-
Page 22
P-661H-D Series Support Notes address and protocol. They also 'inspect' the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency, however, they may lack the granular application level access control[...]
-
Page 23
P-661H-D Series Support Notes 1. Those that exploit bugs in a TCP/IP implementation such as Ping of Death and Teardrop. 2. Those that exploit weaknesses in the TCP/IP specification such as SYN Flood and LAND Attacks. 3. Brute-force attacks that flood a network with useless data such as Smurf attack. 4. IP Spoofing 7. What is Ping of Death attack?[...]
-
Page 24
P-661H-D Series Support Notes 11. What is Brute-force attack? A Brute-force attack, such as 'Smurf' attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker flood a destination IP address of each packet is the broadcast address of the [...]
-
Page 25
P-661H-D Series Support Notes 1. Change the default Administrator password since it is required when setting up the firewall. 2. Limit who can access your P-661H-D’s Web Configurator or CLI. You can enter the IP address of the secured LAN host in Web Configurator, Advanced Setup, Advanced -> Remote MGNT -> [Service] ->Secured Client[...]
-
Page 26
P-661H-D Series Support Notes (3) WWW/Telnet service is enabled but your host IP is not the secured host entered in Web Configurator, Advanced setup, Advanced -> Remote MGNT: (4) A filter set which blocks WWW/Telnet from WAN is applied to WAN node. You can check by command: wan node index [index #] wan node display 4. Why can't I upload the[...]
-
Page 27
P-661H-D Series Support Notes (2) You have disabled FTP service in Web Configurator, Advanced setup, Advanced -> Remote MGNT. (3) FTP service is enabled but your host IP is not the secured host entered in Web Configurator, Advanced setup, Advanced -> Remote MGNT. (4) A filter set which blocks FTP from WAN is applied to WAN node. You can che[...]
-
Page 28
P-661H-D Series Support Notes • Web configuration: Advanced Setup, Maintenance -> Logs -> Log Settings, check Access Control and Attacks options depending on your real situation. • CI command: sys logs category [access | attack] (2) Enable log function in firewall default policy or in firewall rules. After the above two steps, you can[...]
-
Page 29
P-661H-D Series Support Notes VPN FAQ General FAQ 1. What is VPN? A VPN gives users a secure link to access corporate network over the Internet or other public or private networks without the expense of lease lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to tr[...]
-
Page 30
P-661H-D Series Support Notes PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Ne[...]
-
Page 31
P-661H-D Series Support Notes There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode and tunnel mode. 9. What is SA? A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and alg[...]
-
Page 32
P-661H-D Series Support Notes IP address dynamically assigned from ISP, so P-661H-D needs additional information to make the decision. Such additional information is what we call phase 1 ID. In the IKE payload, there are local and peer ID field to achieve this. 14. What is FQDN? FQDN(Fully Qualified Domain Name), IKE standard takes it as one type o[...]
-
Page 33
P-661H-D Series Support Notes 2. What kind of VPN protocols are supported on P-661H-D? All P-661H-D series support IPSec VPN, in other words, we can build IPSec VPN on P-661H-D. And also note that P-661H-D is of VPN (IPSec, PPTP) passthrough supported NAT. 3. What types of encryption does P-661H-D VPN support? P-661H-D supports DES / 3DES /AES encr[...]
-
Page 34
P-661H-D Series Support Notes VPN Gateway behind NAT ESP Tunnel mode NAT in Transport mode None (3) Source IP/Destination IP -- Please do not number the LANs (local and remote) using the same range of private IP addresses. This will make VPN destination addresses and the local LAN addresses are indistinguishable, and VPN will not work. (4) Secure [...]
-
Page 35
P-661H-D Series Support Notes We have tested P-661H-D successfully with the following third party VPN gateway: • Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES • NetScreen 5, ScreenOS 2.6.0r6 • SonicWALL SOHO 2 • WatchGuard Firebox II • Avaya VPN • Netopia VPN • III VPN 8. What VPN software has been tested with P-6[...]
-
Page 36
P-661H-D Series Support Notes NAT * NAT in Transport mode None * The NAT router must support IPSec pass through. For example, for P-661H-D SUA/NAT routers, the default port and the client IP have to be specified in Web Configurator, Network -> NAT ->SUA Server Setup. 11. How do I configure P-661H-D with NAT for internal servers? Generally, wi[...]
-
Page 37
P-661H-D Series Support Notes disconnected either manually, by idle timer, or because of power cycle, packet triggering is still necessary to make the tunnel up. 14. Single, Range, Subnet, which types of IP address do P-661H-D support in VPN/IPSec? P-661H-D supports all of the types. In other words, you can specify a single PC, a range of PCs or e[...]
-
Page 38
P-661H-D Series Support Notes Application Notes General Application Notes 1. Internet Access Using P-661H-D under Bridge mode • Setup your workstation • Setup your P-661H-D under bridge mode If the ISP limits some specific computers to access Internet, that means only the traffic to/from these computers will be forwarded and the other will b[...]
-
Page 39
P-661H-D Series Support Notes Setup your P-661H-D under bridge mode The following procedure shows you how to configure your P-661H-D as bridge mode. We will use Web Configurator to guide you through the related menu. (1) Configure P-661H-D as bridge mode and configure Internet setup parameters in Web Configurator, Advanced Setup, Network -> WA[...]
-
Page 40
P-661H-D Series Support Notes Internet Connection. Key Settings: Option Description Encapsulation Select the correct Encapsulation type that your ISP supports. For example, RFC 1483. Multiplexing Select the correct Multiplexing type that your ISP supports. For example, LLC. VPI & VCI number Specify a VPI (Virtual Path Identifier) and a VCI (Vi[...]
-
Page 41
P-661H-D Series Support Notes Connect the LAN ports of all computers to the LAN Interface of P-661H-D using Ethernet cable. (2) TCP/IP configuration Since the P-661H-D is set to DHCP server as default, so you need only to configure the workstations as the DHCP clients in the networking settings. In this case, the IP address of the computer is ass[...]
-
Page 42
P-661H-D Series Support Notes Option Description Encapsulation Select the correct Encapsulation type that your ISP supports. For example, RFC 1483. Multiplexing Select the correct Multiplexing type that your ISP supports. For example, LLC. VPI & VCI number Specify a VPI (Virtual Path Identifier) and a VCI (Virtual Channel Identifier) given to [...]
-
Page 43
P-661H-D Series Support Notes 4. SUA Notes Tested SUA/NAT Applications (e.g., Cu-SeeMe, ICQ, NetMeeting) Introduction Generally, SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. However, some applications such as Cu-SeeMe, and ICQ will need to connect to the local user behind the P-661H[...]
-
Page 44
P-661H-D Series Support Notes mIRC None for Chat. For DCC, please set Default/Client IP . Windows PPTP None 1723/client IP ICQ 99a None for Chat. For DCC, please set: ICQ -> preference -> connections -> firewall and set the firewall time out to 80 seconds in firewall setting. Default/client IP ICQ 2000b None for Chat None for Chat ICQ Phon[...]
-
Page 45
P-661H-D Series Support Notes Network Time Protocol (NTP) None 123 /server IP Win2k Terminal Server None 3389/server IP Remote Anything None 3996 - 4000/client IP Virtual Network Computing (VNC) None 5500/client IP 5800/client IP 5900/client IP AIM (AOL Instant Messenger) None for Chat and IM None for Chat and IM e-Donkey None 4661 - 4662/client [...]
-
Page 46
P-661H-D Series Support Notes Configure an Internal Server behind SUA Introduction If you wish, you can make internal servers (e.g., Web, ftp or mail server) accessible for outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by the port number. Also, since you need to specify the[...]
-
Page 47
P-661H-D Series Support Notes Setup, Network -> NAT -> Port Forwarding. The outside users can access the local server using the P-661H-D's WAN IP address which can be obtained from Web Configurator, Status -> WAN Information . For example: Configuring an internal Web server for outside access (suppose the Server IP Address is 192.168.[...]
-
Page 48
P-661H-D Series Support Notes FTP 21 Telnet 23 SMTP 25 DNS (Domain Name Server) 53 www-http (Web) 80 Configure a PPTP server behind SUA Introduction PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself[...]
-
Page 49
P-661H-D Series Support Notes Window98 PPTP Client / Internet / NT RAS Server Protocol Stack PPTP appears as new modem type (Virtual Private Networking Adapter) that can be selected when setting up a connection in the Dial-Up Networking folder. The VPN Adapter type does not appear elsewhere in the system. Since PPTP encapsulates its data stream i[...]
-
Page 50
P-661H-D Series Support Notes Example The following example shows how to dial to an ISP via the P-661H-D and then establish a tunnel to a private network . There will be three items that you need to set up for PPTP application, these are PPTP server (WinNT), PPTP client (Win9x) and the P-661H-D. (1) PPTP server setup (WinNT) • Add the VPN service[...]
-
Page 51
P-661H-D Series Support Notes Select service name as ‘PPTP’, fill in the Server IP Address, then press button ‘Add’. When you have finished the above settings, you can ping to the remote Win9x client from WinNT. This ping command is used to demonstrate that remote the Win9x can be reached across the Internet. If the Internet connection b[...]
-
Page 52
P-661H-D Series Support Notes 5. Using Full Feature NAT When P-661H-D is in Routing mode, you can select NAT Option as Full Feature in Network -> Remote Node -> Edit: Key Settings: Field Options Description Full Feature When you select this option you can select Address Mapping Set Number 1~8 in the pull-down menu on the right. None NAT is di[...]
-
Page 53
P-661H-D Series Support Notes The P-661H-D has 8 remote nodes and so allows you to configure 8 NAT Address Mapping Sets, You must specify which NAT Address Mapping Set (1~8) to use in the remote node when you select Full Feature NAT. You can edit 10 rules for each Address Mapping Set. You can edit the rules for Address Mapping Sets #1 in Web Conf i[...]
-
Page 54
P-661H-D Series Support Notes IP. Global End IP This is the ending global IP address (IGA). N/A Type This is the NAT mapping types. Many-to-One and Server Here we’ll guide you to configure Address Mapping Sets from Web Configurator and CLI. (Since in Web Configurator we can only edit the rules for Address Mapping Sets #1. The other Address Mapp[...]
-
Page 55
P-661H-D Series Support Notes The following table describes the fields in this screen. Field Description Option/Example Type You can select one of the five mapping types from the pull-down menu 1. One-to-One 2. Many-to-One 3. Many-to-Many Overload 4. Many-to-Many No Overload 5. Server Start This is the starting local IP address (ILA) 0.0.0.0 Loca[...]
-
Page 56
P-661H-D Series Support Notes Step 3: Set NAT address mapping rule for the Address Mapping Set you just configured (Set 2 in this example) by command ‘ ip nat addrmap rule [rule#] [insert | edit] [type] [local start IP] [local end IP] [global start IP] [global end IP] [server set #] ’. Suppose we set a Many-to-One rule for set 2 by command ?[...]
-
Page 57
P-661H-D Series Support Notes server sets ip nat server save Save the NAT server set buffer into flash ip nat server clear [set#] Clear the server set [set#], must use “save” command to let it save into flash ip nat server edit [rule#] active Activate the rule [rule#], rule number is 1 to 24, the number 25-36 is for UPNP application ip nat se[...]
-
Page 58
P-661H-D Series Support Notes Please note that a server can support more than one service, e.g., a server can provide both FTP and Mail service, while another provides only Web service. The following procedures show how to configure a server behind NAT. Step 1: Login Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding. Step 2[...]
-
Page 59
P-661H-D Series Support Notes In our Internet Access example, we only need one rule where all our ILAs map to one IGA assigned by the ISP. You can just use the default SUA NAT , or you could select Full Feature NAT and select an Address Mapping Set with a Many-to-One Rule. See the following figure. (2) Internet Access with an Internal Server In thi[...]
-
Page 60
P-661H-D Series Support Notes below: (3) Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One, Server Set mapping types are used) In this case we have 3 IGAs from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. In this case, we want to assign the 3 IGAs by[...]
-
Page 61
P-661H-D Series Support Notes Step 1: In this case, we need to map ILA to more than one IGA, therefore we must choose the Full Feature option from the NAT field in currently active remote node, and assign IGA3 to P-661H-D’s WAN IP Address. Step 2: Go to Web Configurator, Advanced Setup, Network -> NAT -> Address Mapping to begin configuri[...]
-
Page 62
P-661H-D Series Support Notes Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3 (200.0.0.3). Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. Menu Network -> NAT -> Address Mapping should look as follows now: [...]
-
Page 63
P-661H-D Series Support Notes Step 3: Now we configure all other incoming traffic to go to our web server and mail server from Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding: (4) Support Non NAT Friendly Applications Some servers providing Internet applications such as some mIRC servers do not allow users to login usi[...]
-
Page 64
P-661H-D Series Support Notes One rule configured for using Many-to-Many No Overload mapping type is shown below. We can also do this by configure three One-to-One mapping type rules. 6. Using the Dynamic DNS (DDNS) • What is DDNS? The DDNS service, an IP Registry provides a public central database where information such as email addresses, hostn[...]
-
Page 65
P-661H-D Series Support Notes When the ISP assigns the P-661H-D a new IP, the P-661H-D must inform the DDNS server the change of this IP so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable. The DDNS servers the P-661H-D [...]
-
Page 66
P-661H-D Series Support Notes User Name Enter the user name that the DDNS server gives to you. Password Enter the password that the DDNS server gives to you. Enable Wildcard Enter the hostname for the wildcard function that the WWW.DYNDNS.ORG supports. Note that Wildcard option is available only when the provider is http://www.dyndns.org/ . 7. [...]
-
Page 67
P-661H-D Series Support Notes When receiving any SNMP get or set requirement with wrong community, this trap is sent to the manager. 6. whyReboot (defined in ZYXEL-MIB) : When the system is going to restart (warmstart), the trap will be sent with the reason of restart before rebooting. (1) For intentional reboot : In some cases (download new file[...]
-
Page 68
P-661H-D Series Support Notes The SNMP related settings in P-661H-D are configured in Web Configurator, Advanced Setup, Advanced -> Remote MGNT -> SNMP The following steps describe a simple setup procedure for configuring all SNMP settings. Key Settings: Option Descriptions Get Community Enter the correct Get Community. This Get Community mu[...]
-
Page 69
P-661H-D Series Support Notes Trap Destination Enter the IP address of the NMS that you wish to send the traps to. If 0.0.0.0 is entered, the P-661H-DHW-DX will not send trap to any NMS manager. Note: You may need to edit a firewall rule to permit SNMP Packets. 8. Using syslog You can configure it in Web Configurator, Advanced Setup, Maintenance -&g[...]
-
Page 70
P-661H-D Series Support Notes The P-661H-D supports three virtual LAN interfaces via its single physical Ethernet interface. The first network can be configured in Web Configurator, Advanced Setup, Network -> LAN -> DHCP Setup . The second and third networks that we call 'IP Alias 1' and 'IP Alias 2' can be configured in N[...]
-
Page 71
P-661H-D Series Support Notes You can edit filter rule to accept or deny LAN packets from/to the IP alias 1/2 go through the P-661H-D by command in CLI : lan index [index number] Usage: index number =1 main LAN 2 IP Alias #1 3 IP Alias #2 lan filter <incoming|outgoing> <tcpip|generic> [set#] Usage: set#= the corresponding fi[...]
-
Page 72
P-661H-D Series Support Notes and remote node connections, we can route the Web packets to the Internet using one policy and route the FTP packets to the remote LAN using another policy. See the figure below. Use IPPR to distribute traffic among multiple paths • Benefits Source-Based Routing - Network administrators can use policy-based routing[...]
-
Page 73
P-661H-D Series Support Notes The actions that can be taken include routing the packet to a different gateway (and hence the outgoing interface) and the TOS and precedence fields in the IP header. IPPR follows the existing packet filtering facility of ZyNOS in style and in implementation. The policies are divided into sets, where related policies[...]
-
Page 74
P-661H-D Series Support Notes (Set the protocol ID as 6(TCP) for the rule) ip policyrouting set criteria serviceType 0 (Set the criteria type of service as don’t care for this rule) ip policyrouting set criteria precedence 8 (Set the precedence as don’t care for this rule) ip policyrouting set criteria packetlength 0 (Set the packet length as [...]
-
Page 75
P-661H-D Series Support Notes 11. Using Call Scheduling • What is Call Scheduling? Call scheduling enables the mechanism for the P-661H-D to run the remote node connection according to the pre-defined schedule. This feature is just like the scheduler in a video recorder which records the program according to the specified time. Users can apply [...]
-
Page 76
P-661H-D Series Support Notes wan callsch oncedate 2005 12 27 (Set the schedule used just once, it works on 2005-12-27) wan callsch starttime 12 00 (Set the schedule start time as 12:00) wan callsch duration 16 00 (Set schedule duration time as 16 hours) wan callsch action 2 (Set action as dial-on-demand) wan callsch save (Save the current call sch[...]
-
Page 77
P-661H-D Series Support Notes • Time Service in P-661H-D There is no RTC (Real-Time Clock) chip so the P-661H-D should launch a mechanism to get current time and date from external server in boot time. Time service is implemented by the Daytime protocol(RFC-867) , Time protocol(RFC-868) , and NTP protocol(RFC-1305) . You have to assign an IP addr[...]
-
Page 78
P-661H-D Series Support Notes needs to be forwarded. At start up, the P-661H-D queries all directly connected networks to gather group membership. After that, the P-661H-D updates the information by periodic queries. The P-661H-D implementation of IGMP is also compatible with version 1. The multicast setting can be turned on or off on Ethernet an[...]
-
Page 79
P-661H-D Series Support Notes Fairness-Based is chosen, then the bandwidth is allocated by ratio. Which means if A class needs 300 kbps, B class needs 600 kbps, then the ratio of A and B's actual bandwidth is 1:2. So if we get 450 kbps in total, then A would get 150 kbps, B would get 300 kbps. We select Priority-Based in this example. Key Se[...]
-
Page 80
Step 3: You can modify the rule by clicking the ‘Edit’ button on the rule:
Key Settings:
RuleName: Give this rule a name, for example, 'WWW'
BW Budget: Configure the bandwidth you would like to allocate to this rule
Priority: Enter a number between 0 and 7 to set the priority of this class. The higher the n[...]
-
Page 81
Destination Subnet Mask: Enter the destination subnet mask.
Destination Port: Enter the destination port number of the traffic.
Source IP Address: Enter the IP address of the source that meets this class. Note that for traffic from 'LAN to WAN', since BWM is before NAT, you should use the IP address before NAT pro[...]
-
Page 82
services of the line will be. After that, the system will save the correct VPI, VCI and service (encapsulation) type back into the profile of the WAN interface.
• Configure the VC auto-hunting preconfigured table.
(1) Display the auto-hunting preconfigured table by using this command from the CLI: wan atm vchunt disp
(2) Add items [...]
-
Page 83
(3) Delete items from the auto-hunting preconfigured table by using the command: wan atm vchunt remove <remote node> <vpi> <vci>
• Using Zero Configuration.
You can enable/disable Zero Configuration in Network -> WAN -> Advanced Setup:
(1) After configuring the auto-hunting preconfigured table[...]
-
Page 84
(4) Basically, zero configuration only works on a VC that was preconfigured in the auto-hunting preconfigured table.
15. How could I configure triple play on P-661H-D?
The common triple play scenario is as follows:
[Figure: triple play scenario, labelled 0/32]
Triple Play is a port-based policy to forward packets from different LAN port to different PVC[...]
-
Page 85
The packet filter function on the P-661H-D is the same as before, except that you can only configure the filter sets and apply them by command in the CLI. This is very complex for common users to do, so here is the recommendation:
(1) Usually if you want to block special packets, you could edit a firewall rule in Web Configu[...]
-
Page 86
• Apply to LAN Interface:
lan index [index#]
Usage: index# = 1 main LAN, 2 IP Alias #1, 3 IP Alias #2
lan filter <incoming|outgoing> <tcpip|generic> <set1#> <set2#> <set3#> <set4#>
Usage: You can apply at most four filter sets to the LAN interface.
lan save
(3) If you are ver[...]
-
Page 87
mask] the rule
sys filter set destport [port#] [compare type = none|equal|notequal|less|greater]
    Set the destination port and compare type (compare type could be 0(none)|1(equal)|2(not equal)|3(less)|4(greater))
sys filter set srcip [address] [subnet mask]
    Set the source IP address and subnet mask
sys filter set s [...]
-
Page 88
IPSEC VPN Application Notes
1. How to use P-661H-D to build VPN Tunnel with another VPN Gateway/Software?
This page will guide you through setting up a VPN connection between two Prestige routers. In addition to Prestige to Prestige, Prestige can also talk to other VPN hardware/software. The tested VPN hardware is shown be[...]
-
Page 89
The IP addresses we use in this example are as below.
PC 1: 192.168.1.33
Prestige A: LAN: 192.168.1.1, WAN: 202.132.154.1
Prestige B: LAN: 192.168.2.1, WAN: 168.10.10.66
PC 2: 192.168.2.33
Note: The following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, w[...]
-
Page 90
(3) On the SUMMARY menu, select a policy to edit by clicking Edit. On the P-661H-D, we can build at most 2 VPN tunnels. Click the ‘Edit’ button in the table to begin configuring the VPN rule.
(4) In the IPSEC Setup field, toggle the Active check box and give a name, Test in the example, to this polic[...]
-
Page 91
(6) Fill in the VPN Gateway information in the Address Information field.
My IP Address is the WAN IP of Prestige A, 202.132.154.1 in the example.
Secure Gateway Address is the remote secure gateway, Prestige B’s WAN IP, 168.10.10.66 in the example.
Local ID Type as IP, and Content as 0.0.0.0 in the example.
Peer [...]
-
Page 92
Note: If there’s a NAT router between the two VPN Secure Gateways, we should only choose the ‘ESP’ VPN Protocol.
The minimum length of the Pre-Shared Key is 8.
(8) A common VPN rule has been completed; you can click ‘Apply’ to save it. But if you want to make a more specialized configuration, you could click ‘Advanced?[...]
-
Page 93
Secure Gateway Address is the remote secure gateway, Prestige A’s WAN IP, 202.132.154.1 in the example.
(3) Local ID Type/Content should be the same as Prestige A’s Peer ID Type/Content, IP/0.0.0.1 in the example.
Peer ID Type/Content should be the same as Prestige A’s Local ID Type/Content, IP/0.0.0.0 in[...]
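The mirroring rules described for Prestige A and Prestige B (My IP against Secure Gateway, Local ID against Peer ID, one shared key of at least 8) can be checked before the rules are applied. The following is an added example, not code from the ZyXEL notes: the `VpnRule` record, the `check_pair` function, the /24 LAN prefixes and the sample key are assumptions made for illustration, and it covers the fixed-IP case only.

```python
# Added example (not from the ZyXEL notes): compare the two gateways' rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MIN_PSK_LEN = 8  # minimum Pre-Shared Key length given in the notes


@dataclass(frozen=True)
class VpnRule:
    """Hypothetical record of one gateway's rule; not a ZyNOS data format."""
    my_ip: str
    secure_gateway: str
    local_id: tuple   # (type, content), e.g. ("IP", "0.0.0.0")
    peer_id: tuple
    local_net: str    # assumption: the LAN behind this gateway as a /24
    remote_net: str
    psk: str


def check_pair(a: VpnRule, b: VpnRule) -> list:
    """Return the settings that are not mirrored between rule a and rule b."""
    problems = []
    if (ip_address(a.secure_gateway) != ip_address(b.my_ip)
            or ip_address(b.secure_gateway) != ip_address(a.my_ip)):
        problems.append("My IP / Secure Gateway not mirrored")
    if a.local_id != b.peer_id or a.peer_id != b.local_id:
        problems.append("Local ID / Peer ID not mirrored")
    if (ip_network(a.local_net) != ip_network(b.remote_net)
            or ip_network(a.remote_net) != ip_network(b.local_net)):
        problems.append("local / remote networks not mirrored")
    if ip_network(a.local_net).overlaps(ip_network(a.remote_net)):
        problems.append("local and remote networks overlap")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    elif len(a.psk) < MIN_PSK_LEN:
        problems.append("pre-shared key shorter than 8")
    return problems


SAMPLE_PSK = "constructed-sample-key"  # constructed value, not from the notes
PRESTIGE_A = VpnRule("202.132.154.1", "168.10.10.66", ("IP", "0.0.0.0"),
                     ("IP", "0.0.0.1"), "192.168.1.0/24", "192.168.2.0/24",
                     SAMPLE_PSK)
PRESTIGE_B = VpnRule("168.10.10.66", "202.132.154.1", ("IP", "0.0.0.1"),
                     ("IP", "0.0.0.0"), "192.168.2.0/24", "192.168.1.0/24",
                     SAMPLE_PSK)

if __name__ == "__main__":
    print(check_pair(PRESTIGE_A, PRESTIGE_B) or "rules are mirrored")
```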
-
Page 94
Prestige> ipsec debug 1
IPSEC debug level 1
Prestige> catcher(): recv pkt numPkt<1>
get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80>
f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034 00000001 00000001 00000028 01010001 00000020 01010000 80010001 8002[...]
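The first seven 32-bit words of the hex dump in this trace are the fixed ISAKMP header, and decoding them reproduces the `nxt_payload<1> exchMode<2> m_id<0> len<80>` fields the router prints. The following is an added example, not part of the ZyXEL notes: the function and dictionary names are assumptions, and the type names come from RFC 2408.

```python
# Added example: decode the fixed 28-byte ISAKMP header from the debug trace.
import struct

# First seven 32-bit words of the hex dump in the trace, spaces removed.
HEADER_HEX = ("f76af206b187aae3"   # initiator cookie
              "0000000000000000"   # responder cookie
              "01100200"           # next payload, version, exchange type, flags
              "00000000"           # message ID
              "00000050")          # total message length

# Type names as defined in RFC 2408.
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive",
                  5: "Informational"}
PAYLOAD_TYPES = {0: "None", 1: "Security Association", 2: "Proposal",
                 3: "Transform", 4: "Key Exchange", 5: "Identification",
                 8: "Hash", 10: "Nonce", 11: "Notification"}


def parse_isakmp_header(raw: bytes) -> dict:
    """Split the fixed ISAKMP header into named fields."""
    if len(raw) < 28:
        raise ValueError("need at least 28 bytes for an ISAKMP header")
    (i_cookie, r_cookie, nxt, version, exch, flags,
     msg_id, length) = struct.unpack("!8s8sBBBBII", raw[:28])
    return {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),
        "next_payload": PAYLOAD_TYPES.get(nxt, f"unknown({nxt})"),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & 0x01),
        "message_id": msg_id,
        "length": length,
        # An all-zero responder cookie marks the first packet of an exchange.
        "first_packet": r_cookie == bytes(8),
    }


if __name__ == "__main__":
    for name, value in parse_isakmp_header(bytes.fromhex(HEADER_HEX)).items():
        print(f"{name:17} {value}")
```

Exchange type 2 (Identity Protection) is the exchange IKE uses for Main Mode, and the length of 80 is the 28-byte header plus the 52-byte Security Association payload that follows it in the dump.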
-
Page 95
In most cases, static IP addresses are used for VPN tunneling endpoints. But for SOHO users, generally, it is a dynamic case. In this case, this IP cannot be predefined in the VPN box. Here are some tips for configuring the Prestige in any dynamic case.
• Prestige static WAN IP vs. peer side dyn[...]
-
Page 96
Step 1: In Prestige A, please register a DDNS account from http://www.dyndns.org or http://dynupdate.no-ip.com
Step 2: Enable the DynDNS function on Prestige A via Web configurator, Advanced -> Dynamic DNS. And in VPN settings on Prestige A, please specify the IP address of My IP as 0.0.0.0 and Secure Gateway as 0.0.0[...]
-
Page 97
internal server according to the service port and private IP entered in the SUA/NAT Server Table. However, if both NAT and IPSec are enabled in Prestige, editing the table is necessary only if the connection is a non-secure connection. For secure connections, no SUA server settings are required since private IP is r[...]
-
Page 98
The IP addresses we use in this example are as shown below.
Branch_A: WAN: 202.3.1.1, LAN: 192.168.3.1, LAN of Branch_A: 192.168.3.0/24
Headquarter: WAN: 202.1.1.1, LAN: 192.168.1.1, LAN of Headquarter: 192.168.1.0/24
Branch_B: WAN: 202.2.1.1, LAN: 192.168.2.1, LAN of Branch_B: 192.168.2.0/24
Step 1: Setup VPN in branch office A
Because[...]
-
Page 99
Be very careful about the remote IP address in branch office B. Because systems behind branch office B want to access systems behind branch office A and headquarter, we have to specify these two segments in the Remote section. However, if we include these two segments in one rule, the LAN segment of branch office B will b[...]
-
Page 100
(2) My IP Address is the WAN IP of Prestige in Branch_B, 202.2.1.1 in the example. Secure Gateway Address is the IP address of Headquarter, 202.1.1.1 in the example.
(3) Suppose the pre-shared key is 01234567; we should configure the same key in the corresponding rule in the Headquarter VPN Gateway.
(4) You can setup IKE ph[...]
-
Page 101
Remote Address Type is Range Address and IP Address Start is 192.168.2.0, IP Address End is 192.168.2.255. This section covers the LAN segment of branch office B.
(2) My IP Address is the IP Address of Headquarter, 202.1.1.1 in the example. Secure Gateway Address is WAN IP of Prestige in Branch_B, 202.2.1.1 in the [...]
-
Page 102
Support Tool
1. LAN/WAN Packet Trace
The Prestige packet trace records and analyzes packets running on LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on the LAN or WAN end of the Prestige. It is also very helpful for diagnostics if you have co[...]
-
Page 103
(2) Trace WAN packet
• Disable the capture of the LAN packet by entering: sys trcp channel enet0 none
• Enable the capture of the WAN packet by entering: sys trcp channel mpoa00 bothway
• Enable the trace log by entering: sys trcp sw on & sys trcl sw on
• Display the brief trace online by entering: sys tr c[...]
-
Page 104
• Offline Trace
• Disable the capture of the WAN packet by entering: sys trcp channel mpoa00 none
• Enable the capture of the LAN packet by entering: sys trcp channel enet0 bothway
• Enable the trace log by entering: sys trcp sw on & sys trcl sw on
• Wait for packet passing through the Prestige over LA[...]
-
Page 105
• Capture the detailed logs by Hyper Terminal
Step 1: Initiate a hyper terminal connection from your PC (suppose you connected to the LAN port of P-661H-D)
Step 2: Click the ‘properties’ to configure parameters to telnet to the P-661H-D.
104 All contents copyright © 2006 ZyXEL Communications Corporation.[...]
-
Page 106
Step 3: So that after you invoke the relevant commands, you could save the logs you’ve captured. [...]
-
Page 107
2. Firmware/Configurations Uploading and Downloading using TFTP
• Using TFTP client software
• Upload/download ZyNOS via LAN
• Upload/download Prestige configurations via LAN
(1) Using TFTP to upload/download ZyNOS via LAN
Step 1: TELNET to your Prestige first before running the TFTP software
Step 2: Type the [...]
-
Page 108
The 192.168.1.1 is the IP address of the Prestige.
The local file is the source file of the ZyNOS firmware that is available in your hard disk.
The remote file is the file name that will be saved in Prestige.
Check the port number 69 and 512-Octet blocks for TFTP.
Check 'Binary' mode for file transferring[...]
-
Page 109
The 192.168.1.1 is the IP address of the Prestige.
The local file is the source file of your configuration file that is available in your hard disk.
The remote file is the file name that will be saved in Prestige.
Check the port number 69 and 512-Octet blocks for TFTP.
Check 'Binary' mode[...]
-
Page 110
[cppwu@faelinux cppwu]$ tftp -I 192.168.1.1 put [local-ras] ras <- upload firmware
3. Using FTP to Upload the Firmware and Configuration Files
In addition to uploading the firmware and configuration file via the console port and TFTP client, you can also upload the firmware and configuration files to the Prestige usi[...]
-
Page 111
'Binary'.
Step 2: Press 'OK' to ignore the 'Username' prompt.
Step 3: To upload the firmware file, we transfer the local 'ras' file to overwrite the remote 'ras' file. To upload the configuration file, we transfer the local 'rom-0' to overwrite the remote [...]
-
Page 112
Step 4: The Prestige reboots automatically after the uploading is finished. Please do not power off the router at this moment. [...]
-
Page 113
CI Command Reference
Command Syntax and General User Interface
CI has the following command syntax:
command <iface | device> subcommand [param]
command subcommand [param]
command ? | help
command subcommand ? | help
General user interface:
1. ? Shows the following commands and all major (sub)commands
2. exi[...]