ZyXEL ZyWALL 2WG User Guide

ZyXEL ZyWALL 2WG Manual

ZyXEL ZyWALL 2WG manual content summary:

  • ZyXEL ZyWALL 2WG | User Guide - Page 1
    ZyWALL 2 Plus Internet Security Appliance User's Guide Version 4.04 2/2008 Edition 1 www.zyxel.com
  • ZyXEL ZyWALL 2WG | User Guide - Page 2
  • ZyXEL ZyWALL 2WG | User Guide - Page 3
    It is recommended you use the web configurator to configure the ZyWALL. • Supporting Disk Refer to the included CD for support documents. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us help you. Send all
  • ZyXEL ZyWALL 2WG | User Guide - Page 4
    information (for example, other things you may need to configure or helpful tips) or recommendations. Syntax Conventions • The ZyWALL 2 Plus may be referred to as the "ZyWALL", the "device" or the "system" in this User's Guide. • Product labels, screen names, field labels and field choices
  • ZyXEL ZyWALL 2WG | User Guide - Page 5
    Document Conventions Icons Used in Figures Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server DSLAM Firewall Telephone Switch Router ZyWALL 2 Plus User's Guide 5
  • ZyXEL ZyWALL 2WG | User Guide - Page 6
    repair the power adaptor or cord. Contact your local vendor to order a new one. • Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning. This product is recyclable. Dispose of it properly. 6 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 7
    ZyWALL 45 Introducing the Web Configurator 49 Wizard Setup ...67 Tutorials ...87 Registration Screens ...125 Network ...129 LAN Screens ...131 Bridge Screens ...143 WAN Screens ...151 DMZ Screens ...171 Wireless LAN Screens ...183 Security ...193 Firewall Screens ...195 Content Filtering Screens
  • ZyXEL ZyWALL 2WG | User Guide - Page 8
    Setup 475 WAN and Dial Backup Setup 481 LAN Setup ...491 Internet Access ...497 DMZ Setup ...501 Wireless Setup ...505 Remote Node Setup ...509 IP Static Route Setup ...519 Network Address Translation (NAT 521 Introducing the ZyWALL Firewall 539 Filter Configuration ...541 SNMP Configuration
  • ZyXEL ZyWALL 2WG | User Guide - Page 9
    The Reset Button 51 2.3.2 Uploading a Configuration File Via Console Port 51 2.4 Navigating the ZyWALL Web Configurator 52 2.4.1 Title Bar ...52 2.4.2 Main Window ...52 2.4.3 HOME Screen: Router Mode 53 2.4.4 HOME Screen: Bridge Mode 55 2.4.5 Navigation Panel ...58 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 10
    WAN-to-LAN Traffic through the Firewall 105 4.2.6 Testing the Connections 112 4.3 Using NAT with Multiple Game Players 112 4.4 How to Manage the ZyWALL's Bandwidth 113 4.4.1 Example Parameters and Scenario 113 4.4.2 Configuring Bandwidth Management Rules 114 4.5 Configuring Content Filtering
  • ZyXEL ZyWALL 2WG | User Guide - Page 11
    Technical Reference 148 Chapter 8 WAN Screens...151 8.1 Overview ...151 8.1.1 What You Can Do in the WAN Screens 151 8.1.2 What You Need To Know About WAN 151 8.2 The WAN Route Screen ...152 8.3 The WAN Screen ...153 8.3.1 Configuring Ethernet Encapsulation 155 ZyWALL 2 Plus User's Guide 11
  • ZyXEL ZyWALL 2WG | User Guide - Page 12
    196 11.1.3 Before You Begin ...196 11.2 Firewall Rules Examples 196 11.3 The Firewall Default Rule Screen (Router Mode 198 11.4 The Firewall Default Rule Screen (Bridge Mode 200 11.5 The Firewall Rule Summary Screen 202 11.5.1 The Firewall Edit Rule Screen 204 12 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 13
    Move Screen 270 14.3 The VPN Rules (Manual) Screen 271 14.3.1 The VPN Rules (Manual) Edit Screen 272 14.4 The SA Monitor Screen 275 14.5 The Global Setting Screen 275 14.5.1 Configuring the Global Setting Screen 277 14.6 Telecommuter VPN/IPSec Examples 278 ZyWALL 2 Plus User's Guide 13
  • ZyXEL ZyWALL 2WG | User Guide - Page 14
    Server Screens 323 16.1.2 What You Need To Know About Authentication Server 323 16.2 The Local User Database Screen 324 16.3 The RADIUS Screen ...326 Part IV: Advanced 329 Chapter 17 Network Address Translation (NAT) Screens 331 17.1 Overview ...331 14 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 15
    Servers Behind Port Forwarding (Example 337 17.4.2 Configuring the Port Forwarding Screen 338 17.5 The Port Triggering Screen 340 17.6 NAT Technical Reference 341 Chapter 18 Static Route Screens ...347 18.1 Overview ...347 18.1.1 What You Can Do in the Static Route Screens 347 18.2 The IP
  • ZyXEL ZyWALL 2WG | User Guide - Page 16
    397 22.1.2 What You Need To Know About UPnP 397 22.2 UPnP Examples ...398 22.2.1 Installing UPnP in Windows Example 398 22.2.2 Using UPnP in Windows XP Example 400 22.3 The UPnP Screen ...404 22.4 The Ports Screen ...405 Chapter 23 Custom Application Screen 407 16 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 17
    26.3 The Password Screen ...448 26.4 The Time and Date Screen 449 26.4.1 Time Server Synchronization Example 452 26.5 The Device Mode Screen 453 26.5.1 The Device Mode Screen (Router 453 26.5.2 The Device Mode Screen (Bridge 454 26.6 The F/W Upload Screen 457 ZyWALL 2 Plus User's Guide 17
  • ZyXEL ZyWALL 2WG | User Guide - Page 18
    29.3 Dial Backup ...482 29.4 Configuring Dial Backup in Menu 2 482 29.5 Advanced WAN Setup ...483 29.6 Remote Node Profile (Backup ISP 485 29.7 Editing TCP/IP Options ...487 29.8 Editing Login Script ...488 29.9 Remote Node Filter ...489 Chapter 30 LAN Setup...491 18 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 19
    PPPoE Client 499 31.5 Basic Setup Complete ...500 Chapter 32 DMZ Setup ...501 32.1 Configuring DMZ Setup 501 32.2 DMZ Port Filter Setup ...501 32.3 TCP/IP Setup ...502 32.3.1 IP Address ...502 32.3.2 IP Alias Setup ...503 Chapter 33 Wireless Setup ...505 33.1 TCP/IP Setup ...505 33.1.1 IP Address
  • ZyXEL ZyWALL 2WG | User Guide - Page 20
    behind NAT 528 36.4 General NAT Examples 530 36.4.1 Internet Access Only 530 36.4.2 Example 2: Internet Access with a Default Server 532 36.4.3 Example 3: Multiple Public IP Addresses With Inside Servers 532 36.4.4 Example 4: NAT Unfriendly Application Programs 536 36.5 Trigger Port Forwarding
  • ZyXEL ZyWALL 2WG | User Guide - Page 21
    Upload 582 41.5.6 TFTP Upload Command Example 583 41.5.7 Uploading Via Console Port 583 41.5.8 Uploading Firmware File Via Console Port 583 41.5.9 Example Xmodem Firmware Upload Using HyperTerminal 583 41.5.10 Uploading Configuration File Via Console Port 584 ZyWALL 2 Plus User's Guide 21
  • ZyXEL ZyWALL 2WG | User Guide - Page 22
    Connections, and LEDs 605 45.2 ZyWALL Access and Login 606 45.3 Internet Access ...608 45.4 Wireless Router/AP Troubleshooting 610 45.5 UPnP ...610 Chapter 46 Product Specifications ...613 46.1 General ZyWALL Specifications 613 46.2 Cable Pin Assignments 615 46.3 Wall-mounting Instructions
  • ZyXEL ZyWALL 2WG | User Guide - Page 23
    of Contents Appendix B Pop-up Windows, JavaScripts and Java Permissions 637 Appendix C IP Addresses and Subnetting 645 Appendix D Common Services 653 Appendix E Importing Certificates 657 Appendix F Legal Information 669 Appendix G Customer Support 673 Index...679 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 24
    Table of Contents 24 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 25
    Policy 89 Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example 90 Figure 36 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy 91 Figure 37 SECURITY > FIREWALL > Rule Summary 92 Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow 93 ZyWALL 2 Plus User's Guide 25
  • ZyXEL ZyWALL 2WG | User Guide - Page 26
    Tutorial Example: Bandwidth Management Monitor 118 Figure 78 SECURITY > CONTENT FILTER > General 119 Figure 79 SECURITY > CONTENT FILTER > Policy 120 Figure 80 SECURITY > CONTENT FILTER > Policy > External Database (Default 120 Figure 81 HOME > DHCP Table ...121 26 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 27
    118 NETWORK > DMZ > IP Alias 180 Figure 119 NETWORK > DMZ > Port Roles 181 Figure 120 WLAN Overview ...183 Figure 121 NETWORK > WLAN ...185 Figure 122 NETWORK > WLAN > Static DHCP 188 Figure 123 NETWORK > WLAN > IP Alias 189 Figure 124 WLAN Port Role Example 191 ZyWALL 2 Plus User's Guide 27
  • ZyXEL ZyWALL 2WG | User Guide - Page 28
    Coat: Login ...247 Figure 162 Content Filtering Reports Main Screen 248 Figure 163 Blue Coat: Report Home ...248 Figure 164 Global Report Screen Example 249 Figure 165 Requested URLs Example 250 Figure 166 Web Page Review Process Screen 251 Figure 167 VPN: Example ...253 28 ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 29
    /NAT Example ...287 Figure 191 IPSec High Availability ...289 Figure 192 Virtual Mapping of Local and Remote Network IP Addresses 291 Figure 193 VPN: Transport and Tunnel Mode Encapsulation 292 Figure 194 Certificates on Your Computer 296 Figure 195 Certificate Details ...297 Figure 196 SECURITY
  • ZyXEL ZyWALL 2WG | User Guide - Page 30
    382 Figure 248 SSH Example 1: Store Host Key 383 Figure 249 SSH Example 2: Test ...383 Figure 250 SSH Example 2: Log in ...384 Figure 251 Secure FTP: Firmware Upload Example 384 Figure 252 HTTPS Implementation ...385 Figure 253 ADVANCED > REMOTE MGMT > WWW 386 30 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 31
    459 Figure 291 Configuration Upload Successful 460 Figure 292 Network Temporarily Disconnected 460 Figure 293 Configuration Upload Error 460 Figure 294 Reset Warning Message ...461 Figure 295 MAINTENANCE > Restart 461 Figure 296 MAINTENANCE > Diagnostics 462 ZyWALL 2 Plus User's Guide 31
  • ZyXEL ZyWALL 2WG | User Guide - Page 32
    Node Filter (Ethernet Encapsulation 516 Figure 336 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation 517 Figure 337 Menu 11.1.5: Traffic Redirect Setup 517 Figure 338 Menu 12: IP Static Route Setup 519 Figure 339 Menu 12.1: Edit IP Static Route 520 32 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 33
    551 Figure 377 Protocol and Device Filter Sets 552 Figure 378 Filtering LAN Traffic ...554 Figure 379 Filtering DMZ Traffic ...554 Figure 380 Filtering Remote Node Traffic 555 Figure 381 Menu 22: SNMP Configuration 557 Figure 382 Menu 24: System Maintenance 559 ZyWALL 2 Plus User's Guide 33
  • ZyXEL ZyWALL 2WG | User Guide - Page 34
    Figure 421 Schedule Set Setup ...600 Figure 422 Applying Schedule Set(s) to a Remote Node (PPPoE 601 Figure 423 Applying Schedule Set(s) to a Remote Node (PPTP 602 Figure 424 Console/Dial Backup Cable DB-9 End Pin Layout 616 Figure 425 Wall-mounting Example ...618 34 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 35
    649 Figure 463 Security Certificate ...657 Figure 464 Login Screen ...658 Figure 465 Certificate General Information before Import 658 Figure 466 Certificate Import Wizard 1 659 Figure 467 Certificate Import Wizard 2 659 Figure 468 Certificate Import Wizard 3 660 ZyWALL 2 Plus User's Guide 35
  • ZyXEL ZyWALL 2WG | User Guide - Page 36
    Certificate Import Wizard 4 665 Figure 477 Personal Certificate Import Wizard 5 666 Figure 478 Personal Certificate Import Wizard 6 666 Figure 479 Access the ZyWALL Via HTTPS 666 Figure 480 SSL Client Authentication 667 Figure 481 ZyWALL Secure Login Screen 667 36 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 37
    33 NETWORK > WAN > WAN (PPPoE Encapsulation 159 Table 34 NETWORK > WAN > WAN (PPTP Encapsulation 161 Table 35 NETWORK > WAN > Traffic Redirect 165 Table 36 NETWORK > WAN > Dial Backup 166 Table 37 NETWORK > WAN > Dial Backup > Edit 169 Table 38 NETWORK > DMZ ...175 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 38
    Table 44 NETWORK > WLAN > IP Alias 189 Table 45 NETWORK > WLAN > Port Roles 192 Table 46 Blocking All LAN to WAN IRC Traffic Example 197 Table 47 Limited LAN to WAN IRC Traffic Example 198 Table 48 SECURITY > FIREWALL > Default Rule (Router Mode 199 Table 49 SECURITY > FIREWALL > Default Rule
  • ZyXEL ZyWALL 2WG | User Guide - Page 39
    > Local User Database 325 Table 92 SECURITY > AUTH SERVER > RADIUS 326 Table 93 NAT Mapping Types ...332 Table 94 ADVANCED > NAT > NAT Overview 333 Table 95 ADVANCED > NAT > Address Mapping 334 Table 96 ADVANCED > NAT > Address Mapping > Edit 336 Table 97 ADVANCED > NAT > Port Forwarding 339
  • ZyXEL ZyWALL 2WG | User Guide - Page 40
    Configuration ...459 Table 162 MAINTENANCE > Diagnostics 462 Table 163 Main Menu Commands ...468 Table 164 Main Menu Summary ...470 Table 165 SMT Menus Overview ...471 Table 166 Menu 1: General Setup (Router Mode 475 Table 167 Menu 1: General Setup (Bridge Mode 476 40 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 41
    527 Table 194 15.2.1: NAT Server Configuration 529 Table 195 Menu 15.3: Trigger Port Setup 538 Table 196 Abbreviations Used in the Filter Rules Summary Menu 545 Table 197 Rule Abbreviations Used ...545 Table 198 Menu 21.1.1.1: TCP/IP Filter Rule 547 Table 199 Generic Filter Rule Menu Fields 549
  • ZyXEL ZyWALL 2WG | User Guide - Page 42
    Subnet 1 ...649 Table 226 Subnet 2 ...650 Table 227 Subnet 3 ...650 Table 228 Subnet 4 ...650 Table 229 Eight Subnets ...650 Table 230 24-bit Network Number Subnet Planning 651 Table 231 16-bit Network Number Subnet Planning 651 Table 232 Commonly Used Services 654 42 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 43
    PART I Introduction and Registration Getting to Know Your ZyWALL (45) Introducing the Web Configurator (49) Wizard Setup (67) Tutorials (87) Registration Screens (125) 43
  • ZyXEL ZyWALL 2WG | User Guide - Page 44
    44
  • ZyXEL ZyWALL 2WG | User Guide - Page 45
    features and applications of the ZyWALL. 1.1 ZyWALL Internet Security Appliance Overview The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates. The ZyWALL's De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting
  • ZyXEL ZyWALL 2WG | User Guide - Page 46
    upgrades and configuration backup/restore (Chapter 41 on page 571) • SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter in this User's Guide. • Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server. 46 ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 47
    or even crashes. If you forget your password, you will have to reset the ZyWALL to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the ZyWALL. You could simply restore your last configuration. 1.5 LEDs Figure 3 Front Panel The
  • ZyXEL ZyWALL 2WG | User Guide - Page 48
    is not ready, or has failed. Green On The ZyWALL has a successful 10Mbps WAN connection. Flashing The 10M WAN is sending or receiving packets. Orange On The ZyWALL has a successful 100Mbps WAN connection. Flashing The 100M WAN is sending or receiving packets. 48 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 49
    network to connect to the ZyWALL (refer to the Quick Start Guide). 2 Launch your web browser. 3 Type "192.168.1.1" as the URL. 4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login. ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 50
    HOME screen (see Figure 8 on page 53). The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you. 50 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 51
    . This indicates that the defaults have been restored and the ZyWALL is now restarting. 5 Release the RESET button and wait for the ZyWALL to finish restarting. 2.3.2 Uploading a Configuration File Via Console Port 1 Download the default configuration file from the ZyXEL FTP site, unzip it and
  • ZyXEL ZyWALL 2WG | User Guide - Page 52
    . See Chapter 3 on page 67 for more information. Help: Click this icon to open the help page for the current screen. 2.4.2 Main Window The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. 52 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 53
    is the bootbase version and the date created. Firmware Version This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file. ZyWALL 2 Plus User's Guide 53
  • ZyXEL ZyWALL 2WG | User Guide - Page 54
    if you're using Ethernet encapsulation and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation. IP/Netmask This shows the port's IP address and subnet mask. 54 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 55
    , click Renew to release the WAN port's dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP, PPPoE or dial backup connection. Click Drop to disconnect the PPTP, PPPoE or dial backup connection. Security Services Content Filter Expiration Date This is the
  • ZyXEL ZyWALL 2WG | User Guide - Page 56
    you can upload a new firmware file. Up Time This field displays how long the ZyWALL has been running since it last started up. The ZyWALL starts up when you turn it on, when you restart it (MAINTENANCE > Restart), or when you reset it (see Section 2.3 on page 51). 56 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 57
    the root bridge. Bridge Max Age This is the predefined interval that a bridge waits to get a Hello message (BPDU) from the root bridge. Forward Delay This is the forward delay interval. Bridge Port This is the port type. Port types are: WAN, LAN, DMZ and WLAN. ZyWALL 2 Plus User's Guide 57
  • ZyXEL ZyWALL 2WG | User Guide - Page 58
    have all features listed in this table. Table 5 Bridge and Router Mode Features Comparison FEATURE BRIDGE MODE ROUTER MODE Internet Access Wizard Y VPN Wizard Y Y DHCP Table Y System Statistics Y Y Registration Y Y LAN Y WAN Y DMZ Y Bridge Y 58 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 59
    manage and update the service status and license information. NETWORK LAN LAN Use this screen to configure LAN DHCP and TCP/IP settings. Static DHCP Use this screen to assign fixed IP addresses on the LAN. IP Alias Use this screen to partition your LAN interface into subnets. Port Roles Use
  • ZyXEL ZyWALL 2WG | User Guide - Page 60
    to configure your WLAN connection. Static DHCP Use this screen to assign fixed IP addresses on the WLAN. IP Alias Use this screen to partition your WLAN interface into subnets. Port Roles Use this screen to change the LAN/DMZ/WLAN port roles on the ZyWALL. SECURITY FIREWALL Default Rule
  • ZyXEL ZyWALL 2WG | User Guide - Page 61
    server to authenticate wireless and/or VPN users. ADVANCED NAT NAT Overview Use this screen to enable NAT. Address Mapping Use this screen to configure network address translation mapping rules. Port Forwarding Use this screen to configure servers behind the ZyWALL. Port Triggering Use this
  • ZyXEL ZyWALL 2WG | User Guide - Page 62
    Click this label to exit the web configurator. 2.4.6 Port Statistics Click Port Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. The Poll Interval(s) field is configurable. Figure 10 HOME > Show Statistics 62 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 63
    ZyWALL is set to router mode. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of all network clients using the ZyWALL's DHCP server. Figure 11 HOME > DHCP Table ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 64
    is set to router mode. This screen displays read-only information about the active VPN connections. The Poll Interval(s) field is configurable. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. Figure 12 HOME > VPN Status 64 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 65
    using the VPN IPSec feature of your ZyWALL. Remote Network This field displays IP address (in a range) of computers on the remote network behind the remote IPSec router. Encapsulation This field displays Tunnel or Transport mode. IPSec Algorithm This field displays the security protocols used
  • ZyXEL ZyWALL 2WG | User Guide - Page 66
    Configurator The update the screen's statistics immediately. A. If you allocate all the root class's bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class). 66 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 67
    port on the ZyWALL (in router mode). • VPN Setup Use VPN Setup to configure a VPN connection that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. See Section 3.3 on page 77. Figure 14 Wizard Setup Welcome ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 68
    . Table 11 ISP Parameters: Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection. 68 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 69
    (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks. ZyWALL 2 Plus User's Guide 69
  • ZyXEL ZyWALL 2WG | User Guide - Page 70
    . WAN IP Address Assignment IP Address Assignment Select Dynamic If your ISP did not assign you a fixed IP address. This is the default selection. Select Static If the ISP assigned a fixed IP address. The fields below are available only when you select Static. 70 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 71
    server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time. ZyWALL 2 Plus User's Guide 71
  • ZyXEL ZyWALL 2WG | User Guide - Page 72
    -Up if you do not want the connection to time out. Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPTP server. PPTP Configuration My IP Address Type the (static) IP address assigned to you by your ISP. 72 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 73
    the congratulations screen and click Close to complete the Internet access setup. Figure 18 Internet Access Wizard: Second Screen 3.2.3 Internet Access Wizard Setup Complete The congratulations screen displays. Click Close to complete the Internet access setup. ZyWALL 2 Plus User's Guide 73
  • ZyXEL ZyWALL 2WG | User Guide - Page 74
    to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate the content filtering trial application. If you want to activate a standard service with your iCard's PIN number (license key), use the REGISTRATION > Service screen. 74 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 75
    you fill in the fields and click Next, the following screen shows indicating the registration is in progress. Wait for the registration progress to finish. ZyWALL 2 Plus User's Guide 75
  • ZyXEL ZyWALL 2WG | User Guide - Page 76
    activation are done. Figure 22 Internet Access Wizard: Status The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. Figure 23 Internet Access Wizard: Registration Failed 76 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 77
    this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 14 on page 67) to open the VPN configuration wizard. The first screen displays as shown next. ZyWALL 2 Plus User's Guide 77
  • ZyXEL ZyWALL 2WG | User Guide - Page 78
    IP address. Back Click Back to return to the previous screen. Next Click Next to continue. 3.4 VPN Wizard Network Setting Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel. 78 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 79
    field is N/A. When the Local Network field is configured to Range IP, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL. ZyWALL 2 Plus User's Guide 79
  • ZyXEL ZyWALL 2WG | User Guide - Page 80
    return to the previous screen. Next Click Next to continue. 3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) Use this screen to specify the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. Figure 28 VPN Wizard: IKE Tunnel Setting 80 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 81
    Setup The following table describes the labels in this screen. Table 17 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords
  • ZyXEL ZyWALL 2WG | User Guide - Page 82
    minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. 82 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 83
    return to the previous screen. Next Click Next to continue. 3.7 VPN Wizard Status Summary This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct. Figure 30 VPN Wizard: VPN Status ZyWALL 2 Plus User's Guide 83
  • ZyXEL ZyWALL 2WG | User Guide - Page 84
    the network behind the remote IPSec router. When the remote network is configured for a subnet, this is a subnet mask on the network behind the remote IPSec router. IKE Tunnel Setting (IKE Phase 1) Negotiation Mode This shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure
  • ZyXEL ZyWALL 2WG | User Guide - Page 85
    the wizard setup. 3.8 VPN Wizard Setup Complete Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule. Figure 31 VPN Wizard Setup Complete ZyWALL 2 Plus User's Guide 85
  • ZyXEL ZyWALL 2WG | User Guide - Page 86
    Chapter 3 Wizard Setup 86 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 87
    ) IP address from your ISP. • how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL's WAN port. 4.1 Security Settings for VPN Traffic The ZyWALL can apply the firewall and content filtering to the traffic going to or from the ZyWALL's VPN tunnels. The ZyWALL
  • ZyXEL ZyWALL 2WG | User Guide - Page 88
    B. 1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon. Figure 33 SECURITY > VPN > VPN Rules (IKE) 2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply. 88 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 89
    Chapter 4 Tutorials Figure 34 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy 3 Click the Add Network Policy icon. ZyWALL 2 Plus User's Guide 89
  • ZyXEL ZyWALL 2WG | User Guide - Page 90
    this instead of specifying port numbers in this VPN network policy. • The firewall provides better security because it operates at layer 4 and checks traffic sessions. The VPN network policy only operates at layer 3 and just checks IP addresses and port numbers. 90 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 91
    types (like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions. 4.1.3.1 Firewall Rule to Allow Access Example Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server. ZyWALL 2 Plus User's Guide 91
  • ZyXEL ZyWALL 2WG | User Guide - Page 92
    as the packet direction and click Refresh. 3 Click the insert icon. Figure 37 SECURITY > FIREWALL > Rule Summary 4 Configure the rule as follows and click Apply. The source addresses are the VPN rule's remote network and the destination address is the LAN FTP server. 92 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 93
    Chapter 4 Tutorials Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow 5 The rule displays in the summary list of VPN to LAN firewall rules. ZyWALL 2 Plus User's Guide 93
  • ZyXEL ZyWALL 2WG | User Guide - Page 94
    you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN. 1 Click SECURITY > FIREWALL > Default Rule. 2 Configure the screen as follows and click Apply. Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN 94 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 95
    the WAN connection to use the first public IP address (1.2.3.4). 2 Configure NAT address mapping for other public IP addresses (1.2.3.5 and 1.2.3.6). 3 Configure NAT port forwarding to forward FTP traffic from the WAN to a specific computer on your local network. ZyWALL 2 Plus User's Guide 95
  • ZyXEL ZyWALL 2WG | User Guide - Page 96
    name and password) provided by your ISP. If your ISP didn't give you the service name, leave the field blank. 4 In the WAN IP Address Assignment section, select Use Fixed IP Address and enter the first fixed public IP address (1.2.3.4 in this example). 5 Click Apply. 96 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 97
    . Click the Insert button to configure the IP address of the DNS server the ZyWALL can query to resolve domain names. Figure 44 Tutorial Example: DNS > System 8 Select Public DNS Server and enter the first DNS server's IP address given by your ISP. Click Apply. ZyWALL 2 Plus User's Guide 97
  • ZyXEL ZyWALL 2WG | User Guide - Page 98
    IP address as follows. Click Apply. To resolve a domain name, the ZyWALL checks it against the name server record entries in the order that they appear in this list. Figure 46 Tutorial Example: DNS > System Edit-2 10 The DNS > System screen should look as shown. 98 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 99
    screen to check your WAN connection status. Make sure the status is not down. Figure 48 Tutorial Example: Status 4.2.3 Public IP Address Mapping To have the local computers and servers use specific WAN IP addresses, you need to map static public IP addresses to them. ZyWALL 2 Plus User's Guide 99
  • ZyXEL ZyWALL 2WG | User Guide - Page 100
    ZyWALL applies the rules in the order that you specify. You should put any one-to-one rules before a many-to-one rule. 1 Click ADVANCED > NAT. 2 Enable NAT and select Full Feature as you have multiple public IP addresses to map to private IP addresses. Click Apply. 100 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 101
    the Address Mapping Rule screen. Figure 51 Tutorial Example: NAT > Address Mapping 5 Map a public IP address to the web server. Select the One-to-One type and enter 192.168.1.12 as the local start IP address and 1.2.3.5 as the global start IP address. Click Apply. ZyWALL 2 Plus User's Guide 101
  • ZyXEL ZyWALL 2WG | User Guide - Page 102
    outgoing LAN traffic. Select the Many-to-One type and enter 192.168.1.1 as the local start IP address, 192.168.1.254 as the local end IP address and 1.2.3.4 as the global start IP address. Click Apply. Figure 54 Tutorial Example: NAT Address Mapping Edit: Many-to-One 102 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 103
    have the ZyWALL forward incoming traffic to a specific computer on your local network, you should also create a port forwarding (server mapping) rule. In this example, you want to forward FTP traffic using port 21 to the computer with the IP address of 192.168.1.39. ZyWALL 2 Plus User's Guide 103
  • ZyXEL ZyWALL 2WG | User Guide - Page 104
    configure a server rule. Figure 57 Tutorial Example: NAT Address Mapping Edit: Server 3 Click the Port Forwarding tab. 4 Select the Active check box, enter a descriptive name (FTP for example), incoming port number (21) and 192.168.1.39 as the server IP address. Click Apply. 104 ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 105
    : NAT Port Forwarding Chapter 4 Tutorials 4.2.5 Allow WAN-to-LAN Traffic through the Firewall By default, the ZyWALL blocks any traffic initiated from the WAN to the LAN. To have the ZyWALL forward traffic initiated from the WAN to a local computer or server on the LAN, you need to configure
  • ZyXEL ZyWALL 2WG | User Guide - Page 106
    Configure a firewall rule to allow HTTP traffic from the WAN to the web server. Enter a descriptive name (W-L_Web for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.12 and click Add. ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 107
    4 Tutorials Figure 62 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server 7 Select HTTP(TCP:80) and HTTPS(TCP:443) in the Available Services box on the left, and click >> to add them to the Selected Service(s) box on the right. Click Apply. ZyWALL 2 Plus User's Guide 107
  • ZyXEL ZyWALL 2WG | User Guide - Page 108
    a firewall rule to allow traffic from the WAN to the mail server. Enter a descriptive name (W-L_Mail for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.13 and click Add. 108 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 109
    : WAN to LAN Address Edit for Mail Server 9 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply. Figure 65 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Mail Server ZyWALL 2 Plus User's Guide 109
  • ZyXEL ZyWALL 2WG | User Guide - Page 110
    to configure a firewall rule to allow FTP traffic from the WAN to Firewall Rule: WAN to LAN Address Edit for FTP Server 11 Select FTP(TCP:20,21) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply. 110 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 111
    Chapter 4 Tutorials Figure 67 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for FTP Server 12 When you are done, the Rule Summary screen looks as shown. Figure 68 Tutorial Example: Firewall Rule Summary ZyWALL 2 Plus User's Guide 111
  • ZyXEL ZyWALL 2WG | User Guide - Page 112
    outside network to send or retrieve a file. If you cannot access the FTP server, make sure the NAT port forwarding rule is active and there is a firewall rule to allow FTP traffic from the WAN to the FTP server. 4.3 Using NAT with Multiple Game Players If two users (behind the ZyWALL) want to connect to
  • ZyXEL ZyWALL 2WG | User Guide - Page 113
    port has an upstream (outgoing) speed of 512 kbps. To prevent SIP-based VoIP (Voice over IP) traffic from getting delayed due to heavy WWW or FTP traffic, you reserve 128 Kbps of bandwidth for outgoing VoIP traffic (from LAN to WAN) and higher priority than FTP or WWW traffic. ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 114
    WAN port's upstream speed. 4 Select Priority-Based to have the ZyWALL give preference to bandwidth classes with higher priorities. 5 Deselect the Maximize Bandwidth Usage option to reserve bandwidth for traffic that is not defined in a bandwidth class. 6 Click Apply. 114 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 115
    for VoIP traffic. The higher the number, the higher the priority. 10 Enable this filter and select the SIP service. 11 Leave the IP address and subnet mask fields blank, so that the filter will be applied to any outgoing traffic through the WAN port. Click Apply. ZyWALL 2 Plus User's Guide 115
  • ZyXEL ZyWALL 2WG | User Guide - Page 116
    Class Setup: VoIP 12 Click the Add Sub-Class button to create a rule for FTP traffic as follows. Click Apply. Figure 74 Tutorial Example: Bandwidth Management Class Setup: FTP 13 Click the Add Sub-Class button to create a rule for WWW traffic as follows. Click Apply. 116 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 117
    : Bandwidth Management Class Setup: WWW 14 When you are finished, the Class Setup screen looks as shown. Figure 76 Tutorial Example: Bandwidth Management Class Setup Done 15 Use the Monitor screen to view the bandwidth usage and allotments for the WAN interface. ZyWALL 2 Plus User's Guide 117
  • ZyXEL ZyWALL 2WG | User Guide - Page 118
    content filtering service. " You must register for external content filtering before you can use it. Use the REGISTRATION screens (see Chapter 5 on page 125) to create a myZyXEL.com account, register your device and activate the external content filtering service. 118 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 119
    Apply. Figure 78 SECURITY > CONTENT FILTER > General 4.5.2 Block Categories of Web Content Here is how to block access to web pages by category of content. 1 Click SECURITY > CONTENT FILTER > Policy and then the external database icon next to the default policy. ZyWALL 2 Plus User's Guide 119
  • ZyXEL ZyWALL 2WG | User Guide - Page 120
    Chapter 4 Tutorials Figure 79 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Select the categories to block. 4 Click Apply. Figure 80 SECURITY > CONTENT FILTER > Policy > External Database (Default) 120 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 121
    button. The ZyWALL applies the content filter policies in order, so make sure you add the new policy before the default policy. Figure 82 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Give the policy a name. 4 Configure a single address of 192.168.1.33. ZyWALL 2 Plus User's Guide 121
  • ZyXEL ZyWALL 2WG | User Guide - Page 122
    filter policy (which blocks access to arts and entertainment web pages). 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy's schedule icon. Figure 84 SECURITY > CONTENT FILTER > Policy 2 Select Everyday and enter 12:00 to 13:00. 3 Click Apply. 122 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 123
    Policy and then the Bob policy's external database icon. Figure 86 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Select the categories to block. This is very similar to Section 4.5.2 on page 119, except you do not select the arts and entertainment category. ZyWALL 2 Plus User's Guide 123
  • ZyXEL ZyWALL 2WG | User Guide - Page 124
    Chapter 4 Tutorials 4 Click Apply. Figure 87 SECURITY > CONTENT FILTER > Policy > External Database (Bob) 124 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 125
    screen. Alternatively, go to http://www.myZyXEL.com with the ZyWALL's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details. " To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL. ZyWALL 2 Plus User's Guide 125
  • ZyXEL ZyWALL 2WG | User Guide - Page 126
    and configure the following fields to create an account and register your ZyWALL. Existing myZyXEL.com account If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL. 126 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 127
    Click Reset to begin configuring this screen afresh. " If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status. Figure 89 REGISTRATION: Registered Device ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 128
    runs out, you need to buy a new iCard (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh Click this button to renew service license information (such as the license key, registration status and expiration day). 128 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 129
    PART II Network LAN Screens (131) Bridge Screens (143) WAN Screens (151) DMZ Screens (171) Wireless LAN Screens (183) 129
  • ZyXEL ZyWALL 2WG | User Guide - Page 130
    130
  • ZyXEL ZyWALL 2WG | User Guide - Page 131
    and NetBIOS settings on the LAN. • Use the Static DHCP screen (Section 6.3 on page 137) to configure the IP addresses assigned to devices in the LAN by DHCP. • Use the IP Alias screen (Section 6.4 on page 139) to configure IP alias settings on the ZyWALL's LAN ports. ZyWALL 2 Plus User's Guide 131
  • ZyXEL ZyWALL 2WG | User Guide - Page 132
    user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the ZyWALL. The Internet
  • ZyXEL ZyWALL 2WG | User Guide - Page 133
    you disable the ZyWALL's DHCP service, you must have another DHCP server on your LAN, or else the computers must be manually configured. IP Pool Setup The ZyWALL is pre-configured with a pool of IP addresses for the computers on your LAN. See Chapter 46 on page 613 for the default IP pool range. Do
  • ZyXEL ZyWALL 2WG | User Guide - Page 134
    Click NETWORK > LAN to open the LAN screen. Use this screen to configure the ZyWALL's IP address and other LAN TCP/IP settings as well as the built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. 134 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 135
    Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default. ZyWALL 2 Plus User's Guide 135
  • ZyXEL ZyWALL 2WG | User Guide - Page 136
    computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN. 136 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 137
    afresh. 6.3 The Static DHCP Screen This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. To change your ZyWALL's static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown. ZyWALL 2 Plus User's Guide 137
  • ZyXEL ZyWALL 2WG | User Guide - Page 138
    IP address that you want to assign to the computer on your LAN. Alternatively, click the right mouse button to copy and/or paste the IP address. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 138 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 139
    . The following figure shows a LAN divided into subnets A, B, and C. Figure 94 Physical Network & Partitioned Logical Networks To change your ZyWALL's IP alias settings, click NETWORK > LAN > IP Alias. The screen appears as shown. Figure 95 NETWORK > LAN > IP Alias ZyWALL 2 Plus User's Guide 139
  • ZyXEL ZyWALL 2WG | User Guide - Page 140
    to access the ZyWALL. To change your ZyWALL's port role settings, click NETWORK > LAN > Port Roles. The screen appears as shown. The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 141
    Click Reset to begin configuring this screen afresh. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 97 Port Roles Change Complete ZyWALL 2 Plus User's Guide 141
  • ZyXEL ZyWALL 2WG | User Guide - Page 142
    Chapter 6 LAN Screens 142 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 143
    firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network. In the first figure below the ZyWALL is in bridge mode and is bridging traffic on the WAN. The router device
  • ZyXEL ZyWALL 2WG | User Guide - Page 144
    from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding. Finding Out More To see more information on bridging refer to Section 26.5 on page 453. To see more advanced information on bridging refer to Section 7.4 on page 148. 144 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 145
    to configure bridge and RSTP (Rapid Spanning Tree Protocol) settings. " In bridge mode, if you need to let DHCP clients behind the ZyWALL use a DHCP server on the WAN, enable the default WAN to LAN firewall rule for the BOOTP_CLIENT service. Figure 101 NETWORK > Bridge ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 146
    Path Cost 1(Lowest)~65535(Highest) Enter a number between 1 and 65535 as RSTP path cost for the corresponding port. 65535 is the highest. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 146 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 147
    Click Reset to begin configuring this screen afresh. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 103 Port Roles Change Complete ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 148
    (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology. 148 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 149
    All BPDUs are received and processed. Learning All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded. Forwarding All BPDUs are received and processed. All information frames are received and forwarded. ZyWALL 2 Plus User's Guide 149
  • ZyXEL ZyWALL 2WG | User Guide - Page 150
    Chapter 7 Bridge Screens 150 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 151
    offers a dial-up Internet connection using PPPoE (PPP over Ethernet) or PPPoA, they should also provide a username and password (and service name) for user authentication. WAN IP Address The WAN IP address is an IP address for the ZyWALL, which makes it accessible from an outside network. It is used
  • ZyXEL ZyWALL 2WG | User Guide - Page 152
    routes cannot take priority over the WAN routes. 8.2 The WAN Route Screen Click NETWORK > WAN to open the Route screen. Use this screen to configure the priorities of the ZyWALL's routes and settings for Windows Networking traffic. Figure 104 NETWORK > WAN Route 152 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 153
    . Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 8.3 The WAN Screen To change your ZyWALL's WAN ISP, IP and MAC settings, click NETWORK > WAN > WAN. The screen differs by the encapsulation. ZyWALL 2 Plus User's Guide 153
  • ZyXEL ZyWALL 2WG | User Guide - Page 154
    IPSec router (see Section 20.1.2 on page 365). WAN MAC Address Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. 154 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 155
    please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number. 8.3.1 Configuring Ethernet Encapsulation The screen shown next is for Ethernet encapsulation. Figure 105 NETWORK > WAN > WAN (Ethernet Encapsulation) ZyWALL 2 Plus User's Guide 155
  • ZyXEL ZyWALL 2WG | User Guide - Page 156
    of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT. 156 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 157
    IP address of the computer on the LAN whose MAC you are cloning. It is recommended that you clone the MAC address prior to hooking up the WAN port. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 158
    on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LANs' computers will have access. The screen shown next is for PPPoE encapsulation. Figure 106 NETWORK > WAN > WAN (PPPoE Encapsulation) 158 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 159
    network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this checkbox to enable NAT. For more information about NAT see Chapter 17 on page 331. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 160
    client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation. 160 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 161
    (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the User Name and Password
  • ZyXEL ZyWALL 2WG | User Guide - Page 162
    the ISP assigned a fixed IP address. My WAN IP Address Enter your WAN IP address in this field if you selected Use Fixed IP Address. Advanced Setup Enable NAT (Network Address Translation) Network Address Translation (NAT) allows the translation of an Internet protocol address used within one
  • ZyXEL ZyWALL 2WG | User Guide - Page 163
    The Traffic Redirect Screen Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. ZyWALL 2 Plus User's Guide 163
  • ZyXEL ZyWALL 2WG | User Guide - Page 164
    the backup gateway (Subnet 2). Figure 109 Traffic Redirect LAN Setup 8.5 Configuring Traffic Redirect To change your ZyWALL's traffic redirect settings, click NETWORK > WAN > Traffic Redirect. The screen appears as shown. Figure 110 NETWORK > WAN > Traffic Redirect 164 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 165
    to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 8.6 The Dial Backup Screen Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. ZyWALL 2 Plus User's Guide 165
  • ZyXEL ZyWALL 2WG | User Guide - Page 166
    labels in this screen. Table 36 NETWORK > WAN > Dial Backup LABEL DESCRIPTION Dial Backup Setup Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP. Retype to
  • ZyXEL ZyWALL 2WG | User Guide - Page 167
    the WAN device. Consult the manual of String your WAN device connected to your Dial Backup port for specific AT commands. Advanced Modem Setup Click Edit to display the Advanced Setup screen and edit the details of your dial backup setup. TCP/IP Options Get IP Address Type the login name
  • ZyXEL ZyWALL 2WG | User Guide - Page 168
    The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags. 168 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 169
    string. This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication. Called ID Type the keyword preceding the dialed number. Speed Type the keyword preceding the connection speed. ZyWALL 2 Plus User's Guide 169
  • ZyXEL ZyWALL 2WG | User Guide - Page 170
    Delay (sec) Type a number of seconds for the ZyWALL to wait between dropping a callback request call and dialing the corresponding callback call. Apply Click Apply to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 170 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 171
    to configure the IP addresses assigned to devices in the DMZ by DHCP. • Use the IP Alias screen (Section 9.4 on page 179) to configure IP alias settings on the ZyWALL's DMZ ports. • Use the Port Roles screen (Section 9.5 on page 181) to configure DMZ ports on the ZyWALL. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 172
    special filter rules allowing access were configured by the administrator or the user is an authorized remote user. DMZ and NAT See Chapter 17 on page 331 for an overview of NAT. If you do not configure SUA NAT or any full feature NAT mapping rules for the public IP addresses on the DMZ, the ZyWALL
  • ZyXEL ZyWALL 2WG | User Guide - Page 173
    private) in the Network > DMZ screen (see Section 9.2 on page 174) and configure the other subnet in the Network > DMZ > IP Alias screen (see Section 9.4 on page 179) to use this kind of network setup. You also need to configure NAT for the private DMZ IP addresses. ZyWALL 2 Plus User's Guide 173
  • ZyXEL ZyWALL 2WG | User Guide - Page 174
    uses public IP addresses, the WAN and DMZ ports must use public IP addresses that are on separate subnets. See Appendix C on page 645 for information on IP subnetting. From the main menu, click NETWORK > DMZ to open the DMZ screen. The screen appears as shown next. 174 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 175
    Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default. ZyWALL 2 Plus User's Guide 175
  • ZyXEL ZyWALL 2WG | User Guide - Page 176
    IP addresses within a specified range. This allows packets even when their IP and MAC addresses do not match those specified in the Static DHCP screen or DHCP Table. Type this range of IP addresses in the From and To fields. Windows Networking (NetBIOS over TCP/IP) 176 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 177
    9.3 The Static DHCP Screen This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC Addresses. To change your ZyWALL's static DHCP settings on the DMZ, click NETWORK > DMZ > Static DHCP. The screen appears as shown. ZyWALL 2 Plus User's Guide 177
  • ZyXEL ZyWALL 2WG | User Guide - Page 178
    of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your DMZ. IP Address Type the IP address that you want to assign to the computer on your DMZ. Alternatively, click the right mouse button to copy and/or paste the IP address. 178 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 179
    use IP alias, you can have the DMZ use both public and private IP addresses at the same time. " Make sure that the subnets of the logical networks do not overlap. To change your ZyWALL's IP alias settings, click NETWORK > DMZ > IP Alias. The screen appears as shown. ZyWALL 2 Plus User's Guide 179
  • ZyXEL ZyWALL 2WG | User Guide - Page 180
    router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1. Click Apply to save your changes back to the ZyWALL. Click Reset to begin configuring this screen afresh. 180 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 181
    a port's DMZ radio button to use the port as part of the DMZ. The port will use the ZyWALL's DMZ IP address and MAC address. WLAN Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL's WLAN IP address and MAC address. ZyWALL 2 Plus User's Guide 181
  • ZyXEL ZyWALL 2WG | User Guide - Page 182
    Chapter 9 DMZ Screens Table 41 NETWORK > DMZ > Port Roles (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 182 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 183
    assigned to devices in the LAN by DHCP. • Use the IP Alias screen (Section 10.4 on page 189) to configure IP alias settings on the ZyWALL's LAN ports. • Use the Port Roles screen (Section 10.5 on page 190) to set ports as part of the LAN, DMZ and/or WLAN interface. ZyWALL 2 Plus User's Guide 183
  • ZyXEL ZyWALL 2WG | User Guide - Page 184
    screen (see Figure 125 on page 191) to set a port to be part of the WLAN and connect an access point (AP) to the WLAN interface. Click NETWORK > WLAN to open the WLAN screen to configure the IP address for ZyWALL's WLAN interface, other TCP/IP and DHCP settings. 184 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 185
    Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default. ZyWALL 2 Plus User's Guide 185
  • ZyXEL ZyWALL 2WG | User Guide - Page 186
    . Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the ZyWALL provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to
  • ZyXEL ZyWALL 2WG | User Guide - Page 187
    Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your ZyWALL's WLAN static DHCP settings, click NETWORK > WLAN > Static DHCP. The screen appears as shown. ZyWALL 2 Plus User's Guide 187
  • ZyXEL ZyWALL 2WG | User Guide - Page 188
    IP address that you want to assign to the computer on your WLAN. Alternatively, click the right mouse button to copy and/or paste the IP address. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 188 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 189
    DESCRIPTION Enable IP Alias 1, 2 Select the check box to configure another WLAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address. ZyWALL 2 Plus User's Guide 189
  • ZyXEL ZyWALL 2WG | User Guide - Page 190
    APs as part of the ZyWALL's WLAN. You can specify firewall rules for traffic going to or from the WLAN. The WLAN includes the Ethernet ports in the WLAN port role. The following figure shows the ZyWALL with an AP connected to an Ethernet port in the WLAN port role. 190 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 191
    as shown. The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL, ports 1 to 4 are all LAN ports by default. " Your changes are also reflected in the LAN and DMZ Port Roles screen. Figure 125 NETWORK > WLAN > Port Roles ZyWALL 2 Plus User's Guide 191
  • ZyXEL ZyWALL 2WG | User Guide - Page 192
    configuring this screen afresh. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Figure 126 NETWORK > WLAN > Port Roles: Change Complete 192 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 193
    PART III Security Firewall Screens (195) Content Filtering Screens (223) Content Filtering Reports (245) IPSec VPN Screens (253) Certificates Screen (295) Authentication Server Screens (323) 193
  • ZyXEL ZyWALL 2WG | User Guide - Page 194
    194
  • ZyXEL ZyWALL 2WG | User Guide - Page 195
    ZyWALL's default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 196
    configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule. 196 ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 197
    . Any traffic that does not match the first firewall rule will match the default rule and the ZyWALL forwards it. Now suppose that your company wants to let the CEO use IRC. You can configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer. In order to
  • ZyXEL ZyWALL 2WG | User Guide - Page 198
    ZyWALL would drop it and not check any other firewall rules. 11.3 The Firewall Default Rule Screen (Router Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. 198 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 199
    the labels in this screen. Table 48 SECURITY > FIREWALL > Default Rule (Router Mode) LABEL DESCRIPTION 0-100% This bar displays the percentage of the ZyWALL's firewall rules storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary
  • ZyXEL ZyWALL 2WG | User Guide - Page 200
    ZyWALL. Click Reset to begin configuring this screen afresh. 11.4 The Firewall Default Rule Screen (Bridge Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode. 200 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 201
    activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Note: When you activate the firewall, all current connections through the ZyWALL are dropped when you apply your changes. ZyWALL 2 Plus User's Guide 201
  • ZyXEL ZyWALL 2WG | User Guide - Page 202
    Click Apply to save your changes back to the ZyWALL. Click Reset to begin configuring this screen afresh. 11.5 The Firewall Rule Summary Screen Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules. 202 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 203
    for the BOOTP_CLIENT service to let DHCP clients behind the ZyWALL use a DHCP server on the WAN. • Enable the default WAN to LAN firewall rule for the NetBIOS service to let computers behind the ZyWALL access devices on the WAN using computer names. Figure 132 SECURITY > FIREWALL > Rule Summary The
  • ZyXEL ZyWALL 2WG | User Guide - Page 204
    . 11.5.1 The Firewall Edit Rule Screen In the Rule Summary screen, click the edit icon or the insert icon to display the Firewall Edit Rule screen. Use this screen to create or edit a firewall rule. Refer to the following table for information on the labels. 204 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 205
    Figure 133 SECURITY > FIREWALL > Rule Summary > Edit
  • ZyXEL ZyWALL 2WG | User Guide - Page 206
    :53) means UDP port 53 and TCP port 53. Click the Service link to go to the Service screen where you can configure custom service ports. See Appendix D on page 653 for a list of commonly used services and port numbers. You can use the [CTRL] key and select multiple services at once. Edit Schedule
  • ZyXEL ZyWALL 2WG | User Guide - Page 207
    need to configure NAT port forwarding (or full featured NAT address mapping rules) if you want to allow computers on the WAN to access devices on the LAN. Apply Cancel Note: You may also need to configure the remote management settings if you want to allow a WAN computer to manage the ZyWALL or
  • ZyXEL ZyWALL 2WG | User Guide - Page 208
    half-open sessions). These thresholds apply globally to all sessions. Click SECURITY > FIREWALL > Threshold to bring up the next screen. The global values specified for the threshold and timeout apply to all TCP connections. Figure 135 SECURITY > FIREWALL > Threshold 208 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 209
    open session when a new connection request comes. or Deny new connection requests for the number of minutes that you specify (between 1 and 255). Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. ZyWALL 2 Plus User's Guide 209
  • ZyXEL ZyWALL 2WG | User Guide - Page 210
    Service This table shows all configured custom services. # This is the index number of the custom service. Service Name This is the name of the service. Protocol This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered. 210 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 211
    This is the IP port number or ICMP type and code that defines the service. 11.8.1 The Firewall Edit Custom Service Screen Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyWALL. See Appendix
  • ZyXEL ZyWALL 2WG | User Guide - Page 212
    connection from the Internet. 1 In the Service screen, click Add to open the Edit Custom Service screen. Figure 138 My Service Firewall Rule Example: Service 2 Configure it as follows and click Apply. Figure 139 My Service Firewall Rule Example: Edit Custom Service 3 Click Rule Summary. Select WAN
  • ZyXEL ZyWALL 2WG | User Guide - Page 213
    , use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Note: Custom services show up with an * before their names in the Services list boxes and the Rule Summary screen's Service Type list box.
  • ZyXEL ZyWALL 2WG | User Guide - Page 214
    Figure 142 My Service Firewall Rule Example: Edit Rule: Service Configuration. Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • ZyXEL ZyWALL 2WG | User Guide - Page 215
    the LAN interface (IP alias). Note: You can also configure the remote management settings to allow only a specific computer to manage the ZyWALL. • LAN to WAN These rules specify which computers on the LAN can access which computers or services connected to the WAN. ZyWALL 2 Plus User's Guide 215
  • ZyXEL ZyWALL 2WG | User Guide - Page 216
    IP addresses from accessing it. Note: You also need to configure NAT port forwarding (or full featured NAT address mapping rules) to allow computers on the WAN to access devices on the LAN. See Section 17.4.1 on page 337 for an example. • WAN to WAN By default the ZyWALL stops computers connected
  • ZyXEL ZyWALL 2WG | User Guide - Page 217
    any VPN tunnel to go to any of the ZyWALL's interfaces, the ZyWALL itself and other VPN tunnels. You could edit the From VPN To LAN default firewall rule to silently block traffic from the VPN tunnels from going to the LAN computers. Figure 145 From VPN to LAN Example ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 218
    is to use IP alias to put the ZyWALL and the backup gateway on separate subnets. Asymmetrical Routes and IP Alias You can use IP alias instead of allowing asymmetrical routes. IP alias allows you to partition your network into logical sections over the same interface.
  • ZyXEL ZyWALL 2WG | User Guide - Page 219
    ). After this handshake, a connection is established. Figure 148 Three-Way Handshake For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DoS attack.
  • ZyXEL ZyWALL 2WG | User Guide - Page 220
    to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramifications before creating a rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For example
  • ZyXEL ZyWALL 2WG | User Guide - Page 221
  • ZyXEL ZyWALL 2WG | User Guide - Page 222
  • ZyXEL ZyWALL 2WG | User Guide - Page 223
    filtering, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories. The content filtering lookup process is described below.
  • ZyXEL ZyWALL 2WG | User Guide - Page 224
    and configure general settings. You must register for external content filtering before you can use it. Use the REGISTRATION screens (see Chapter 5 on page 125) to create a myZyXEL.com account, register your device and activate the external content filtering service. 224 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 225
    ZyWALL sends out through a VPN tunnel or receives through a VPN tunnel. The ZyWALL applies the content filter to the traffic before encrypting it or after decrypting it. External Database Service General Setup Enable External Database Content Filtering Note: The ZyWALL can apply content filtering
  • ZyXEL ZyWALL 2WG | User Guide - Page 226
    ZyWALL's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 160 on page 247). Type your myZyXEL.com account password in the Password field and click Submit. External Database Service License Status 226 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 227
    a URL and a user tries to access a web page containing a forbidden object, a blocking page displays on the forbidden object. Click Apply to save your changes back to the ZyWALL. Click Reset to begin configuring this screen afresh. 12.3 The Policy Screen Click SECURITY > CONTENT FILTER > Policy to
  • ZyXEL ZyWALL 2WG | User Guide - Page 228
    the policy applies. Click the delete icon to remove the content filter policy. You cannot delete the default policy. A window displays asking you to confirm that you want to delete the policy. Note that subsequent policies move up by one when you take this action.
  • ZyXEL ZyWALL 2WG | User Guide - Page 229
    Policy > General LABEL DESCRIPTION Active Select this option to turn on the content filter policy. Policy Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the content filter policy. Spaces are allowed. ZyWALL 2 Plus User's Guide 229
  • ZyXEL ZyWALL 2WG | User Guide - Page 230
    acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server. Address Setup Address Type Do you want
  • ZyXEL ZyWALL 2WG | User Guide - Page 231
    , sexual content, or nudity. These pages include very profane or vulgar content and pages that are not appropriate for children. Selecting this category excludes pages that contain sexually explicit material for the purpose of arousing a sexual or prurient interest. ZyWALL 2 Plus User's Guide 231
  • ZyXEL ZyWALL 2WG | User Guide - Page 232
    12 Content Filtering Screens Table 59 SECURITY > CONTENT FILTER > people or property, or that advocate or provide instructions on how to cause such harm. It also promote collecting weapons, or groups that either support or oppose weapons use. Selecting this category ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 233
    Chapter 12 Content Filtering Screens Table 59 SECURITY > CONTENT FILTER > Policy > here. Includes sites that endorse or offer methods, means of instruction, or other resources to affect or influence real events through support or host online sweepstakes and giveaways. ZyWALL 2 Plus User's Guide 233
  • ZyXEL ZyWALL 2WG | User Guide - Page 234
    magazines. It does not include pages that can be rated in other categories. Personals/Dating Selecting this category excludes pages that promote interpersonal relationships. 234 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 235
    pages that support the offering and purchasing of goods between individuals. This does not include classified advertisements. Real Estate Selecting this category excludes pages that provide information on renting, buying, or selling real estate or properties. ZyWALL 2 Plus User's Guide 235
  • ZyXEL ZyWALL 2WG | User Guide - Page 236
    that bypasses the proxy server/appliance. It also includes any service that will allow a person to bypass the content filtering feature, such as anonymous surfing services. For Kids Selecting this include advertising servers that serve adult-oriented advertisements. 236 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 237
    to add or remove specific sites or keywords from the filter list. Note: Use the SECURITY > CONTENT FILTER > Object screen (see Section 12.4 on page 240) first to configure the master lists of trusted (allowed) web sites, forbidden (blocked) web sites, and keywords.
  • ZyXEL ZyWALL 2WG | User Guide - Page 238
    The following table describes the labels in this screen. Table 60 SECURITY > CONTENT FILTER > Policy > Customization LABEL DESCRIPTION Policy Name This is the name of the content filter policy that you are configuring. Web Site List Customization Enable Web site customization Select this
  • ZyXEL ZyWALL 2WG | User Guide - Page 239
    Click Cancel to exit this screen without saving. 12.3.4 The Edit Policy Screen: Schedule Click SECURITY > CONTENT FILTER > Policy and then a policy's schedule icon to display the following screen. Use this screen to set for which days and times the policy applies. ZyWALL 2 Plus User's Guide 239
  • ZyXEL ZyWALL 2WG | User Guide - Page 240
    SECURITY > CONTENT FILTER > Policy > Schedule LABEL DESCRIPTION Policy Name This is the name of the content filter policy that you are configuring. Schedule Setup Content filtering scheduling applies to the filter specific sites or keywords from the filter list. 240 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 241
    in content filtering, you must use the SECURITY > CONTENT FILTER > Policy > Customization screen to set individual policies to add or remove specific sites or keywords for individual policies. Click SECURITY > CONTENT FILTER > Object to display the following screen. ZyWALL 2 Plus User's Guide 241
  • ZyXEL ZyWALL 2WG | User Guide - Page 242
    SECURITY > CONTENT FILTER > Object LABEL DESCRIPTION Trusted Web Sites These are sites that you want to allow access to, regardless of their content. For example, entering "zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com", etc. Trusted Web
  • ZyXEL ZyWALL 2WG | User Guide - Page 243
    back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 12.5 The Cache Screen Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen. Use this screen to view and configure your ZyWALL's URL caching. You can also configure how long a categorized
  • ZyXEL ZyWALL 2WG | User Guide - Page 244
    address that the ZyWALL previously checked with the external content filtering database. Remaining Time This is the number of hours left before the URL entry is discarded from the cache. (hour) Modify Click the delete icon to remove the URL entry from the cache. 244 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 245
    to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days). 1 Go to http://www.myZyXEL.com. 2 Fill in your myZyXEL.com account information and click Submit. ZyWALL 2 Plus User's Guide 245
  • ZyXEL ZyWALL 2WG | User Guide - Page 246
    name for your ZyWALL using the Rename button in the Service Management screen (see Figure 160 on page 247). Figure 159 myZyXEL.com: Welcome 4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen. 246 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 247
    the Name field. You can find this MAC address in the Service Management screen (Figure 160 on page 247). Type your myZyXEL.com account password in the Password field. 6 Click Submit. Figure 161 Blue Coat: Login 7 In the Web Filter Home screen, click the Reports tab. ZyWALL 2 Plus User's Guide 247
  • ZyXEL ZyWALL 2WG | User Guide - Page 248
    (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen. 10 A chart and/or list of requested web site categories display in the lower half of the screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 249
    Figure 164 Global Report Screen Example. 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • ZyXEL ZyWALL 2WG | User Guide - Page 250
    procedure to submit the web site for review. 1 Log into the content filtering reports web site (see Section 13.2 on page 245). 2 In the Web Filter Home screen (see Figure 162 on page 248), click Site Submissions to open the Web Page Review Process screen shown next. 250 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 251
    Figure 166 Web Page Review Process Screen. 3 Type the web site's URL in the field and click Submit to have the web site reviewed.
  • ZyXEL ZyWALL 2WG | User Guide - Page 252
  • ZyXEL ZyWALL 2WG | User Guide - Page 253
    of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management. • Use the SA Monitor screen (see Section 14.4 on page 275) to display and manage active VPN connections. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 254
    computer or network. • A gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel. • A network policy contains the IPSec SA settings. It specifies which devices (behind the IPSec routers) can use the VPN tunnel. 254 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 255
    IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can initiate an IKE SA. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 256
    Policies The subsequent rows in a VPN rule are network policies. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. 256 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 257
    . Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA. ZyWALL 2 Plus User's Guide 257
  • ZyXEL ZyWALL 2WG | User Guide - Page 258
    Figure 172 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
  • ZyXEL ZyWALL 2WG | User Guide - Page 259
    -only and displays the ZyWALL's IP address. The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after setup. Primary Remote Gateway Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to
  • ZyXEL ZyWALL 2WG | User Guide - Page 260
    to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses. When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this ZyWALL in the local Content field. Use up to 31 ASCII
  • ZyXEL ZyWALL 2WG | User Guide - Page 261
    how you configure the ID Type and Content fields, two active IPSec SAs cannot have both the local and remote IP address ranges overlap between rules. Extended Authentication Enable Extended Select this check box to activate extended authentication. Authentication ZyWALL 2 Plus User's Guide 261
  • ZyXEL ZyWALL 2WG | User Guide - Page 262
    Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients' usernames and passwords in the authentication server's local user database or a RADIUS server. Click Local
  • ZyXEL ZyWALL 2WG | User Guide - Page 263
    Policy -Edit screen. Use this screen to configure a network policy. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. ZyWALL 2 Plus User's Guide 263
  • ZyXEL ZyWALL 2WG | User Guide - Page 264
    Figure 173 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
  • ZyXEL ZyWALL 2WG | User Guide - Page 265
    remote network and vice versa. Select this check box to send NetBIOS packets through the VPN connection. Check IPSec Tunnel Connectivity Select the check box and configure an IP address in the Ping this Address field to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router
  • ZyXEL ZyWALL 2WG | User Guide - Page 266
    rule, click this button to go to a screen where you can configure port forwarding for your VPN tunnels. The VPN network policy port forwarding rules let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address. Type Select One-to-One to translate a single (static
  • ZyXEL ZyWALL 2WG | User Guide - Page 267
    common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3. Remote Network Specify the IP addresses of the devices behind the remote IPSec router that can use the VPN tunnel. The remote IP addresses must correspond to the remote IPSec router's configured local IP addresses
  • ZyXEL ZyWALL 2WG | User Guide - Page 268
    -to-One as the Type and click the Port Forwarding Rules button to open the following screen. Use this screen to configure port forwarding for your VPN tunnels to let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address on the LAN. 268 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 269
    VPN Rules (IKE) > Edit Network Policy > Port Forwarding LABEL DESCRIPTION Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP
  • ZyXEL ZyWALL 2WG | User Guide - Page 270
    Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gateway policy and one or more network policies. • The gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel. • The network policy
  • ZyXEL ZyWALL 2WG | User Guide - Page 271
    Address. A (static) IP address and a subnet mask are displayed when the Remote Network Address Type field in the VPN - Manual Key - Edit screen is configured to Subnet Address. Encap. This field displays Tunnel or Transport mode (Tunnel is the default selection). ZyWALL 2 Plus User's Guide 271
  • ZyXEL ZyWALL 2WG | User Guide - Page 272
    edit icon on the VPN Rules (Manual) screen to open the following screen. Use this screen to configure VPN rules that use manual keys. Manual key management is useful if you have problems with IKE key management. Figure 177 SECURITY > VPN > VPN Rules (Manual) > Edit 272 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 273
    this check box to send NetBIOS packets through the VPN connection. Local Network Specify the IP addresses of the devices behind the ZyWALL that can use the VPN tunnel. The local IP addresses must correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the
  • ZyXEL ZyWALL 2WG | User Guide - Page 274
    mask on the network behind the remote IPSec router. Gateway Policy Information My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you
  • ZyXEL ZyWALL 2WG | User Guide - Page 275
    to display the current active VPN connection(s). Disconnect Select a security association index number that you want to disconnect and then click Disconnect. 14.5 The Global Setting Screen Use this screen to change settings that apply to all of your VPN tunnels. ZyWALL 2 Plus User's Guide 275
  • ZyXEL ZyWALL 2WG | User Guide - Page 276
    network M (10.1.2.0/24) in ZyWALL X's LAN. For the VPN rule, you configure the VPN network as follows. • Local IP address start: 192.168.1.1, end: 192.168.1.254 • Remote IP address start: 10.1.2.240, end: 10.1.2.254 • IP addresses 10.1.2.240 to 10.1.2.254 overlap. 276 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 277
    IP alias network M, you have to set Local and Remote IP Address Conflict Resolution to The Local Network. 14.5.1 Configuring the Global Setting Screen Click SECURITY > VPN > Global Setting to open the VPN Global Setting screen. Figure 181 SECURITY > VPN > Global Setting ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 278
    VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. 278 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 279
    . They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyWALL at headquarters can overlap. The local IP addresses of the rules configured on the telecommuters' IPSec routers should not overlap. ZyWALL 2 Plus User's Guide 279
  • ZyXEL ZyWALL 2WG | User Guide - Page 280
    (telecommuterb.dydns.org) Local ID Type: DNS Local ID Content: telecommuterb.com Local IP Address: 192.168.3.2 Headquarters ZyWALL Rule 2: Peer ID Type: DNS Peer ID Content: telecommuterb.com Remote Gateway Address: telecommuterb.dydns.org Remote Address 192.168.3.2 280 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 281
    to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. One of the ZyWALL's ports must be part of the VPN rule's local network. This can be the ZyWALL's LAN port if you do not want to allow remote management on the WAN port. You also have to configure remote management
  • ZyXEL ZyWALL 2WG | User Guide - Page 282
    able to use VPN to connect to more networks. Hub-and-spoke VPN makes it easier for the hub router to manage the traffic between the spoke routers. If you have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, the hub router can also provide content filtering protection for
  • ZyXEL ZyWALL 2WG | User Guide - Page 283
    -and-spoke VPN. The local IP addresses configured in the VPN rules cannot overlap. The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may
  • ZyXEL ZyWALL 2WG | User Guide - Page 284
    sends the accepted proposal back to the ZyWALL. If the remote IPSec router rejects all of the proposals (for example, if the VPN tunnel is not configured correctly), the ZyWALL and remote IPSec router cannot establish an IKE SA. Note: Both routers must use the same encryption algorithm, authentication
  • ZyXEL ZyWALL 2WG | User Guide - Page 285
    ID Type and Content. ZyWALL: Local ID type: E-mail; Local ID content: [email protected]; Peer ID type: IP; Peer ID content: 1.1.1.2. Remote IPSec router: Local ID type: IP; Local ID content: 1.1.1.2; Peer ID type: E-mail; Peer ID content: [email protected]
  • ZyXEL ZyWALL 2WG | User Guide - Page 286
    name or password is wrong, the routers do not establish an IKE SA. You can set up the ZyWALL to provide a user name and password to the remote IPSec router, or you can set up the ZyWALL to check a user name and password that is provided by the remote IPSec router. 286 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 287
    feature helps router A recognize VPN packets and route them appropriately. If router A has this feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP. (See Section 14.9 on page 283 for more information about active protocols.) ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 288
    packets. If you configure router A to forward these packets unchanged, router X and router Y can establish a VPN tunnel. You have to do the following things to set up NAT traversal. • Enable NAT traversal on the ZyWALL and remote IPSec router. • Configure the NAT router to forward packets with the
  • ZyXEL ZyWALL 2WG | User Guide - Page 289
    VPN tunnel (A) goes down, the ZyWALL uses the redundant VPN tunnel (B). Figure 191 IPSec High Availability When setting up an IPSec high availability VPN tunnel, the remote IPSec router: • Must have multiple WAN connections here in order from weakest to strongest. ZyWALL 2 Plus User's Guide 289
  • ZyXEL ZyWALL 2WG | User Guide - Page 290
    them through the VPN tunnel. Avoiding Overlapping Local And Remote Network IP Addresses If both IPSec routers support virtual address mapping, you can access devices on both networks, even if their IP addresses overlap. You map the ZyWALL's local network addresses to virtual IP addresses and map
  • ZyXEL ZyWALL 2WG | User Guide - Page 291
    , AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). Note: The ZyWALL and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.
  • ZyXEL ZyWALL 2WG | User Guide - Page 292
    you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. 292 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 293
    keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not establish an IKE SA. They
  • ZyXEL ZyWALL 2WG | User Guide - Page 294
  • ZyXEL ZyWALL 2WG | User Guide - Page 295
    Servers screen (see Section 15.12 on page 319) to configure a list of addresses of directory servers (that contain lists of be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows. 1 Tim wants to ZyWALL 2 Plus User's Guide 295
  • ZyXEL ZyWALL 2WG | User Guide - Page 296
    15 Certificates Screen The ZyWALL uses certificates based on public-key cryptology to authenticate users attempting to establish a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the
  • ZyXEL ZyWALL 2WG | User Guide - Page 297
    connection. 15.2 The My Certificates Screen Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL's summary list of certificates and certification requests. Certificates display in black and certification requests display in gray.
  • ZyXEL ZyWALL 2WG | User Guide - Page 298
    full, you should consider deleting expired or unnecessary certificates before adding more certificates. Replace This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 299
    use this screen to view in-depth certificate information and change the certificate's name. If it is a self-signed certificate, you can also set the ZyWALL to use the certificate to sign the imported trusted remote host certificates.
  • ZyXEL ZyWALL 2WG | User Guide - Page 300
    labels in this screen. Table 78 SECURITY > CERTIFICATES > My Certificates > Details ZyWALL. Subject This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
  • ZyXEL ZyWALL 2WG | User Guide - Page 301
    SECURITY owner's IP address (IP), domain name management computer for later manual enrollment. You can copy default self-signed certificate that signs the imported trusted remote host certificates. Cancel Click Cancel to quit and return to the My Certificates screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 302
    make sure that you have entered it correctly. Apply Click Apply and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. Cancel Click Cancel to quit and return to the My Certificates screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 303
    to occur since many programs use text files by default. Click SECURITY > CERTIFICATES > My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate from a computer to the ZyWALL.
  • ZyXEL ZyWALL 2WG | User Guide - Page 304
    > Import: PKCS#12 LABEL DESCRIPTION Password Type the file's password that was created when the PKCS #12 file was exported. Apply Click Apply to save the certificate on the ZyWALL. Cancel Click Cancel to quit and return to the My Certificates screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 305
    open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 201 SECURITY > CERTIFICATES > My Certificates > Create (Basic)
  • ZyXEL ZyWALL 2WG | User Guide - Page 306
    Create (Advanced) The following table describes the labels in this screen. Table 82 SECURITY > CERTIFICATES > My Certificates > Create LABEL DESCRIPTION Certificate Name Type up to 31 subject information. The fields below display when you click
  • ZyXEL ZyWALL 2WG | User Guide - Page 307
    SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Common Name Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP apply to a certification authority for a certificate.
  • ZyXEL ZyWALL 2WG | User Guide - Page 308
    through a RA (Registration Authority). The RA is an intermediary authorized by a CA to verify each subscriber's identity and forward the requests to the CA. After the CA signs and issues the certificates, the RA distributes the certificates to the subscribers.
  • ZyXEL ZyWALL 2WG | User Guide - Page 309
    that you have set the ZyWALL to accept as trusted. The ZyWALL accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.
  • ZyXEL ZyWALL 2WG | User Guide - Page 310
    browse to the location that you want to use and click Save. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificates. Note that subsequent certificates move up by one when you take this action.
  • ZyXEL ZyWALL 2WG | User Guide - Page 311
    change the certificate's name and set whether or not you want the ZyWALL to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority. Figure 204 SECURITY > CERTIFICATES > Trusted CAs > Details
  • ZyXEL ZyWALL 2WG | User Guide - Page 312
    . Table 84 SECURITY > CERTIFICATES > ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
  • ZyXEL ZyWALL 2WG | User Guide - Page 313
    certification authority's certificate from a computer to the ZyWALL. The ZyWALL trusts any valid certificate signed by any of the imported trusted CA certificates. You must remove any spaces from the certificate's filename before you can import the certificate.
  • ZyXEL ZyWALL 2WG | User Guide - Page 314
    that is signed by one of the certification authorities on the Trusted CAs screen since the ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy. Figure 206 SECURITY > CERTIFICATES > Trusted Remote Hosts
  • ZyXEL ZyWALL 2WG | User Guide - Page 315
    your computer to the ZyWALL. Refresh Click this button to display the current validity status of the certificates. 15.10 The Trusted Remote Hosts Details Screen Click SECURITY > CERTIFICATES > Trusted host's certificate and/or change the certificate's name.
  • ZyXEL ZyWALL 2WG | User Guide - Page 316
    default self-signed certificate that the ZyWALL ZyWALL is the Certification Authority that signed the certificate. X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
  • ZyXEL ZyWALL 2WG | User Guide - Page 317
    Screen Table 87 SECURITY > CERTIFICATES information about the default self-signed certificate on the ZyWALL that the ZyWALL uses to Subject Alternative Name This field displays the certificate's owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
  • ZyXEL ZyWALL 2WG | User Guide - Page 318
    screen. Table 88 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
  • ZyXEL ZyWALL 2WG | User Guide - Page 319
    identify this directory server. Address This field displays the IP address or domain name of the directory server. Port This field displays the port number that the directory server uses. Protocol This field displays the protocol that the directory server uses.
  • ZyXEL ZyWALL 2WG | User Guide - Page 320
    Directory Access Protocol) is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates.A Server Address Type the IP address (in dotted decimal notation) or the domain name of the directory server. 320 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 321
    authority). Apply Click Apply to save your changes back to the ZyWALL. Cancel Click Cancel to quit configuring this screen and return to the Directory Servers screen. A. At the time of writing, LDAP is the only choice of directory server access protocol.
  • ZyXEL ZyWALL 2WG | User Guide - Page 322
    Chapter 15 Certificates Screen
  • ZyXEL ZyWALL 2WG | User Guide - Page 323
    services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client's network activity. RADIUS is a simple package exchange in which the ZyWALL acts as a message relay between the client and the network RADIUS server.
  • ZyXEL ZyWALL 2WG | User Guide - Page 324
    network security, the ZyWALL and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access. 16.2 The Local User
  • ZyXEL ZyWALL 2WG | User Guide - Page 325
    the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 2WG | User Guide - Page 326
    IP address of the external accounting server in dotted decimal notation. Port Number The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
  • ZyXEL ZyWALL 2WG | User Guide - Page 327
    accounting server and the ZyWALL. The key is not sent over the network. This key must be the same on the external accounting server and ZyWALL. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 2WG | User Guide - Page 328
    Chapter 16 Authentication Server Screens
  • ZyXEL ZyWALL 2WG | User Guide - Page 329
    PART IV Advanced: Network Address Translation (NAT) Screens (331), Static Route Screens (347), Bandwidth Management Screens (351), DNS Screens (365), Remote Management Screens (377), UPnP Screens (397), ALG Screen (409)
  • ZyXEL ZyWALL 2WG | User Guide - Page 330
  • ZyXEL ZyWALL 2WG | User Guide - Page 331
    local IP address to a unique global IP address. • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead.
  • ZyXEL ZyWALL 2WG | User Guide - Page 332
    select Full Feature NAT and don't configure NAT mapping rules to those computers with public IP addresses on the DMZ. 17.1.3 Before You Begin You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 17.2 The NAT Overview
  • ZyXEL ZyWALL 2WG | User Guide - Page 333
    off the NAT feature for the WAN port. Address Mapping Rules Select SUA if you have just one public WAN IP address for your ZyWALL. This lets the ZyWALL use its permanent, pre-defined NAT address mapping rules. Select Full Feature if you have multiple public WAN IP addresses for your ZyWALL. This
  • ZyXEL ZyWALL 2WG | User Guide - Page 334
    you have already configured rules 1 to 6 in your current set and now you configure rule number 9. NAT > Address Mapping LABEL DESCRIPTION SUA Address This read-only table displays the default address mapping rules. Mapping Rules Full Feature Address Mapping Rules
  • ZyXEL ZyWALL 2WG | User Guide - Page 335
    change for the One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only. 3. Many-to-Many Overload mode
  • ZyXEL ZyWALL 2WG | User Guide - Page 336
    services at your location. If you are unsure, refer to your ISP. Default Server IP Address In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 337
    be accessible to the outside world through a single WAN IP address. When you use port translation with port forwarding, multiple servers on the local network can use the same port number and still be accessible to the outside world through a single WAN IP address.
  • ZyXEL ZyWALL 2WG | User Guide - Page 338
    access server B from the Internet must use port 8100. Figure 217 Port Translation Example 17.4.2 Configuring the Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets
  • ZyXEL ZyWALL 2WG | User Guide - Page 339
    ZyWALL automatically calculates the last port of the translated port range. Server IP Address Enter the inside IP address of the server here. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 2WG | User Guide - Page 340
    port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually
  • ZyXEL ZyWALL 2WG | User Guide - Page 341
    Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 17.6 NAT Technical Reference This technical reference contains the following sections: • Inside/outside and Global/local • What NAT Does • How NAT Works
  • ZyXEL ZyWALL 2WG | User Guide - Page 342
    Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with
  • ZyXEL ZyWALL 2WG | User Guide - Page 343
    221 How NAT Works NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
  • ZyXEL ZyWALL 2WG | User Guide - Page 344
    1, A has already sent packets to 3, C and 4, D, they can send packets back to 2, B and the ZyWALL will perform NAT on them and send them to the server at IP address 1, port A. Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A.
  • ZyXEL ZyWALL 2WG | User Guide - Page 345
    Chapter 17 Network Address Translation (NAT) Screens Figure 223 Port Restricted Cone NAT Example
  • ZyXEL ZyWALL 2WG | User Guide - Page 346
    Chapter 17 Network Address Translation (NAT) Screens
  • ZyXEL ZyWALL 2WG | User Guide - Page 347
    LAN interface. The ZyWALL routes most traffic from A to the Internet through the default gateway (R1). You create one static route to connect to services offered by your ISP behind router R2. You create another static route to communicate with a separate network behind a router (R3) connected to the
  • ZyXEL ZyWALL 2WG | User Guide - Page 348
    to their destinations. Modify Click the edit icon to go to the screen where you can set up a static route on the ZyWALL. Click the delete icon to remove a static route from the ZyWALL. A window displays asking you to confirm that you want to delete the route.
  • ZyXEL ZyWALL 2WG | User Guide - Page 349
    identical to the host ID. IP Subnet Mask Enter the IP subnet mask here. Gateway IP Address Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. Metric Metric
  • ZyXEL ZyWALL 2WG | User Guide - Page 350
    Chapter 18 Static Route Screens
  • ZyXEL ZyWALL 2WG | User Guide - Page 351
    page 357) to view the configured bandwidth classes by individual interface and to set up a bandwidth class's name, bandwidth allotment, and bandwidth filter. • Use the Monitor screen (Section 19.5 on page 363) to view the device's bandwidth usage and allotments.
  • ZyXEL ZyWALL 2WG | User Guide - Page 352
    classes that you configure without filters. The ZyWALL leaves the bandwidth budget allocated and unused for a class that does not have a filter or sub-classes with filters. The total of the configured bandwidth budgets for sub-classes cannot exceed the configured bandwidth budget speed of the parent
  • ZyXEL ZyWALL 2WG | User Guide - Page 353
    Scheduler With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities more bandwidth, the ZyWALL gives extra bandwidth to that class. When multiple classes require more bandwidth, the ZyWALL gives the highest Kbps
  • ZyXEL ZyWALL 2WG | User Guide - Page 354
    configure both maximize bandwidth usage (on the interface) and bandwidth borrowing (on individual sub-classes), the ZyWALL functions as follows. 1 The ZyWALL (Service = SIP): 500 Kbps 7 as Speed setting) NetMeeting traffic (Service = H.323): 500 kbps 7 FTP (Service =
  • ZyXEL ZyWALL 2WG | User Guide - Page 355
    a bandwidth class (see Maximize Bandwidth Usage on page 353) or you want to limit the speed of this interface (see the Speed field description). Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 2WG | User Guide - Page 356
    is allocated 2048 kbps. The unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when you do not select the maximize bandwidth option. Table 104 Maximize Bandwidth Usage goes to the higher priority sales and marketing classes.
  • ZyXEL ZyWALL 2WG | User Guide - Page 357
    the interface (see Section 19.3 on page 354 to configure the speed of the interface). Configure subclass layers for the root class. To add or delete child classes on an interface, click ADVANCED > BW MGMT > Class Setup. The screen is shown here with example classes.
  • ZyXEL ZyWALL 2WG | User Guide - Page 358
    is configured to manage. Destination IP Address This is the destination IP address for connections to which this bandwidth management filter applies. Destination Port This is the destination port for connections to which this bandwidth management filter applies.
  • ZyXEL ZyWALL 2WG | User Guide - Page 359
    allotment of their parent class. The ZyWALL uses the scheduler to divide a parent class's unused bandwidth among the sub-classes. Click ADVANCED > BW MGMT > Class Setup > Add Sub-Class or Edit to open the following screen. Use this screen to add a child class.
  • ZyXEL ZyWALL 2WG | User Guide - Page 360
    Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields which are only available when you enter the destination or source IP address).
  • ZyXEL ZyWALL 2WG | User Guide - Page 361
    C on page 645 for more information on IP subnetting. Source Port Enter the starting and ending destination port numbers. Enter the same port number in both fields to specify a single port number. See the following table for some common services and port numbers.
  • ZyXEL ZyWALL 2WG | User Guide - Page 362
    borrowing disabled. 19.4.3 The Bandwidth Management Statistics Screen Click ADVANCED > BW MGMT > Class Setup > Statistics to open the Bandwidth Management Statistics screen. This screen displays the selected bandwidth class's bandwidth usage and allotments.
  • ZyXEL ZyWALL 2WG | User Guide - Page 363
    screen. Table 110 ADVANCED > BW MGMT > Class Setup > Statistics LABEL DESCRIPTION Class Name This field displays the time interval or to not update the screen statistics. Refresh Click this button to update the screen's statistics immediately. and allotments.
  • ZyXEL ZyWALL 2WG | User Guide - Page 364
    bandwidth class is using. Click Refresh to update the page. A. If you allocate all the root class's bandwidth to the bandwidth classes, the default class still displays a budget of 2 kbps (the minimum amount of bandwidth that can be assigned to a bandwidth class).
  • ZyXEL ZyWALL 2WG | User Guide - Page 365
    set the DNS server fields to get the DNS server address from the ISP. 3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Private DNS Server on page 366).
  • ZyXEL ZyWALL 2WG | User Guide - Page 366
    VPN tunnels are created from ZyWALL A; one to branch office 2, one to branch office 3 and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the ZyWALL at branch office 1 uses the Intranet DNS server in headquarters.
  • ZyXEL ZyWALL 2WG | User Guide - Page 367
    reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address. 20.2 The System Screen Click ADVANCED > DNS to display the following screen. Use this screen to configure your ZyWALL's DNS address and name server records.
  • ZyXEL ZyWALL 2WG | User Guide - Page 368
    . This column displays whether or not the DNS wildcard feature is enabled for this domain name. This is the IP address of a host. Click the edit icon to go the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
  • ZyXEL ZyWALL 2WG | User Guide - Page 369
    WAN port, select Custom and enter the IP address of the host in dotted decimal notation. Enable Wildcard Select the check box to enable DNS wildcard. Apply Click Apply to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL ZyWALL 2WG | User Guide - Page 370
    behind a VPN peer. Enter the DNS server's IP address in the field to the right. With a private DNS server, you must also configure the first DNS server entry for the LAN, DMZ and/or WLAN in the DNS DHCP screen to use DNS Relay. You must also configure a VPN rule since the ZyWALL uses a VPN tunnel
  • ZyXEL ZyWALL 2WG | User Guide - Page 371
    and reduces the amount of traffic that the ZyWALL sends out to the WAN. Maximum TTL Type the maximum time to live (TTL) (60 to 3600 seconds). This sets how long the ZyWALL is to allow a positive resolution entry to remain in the DNS cache before discarding it.
  • ZyXEL ZyWALL 2WG | User Guide - Page 372
    entry from the cache. 20.4 The DHCP Screen Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients. Figure 238 ADVANCED > DNS > DHCP
  • ZyXEL ZyWALL 2WG | User Guide - Page 373
    Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
  • ZyXEL ZyWALL 2WG | User Guide - Page 374
    WAN IP address, then you cannot use Dynamic DNS. To change your ZyWALL's DDNS, click ADVANCED > DNS > DDNS. The screen appears as shown. Figure 239 ADVANCED > DNS > DDNS The following table describes the labels in this screen. LABEL Account Setup Active Service Provider Username Password
  • ZyXEL ZyWALL 2WG | User Guide - Page 375
    to have the ZyWALL update the domain name with the WAN port's IP address. Select Use User-Defined and enter the IP address if you have a static IP address. Select Let DDNS Server Auto Detect only when there are one or more NAT routers between the ZyWALL and the DDNS server. This feature has the DDNS
  • ZyXEL ZyWALL 2WG | User Guide - Page 376
    Chapter 20 DNS Screens
  • ZyXEL ZyWALL 2WG | User Guide - Page 377
    • Use the DNS screen (Section 21.8 on page 393) to set from which IP address the ZyWALL will accept DNS queries and on which interface it can send them your ZyWALL's DNS settings. • Use the CNM screen (Section 21.9 on page 394) to configure the ZyWALL's CNM settings.
  • ZyXEL ZyWALL 2WG | User Guide - Page 378
    Management refer to Section 21.10 on page 396. The next section covers remote management examples. If you would prefer to find out how to configure the screens then proceed to Section 21.3 on page 385.
  • ZyXEL ZyWALL 2WG | User Guide - Page 379
    If you haven't changed the default HTTPS port on the ZyWALL, then in your browser enter "https://ZyWALL IP Address/" as the web site address where "ZyWALL IP Address" is the IP address or domain name of the ZyWALL you wish to access. 21.2.1.1 Internet Explorer Warning Messages When you attempt to
  • ZyXEL ZyWALL 2WG | User Guide - Page 380
    ZyWALL's factory default certificate is the ZyWALL actual IP address of the HTTPS server (the IP address of the ZyWALL's port that ZyWALL sends to HTTPS clients. • Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field.
  • ZyXEL ZyWALL 2WG | User Guide - Page 381
    in the bottom right of the browser status bar denotes a secure connection. Figure 244 Example: Lock Denoting a Secure Connection Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models.
  • ZyXEL ZyWALL 2WG | User Guide - Page 382
    to that shown in the following figure. Figure 246 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen. Figure 247 Common ZyWALL Certificate
  • ZyXEL ZyWALL 2WG | User Guide - Page 383
    client program user's guide. 21.2.2.1 Example 1: Microsoft Windows This section describes how to access the ZyWALL using the Secure Shell Client program. 1 Launch the SSH client and specify the connection information (IP address, port number or device name) for the ZyWALL. 2 Configure the SSH client
  • ZyXEL ZyWALL 2WG | User Guide - Page 384
    (yes/no)? yes Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts. [email protected]'s password: sftp> put firmware.bin ras Uploading firmware.bin to /ras Read from remote host 192.168.1.1: Connection reset by peer Connection closed $
  • ZyXEL ZyWALL 2WG | User Guide - Page 385
    server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL's WS (web server). Figure 252 HTTPS Implementation If you disable the HTTP service in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts.
  • ZyXEL ZyWALL 2WG | User Guide - Page 386
    that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service. HTTP
  • ZyXEL ZyWALL 2WG | User Guide - Page 387
    SMT management and file transfer on port 22. Only one SSH connection is allowed at a time. Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.
  • ZyXEL ZyWALL 2WG | User Guide - Page 388
    exit this screen. Reset Click Reset to begin configuring this screen afresh. 21.5 The Telnet Screen You can use Telnet to access the ZyWALL's SMT or command line interface. Specify which interfaces allow Telnet access and from which IP address the access can come.
  • ZyXEL ZyWALL 2WG | User Guide - Page 389
    use this feature, your computer must have an FTP client. To change your ZyWALL's FTP settings, click ADVANCED > REMOTE MGMT > FTP. The screen appears as shown. Use this screen to specify which interfaces allow FTP access and from which IP address the access can come.
  • ZyXEL ZyWALL 2WG | User Guide - Page 390
    SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1). The next figure illustrates an SNMP management operation. SNMP is only available if TCP/IP is configured.
  • ZyXEL ZyWALL 2WG | User Guide - Page 391
    . • Trap - Used by the agent to inform the manager of some events. 21.7.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • ZyXEL ZyWALL 2WG | User Guide - Page 392
    screen. Table 118 ADVANCED > REMOTE MGMT > SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
  • ZyXEL ZyWALL 2WG | User Guide - Page 393
    settings. Use this screen to set from which IP address the ZyWALL will accept DNS queries and on which interface it can send them your ZyWALL's DNS settings. This feature is not available when the ZyWALL is set to bridge mode. Figure 260 ADVANCED > REMOTE MGMT > DNS
  • ZyXEL ZyWALL 2WG | User Guide - Page 394
    CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be
  • ZyXEL ZyWALL 2WG | User Guide - Page 395
    Additional Configuration for Vantage CNM If you have NAT routers or firewalls between the ZyWALL and the Vantage CNM server, you must configure them to forward TCP ports 8080 (HTTP), 443 (HTTPS) and 20 and 21 (FTP). They must also forward UDP ports 1864 and 1865.
  • ZyXEL ZyWALL 2WG | User Guide - Page 396
    Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.
  • ZyXEL ZyWALL 2WG | User Guide - Page 397
    allows the following: dynamic port mapping; learning public IP addresses; assigning lease times to mappings. Windows Messenger is an example of an application that supports NAT traversal and UPnP. See Chapter 17 on page 331 for further information about NAT.
  • ZyXEL ZyWALL 2WG | User Guide - Page 398
    opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyWALL allows
  • ZyXEL ZyWALL 2WG | User Guide - Page 399
    Details. 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box. 4. Click OK to go back to the Add/Remove Programs Properties window and click Next. 5. Restart the computer when prompted.
  • ZyXEL ZyWALL 2WG | User Guide - Page 400
    section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
  • ZyXEL ZyWALL 2WG | User Guide - Page 401
    the icon and select Properties. 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
  • ZyXEL ZyWALL 2WG | User Guide - Page 402
    Internet connection status. 22.2.2.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
  • ZyXEL ZyWALL 2WG | User Guide - Page 403
    My Network Places under Other Places. 4. An icon with the description for each UPnP-enabled device displays under Local Network. 5. Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
  • ZyXEL ZyWALL 2WG | User Guide - Page 404
    (UPnP) feature Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (although you must still enter the password to access the web configurator).
  • ZyXEL ZyWALL 2WG | User Guide - Page 405
    ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port. When this field displays an external IP address, the NAT rule has the ZyWALL forward inbound packets to the Internal Client from that IP address only.
  • ZyXEL ZyWALL 2WG | User Guide - Page 406
    of the NAT mapping rule (TCP or UDP). Internal Port This field displays the port number on the Internal Client to which the ZyWALL should forward incoming connection requests. Internal Client This field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use
  • ZyXEL ZyWALL 2WG | User Guide - Page 407
    23.1 Overview Use custom application to have the ZyWALL's ALG and content filtering features monitor traffic on custom ports, in addition to the default ports. 23.1.1 What You Need to Know About Custom Application By default, these ZyWALL features monitor traffic for the following protocols on these
  • ZyXEL ZyWALL 2WG | User Guide - Page 408
    entering a single port number, enter it here. End Port Enter the ending port for the range that the ZyWALL is to monitor for this application. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 2WG | User Guide - Page 409
    , the ZyWALL translates the device's private IP address inside the data stream to a public IP address. It also records session port numbers and dynamically creates implicit NAT port forwarding and firewall rules for the application's traffic to come in from the WAN to the LAN. To configure the ALG
  • ZyXEL ZyWALL 2WG | User Guide - Page 410
    running an FTP client. The service allows users to send commands to the server for uploading and downloading files. The FTP ALG allows TCP packets with a port 21 destination to pass through. If the FTP server is located on the LAN, you must also configure NAT port forwarding and firewall rules if
  • ZyXEL ZyWALL 2WG | User Guide - Page 411
    (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the VoIP device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the VoIP device to find the public IP address that NAT assigned, so the
  • ZyXEL ZyWALL 2WG | User Guide - Page 412
    . H.323 is a protocol used for audio communications over networks. Enable SIP ALG Select this check box to allow SIP sessions to pass through the ZyWALL. SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals over Internet Protocol.
  • ZyXEL ZyWALL 2WG | User Guide - Page 413
    (default 60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period. Enter the SIP signaling session timeout value. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 2WG | User Guide - Page 414
  • ZyXEL ZyWALL 2WG | User Guide - Page 415
    PART V Logs and Maintenance: Logs Screens (417), Maintenance Screens (447)
  • ZyXEL ZyWALL 2WG | User Guide - Page 416
  • ZyXEL ZyWALL 2WG | User Guide - Page 417
    web features such configurator allows you to look at all of the ZyWALL's logs in one location. Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 25.4 on page 420).
  • ZyXEL ZyWALL 2WG | User Guide - Page 418
    as it adds new ones. You can configure the ZyWALL to email you the log when it is full in the Log Settings screen. Click a configure the ZyWALL's time and date. Message This field states the reason for the log. Source This field lists the source IP address and the port
  • ZyXEL ZyWALL 2WG | User Guide - Page 419
    this log every time it attempts to connect with myzyxel.com and the update server. Follow the steps below to download the certificate from myZyXEL.com. 1. Go to http://www.myZyXEL.com and log in with your account. 2. Click Download Center and then Certificate Download.
  • ZyXEL ZyWALL 2WG | User Guide - Page 420
    or web sites with restricted web features such as cookies, active X and so on. Some categories such as System Errors consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display in black.
  • ZyXEL ZyWALL 2WG | User Guide - Page 421
    Note: Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full (see Log Schedule). Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.
  • ZyXEL ZyWALL 2WG | User Guide - Page 422
    Figure 272 LOGS > Log Settings
  • ZyXEL ZyWALL 2WG | User Guide - Page 423
    Internet. user name of a mail account). Password Enter the password associated with the user name above. Schedule Log Schedule This drop-down menu is used to configure the frequency of log messages being sent as E-mail: Daily Weekly Hourly When Log is Full or IP
  • ZyXEL ZyWALL 2WG | User Guide - Page 424
    an individual web page loads, it may contain references to other web sites that also get counted as hits. Note: Enabling the ZyWALL's reporting function decreases the overall throughput by about 1 Mbps. Click LOGS > Traffic Statistics to display the following screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 425
    the ZyWALL. 25.5.1 Viewing Web Site Hits In the Traffic Statistics screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • ZyXEL ZyWALL 2WG | User Guide - Page 426
    has been sent to and/or from those IP addresses. Note: Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer.
  • ZyXEL ZyWALL 2WG | User Guide - Page 427
    /Port In the Traffic Statistics screen, select Protocol/Port from the Report Type drop-down list box to have the ZyWALL record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • ZyXEL ZyWALL 2WG | User Guide - Page 428
    or service port. The measurement unit shown (bytes, Kbytes, Mbytes or Gbytes) varies with the amount of traffic for the particular protocol or service port. The count starts over at 0 if a protocol or port passes the bytes count limit (see Table 132 on page 429).
  • ZyXEL ZyWALL 2WG | User Guide - Page 429
    2^64 bytes. 25.6 The E-mail Report Screen You can configure the ZyWALL to email a report including the network traffic information provided in the traffic statistics screens. Click LOGS > E-mail Report to display the following screen. Figure 277 LOGS > E-mail Report
  • ZyXEL ZyWALL 2WG | User Guide - Page 430
    Setup Enable E-mail Select this to turn on the e-mail report feature Enter the server name or the IP address of the mail server for the message-exchange standard for the Internet. SMTP enables you to move Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 2WG | User Guide - Page 431
    The router dropped an ICMP packet that was too large. SMT Session Begin An SMT management session has started. SMT Session End An SMT management session has ended. Configuration Change: PC = 0x%x, Task ID = 0x%x The router is saving configuration changes.
  • ZyXEL ZyWALL 2WG | User Guide - Page 432
    network through this interface. Dial backup started working. Dial backup stopped working. The LAN subnet, LAN alias 1, or LAN alias 2 was changed and the specified static DHCP IP addresses are no longer valid. The static DHCP IP address conflicts with another host.
  • ZyXEL ZyWALL 2WG | User Guide - Page 433
    incomplete count is per destination host.) Note: Refer to TCP Maximum Incomplete in the Firewall Attack Alerts screen. The router sent a TCP reset packet when a TCP connection state was out of order. Note: The firewall refers to RFC793 Figure 6 to check the TCP state.
  • ZyXEL ZyWALL 2WG | User Guide - Page 434
    a blocked: ICMP corresponding NAT table entry. Unsupported/out-of-order ICMP: ICMP The firewall does not support this kind of ICMP packets or the ICMP packets are out of order. Router reply ICMP packet: ICMP The router sent an ICMP reply packet to the sender.
  • ZyXEL ZyWALL 2WG | User Guide - Page 435
    connection's Internet Protocol Control Protocol stage is closing. Table 142 UPnP Logs LOG MESSAGE UPnP pass through Firewall DESCRIPTION UPnP packets can pass through the firewall. Table 143 Content Filtering . %s: Contains cookie The web site contains a cookie.
  • ZyXEL ZyWALL 2WG | User Guide - Page 436
    . Creating socket failed: The ZyWALL cannot issue a query because TCP/IP socket creation failed, port:port number. Connecting to content filter server fail: The connection to the external content filtering server failed. License key is invalid: The external content filtering license key is invalid
  • ZyXEL ZyWALL 2WG | User Guide - Page 437
    settings. Attempted use of TELNET service was blocked according to remote management settings. Attempted use of HTTP or UPnP service was blocked according to remote management settings. Attempted use of WWW service was blocked according to remote management settings.
  • ZyXEL ZyWALL 2WG | User Guide - Page 438
    router dropped all connections with the "MyIP" configured as "0.0.0.0" when the WAN IP address changed. Please check the algorithm configuration. A packet matches a rule, but there is no phase 2 SA for outbound traffic. The device sent a ping packet to check the specified VPN tunnel's connectivity
  • ZyXEL ZyWALL 2WG | User Guide - Page 439
    peer IPSec router's "Local ID Type". Phase 1 ID content mismatch This router's "Peer ID Content" is different from the peer IPSec router's "Local ID Content". No known phase 1 ID type found The router could not find a known phase 1 ID in the connection attempt.
  • ZyXEL ZyWALL 2WG | User Guide - Page 440
    match between the router and the peer. Rule [%d] Phase 1 ID mismatch The listed rule's IKE phase 1 ID did not match between the router and the peer. Rule [%d] Phase 1 hash mismatch The listed rule's IKE phase 1 hash did not match between the router and the peer.
  • ZyXEL ZyWALL 2WG | User Guide - Page 441
    online certificate enrollment was successful. The Destination field records the certification authority server's IP address and port. The CMP online certificate enrollment failed. The Destination field records the certification authority server's IP address and port.
  • ZyXEL ZyWALL 2WG | User Guide - Page 442
    IP address and port are recorded in the Source field. Rcvd user cert: The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port revoked by a CRL. 8 Certificate was not added to the cache.
  • ZyXEL ZyWALL 2WG | User Guide - Page 443
    the WAN to the WAN or the ZyWALL. ACL set for packets traveling from the DMZ to the DMZ or the ZyWALL. ACL set for packets traveling from the LAN to the WLAN. ACL set for packets traveling from the WLAN to the LAN. ACL set for packets traveling from the WAN to the WLAN.
  • ZyXEL ZyWALL 2WG | User Guide - Page 444
    Type 11 Time Exceeded: code 0, Time to live exceeded in transit; code 1, Fragment reassembly time exceeded. Type 12 Parameter Problem: code 0, Pointer indicates the error. Type 13 Timestamp: code 0, Timestamp request message. Type 14 Timestamp Reply: code 0, Timestamp reply message. Type 15 Information Request
  • ZyXEL ZyWALL 2WG | User Guide - Page 445
    router's LAN port. The "cat" is the same as the category in the router device when the connection (session) is service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN system name if you haven't configured one) at the time when this
  • ZyXEL ZyWALL 2WG | User Guide - Page 446
    LOG DISPLAY: PAYLOAD TYPE. SA: Security Association. PROP: Proposal. TRANS: Transform. KE: Key Exchange. ID: Identification. CER: Certificate. CER_REQ: Certificate Request. HASH: Hash. SIG: Signature. NONCE: Nonce. NOTFY: Notification. DEL: Delete. VID: Vendor ID
  • ZyXEL ZyWALL 2WG | User Guide - Page 447
    ) to configure the ZyWALL as a router or a bridge. • Use the F/W Upload screen (Section 26.6 on page 457) to upgrade the ZyWALL's firmware. • Use the Backup and Restore screen (Section 26.7 on page 458) to backup and restore the ZyWALL configuration file and to reset the device to factory settings
  • ZyXEL ZyWALL 2WG | User Guide - Page 448
    Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 26.3 The Password Screen Click MAINTENANCE > Password to open the following screen. Use this screen to change the ZyWALL's management password.
  • ZyXEL ZyWALL 2WG | User Guide - Page 449
    NTP servers to clients. The ZyWALL continues to use the NTP time server pools if you do not specify a time server or it cannot synchronize with the time server you specified. Note: The ZyWALL can use the NTP time server pools regardless of the time protocol you select.
  • ZyXEL ZyWALL 2WG | User Guide - Page 450
    up. To change your ZyWALL's time and date, click MAINTENANCE > Time and Date. The screen appears as shown. Use this screen to configure the ZyWALL's time based on your field displays the ZyWALL's present time. Current Date This field displays the ZyWALL's present date.
  • ZyXEL ZyWALL 2WG | User Guide - Page 451
    configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server Select this radio button to have the ZyWALL get the time and date from the time server you specified below. Time Protocol Select the time service protocol
  • ZyXEL ZyWALL 2WG | User Guide - Page 452
    changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. updated successfully. Figure 282 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 453
    as a DHCP server to assign IP addresses to your local computers. The LAN, WAN, DMZ and WLAN interfaces all have different IP addresses. The ZyWALL also provides NAT, port forwarding, policy routing, and DNS in router mode. These features allow you to set up private network. See Table 5 on page 58
  • ZyXEL ZyWALL 2WG | User Guide - Page 454
    of a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port. All future communications to that MAC address will only be sent on that port.
  • ZyXEL ZyWALL 2WG | User Guide - Page 455
    same and it's likely that one design can be used for many of the networks. A bridging firewall could be configured at HQ, sent to the branches and then installed directly without additional configuration. Click MAINTENANCE > Device Mode to open the following screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 456
    is the factory default. LAN Interface Subnet Mask Enter the IP subnet mask of the ZyWALL's LAN port. DHCP DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server. Unless you are instructed by
  • ZyXEL ZyWALL 2WG | User Guide - Page 457
    IP address you configured in the LAN Interface IP Address field to access the ZyWALL again. Reset Click Reset to begin configuring this screen afresh. 26.6 The F/W Upload Screen Find firmware at www.zyxel turn off the ZyWALL while firmware upload is in progress!
  • ZyXEL ZyWALL 2WG | User Guide - Page 458
    was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 289 Firmware Upload Error 26.7 The Backup and Restore Screen See Section 41.5 on page 579 for transferring configuration files using FTP/TFTP commands.
  • ZyXEL ZyWALL 2WG | User Guide - Page 459
    factory defaults, backup configuration, and restoring configuration appears as shown next. Figure 290 MAINTENANCE > Backup and Restore 26.7.1 Backup Configuration Backup configuration allows you to back up (save) the ZyWALL's current configuration the upload process.
  • ZyXEL ZyWALL 2WG | User Guide - Page 460
    device IP address (192.168.1.1). See your Quick Start Guide for details on how to set up your computer's IP address. If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. Figure 293 Configuration Upload Error
  • ZyXEL ZyWALL 2WG | User Guide - Page 461
    mail and/or the console port. The diagnostics files contain the ZyWALL's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click MAINTENANCE > Diagnostics to open the following screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 462
    the information through the console port, you still need to configure the mail settings and open a terminal emulation program on the computer connected to the console port. To handle the size of the diagnostic file, change your console port speed to 115200 bps (on both the ZyWALL and your terminal
  • ZyXEL ZyWALL 2WG | User Guide - Page 463
    format (for example 23:00 equals 11:00 pm) to generate and send diagnostic files. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • ZyXEL ZyWALL 2WG | User Guide - Page 464
  • ZyXEL ZyWALL 2WG | User Guide - Page 465
    1 - General Setup (475) WAN and Dial Backup Setup (481) LAN Setup (491) Internet Access (497) DMZ Setup (501) Remote Node Setup (509) IP Static Route Setup (519) Network Address Translation (NAT) (521) Introducing the ZyWALL Firewall (539) Filter Configuration (541) SNMP Configuration (557) System
  • ZyXEL ZyWALL 2WG | User Guide - Page 466
  • ZyXEL ZyWALL 2WG | User Guide - Page 467
    , how to navigate the SMT and how to configure SMT menus. 27.2 Accessing the SMT via the Console Port Make sure you have the physical connection properly set up as described in the Quick Start Guide. When configuring using the console port, you need a computer equipped with communications software
  • ZyXEL ZyWALL 2WG | User Guide - Page 468
    . Move to a "hidden" menu Press [SPACE BAR] to change No to Yes then press [ENTER]. Fields beginning with "Edit" lead to hidden menus and have a default setting of No. Press [SPACE BAR] to change No to Yes, and then press [ENTER] to go to a "hidden" menu.
  • ZyXEL ZyWALL 2WG | User Guide - Page 469
    ZyXEL Communications Corp. ZyWALL 2 Plus Main Menu Getting Started 1. General Setup 2. WAN Setup 3. LAN Setup 4. Internet Access Setup 5. DMZ Setup Advanced Management 21. Filter and Firewall Setup 22. SNMP Configuration 23. System Password 24. System Maintenance 26. Schedule Setup 7. Wireless
  • ZyXEL ZyWALL 2WG | User Guide - Page 470
    (Bridge Mode) Copyright (c) 1994 - 2007 ZyXEL Communications Corp. ZyWALL 2 Plus Main Menu Getting Started 1. General Setup Advanced Management 21. Filter and Firewall Setup 22. SNMP Configuration 23. System Password 24. System Maintenance 7. Wireless Setup 99. Exit Enter Menu Selection Number
  • ZyXEL ZyWALL 2WG | User Guide - Page 471
    Port Forwarding Setup 21 Filter and Firewall Setup 15.3 Trigger Port Setup 21.1 Filter Setup 21.2 Firewall Setup 22 SNMP Configuration 23 System Password 1.1.1 DDNS Host Summary 1.1.1 DDNS Edit Host 3.2.1 IP Alias Setup 5.2.1 IP Alias Setup 7.2.1 IP Alias Setup 11.1.2 Remote Node Network Layer
  • ZyXEL ZyWALL 2WG | User Guide - Page 472
    continued) MENUS SUB MENUS 24 System Maintenance 24.1 System Status 24.2 System Information and Console Port Speed 24.3 Log and Trace 24.4 Diagnostic 24.5 Backup Configuration 24.6 Restore Configuration 24.7 Upload Firmware 26 Schedule Setup 24.8 Command Interpreter Mode 24.9 Call Control 24
  • ZyXEL ZyWALL 2WG | User Guide - Page 473
    Note that as you type a password, the screen displays an "x" for each character you type. 27.5 Resetting the ZyWALL See Section 2.3 on page 51 for directions on resetting the ZyWALL.
  • ZyXEL ZyWALL 2WG | User Guide - Page 474
  • ZyXEL ZyWALL 2WG | User Guide - Page 475
    . You can go to menu 24.8 and type "sys domain name" to see the current domain name used by your router. The domain name entered by you is given priority over the ISP assigned domain name. If you want to clear this field just press [SPACE BAR] and then [ENTER].
  • ZyXEL ZyWALL 2WG | User Guide - Page 476
    Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
  • ZyXEL ZyWALL 2WG | User Guide - Page 477
    Setup. 3. Press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS. 4. Press [SPACE BAR] and then [ENTER] to select Yes in the Edit Host field. Press [ENTER] to display Menu 1.1.1 - DDNS Host Summary.
  • ZyXEL ZyWALL 2WG | User Guide - Page 478
    save your configuration, or press [ESC] at any time to cancel. 5. Select Edit in the Select Command field; type the index number of the DDNS host you want to configure in the Select Rule field and press [ENTER] to open Menu 1.1.1 DDNS Edit Host (see the next figure).
  • ZyXEL ZyWALL 2WG | User Guide - Page 479
    proxy server between the ZyWALL and the DDNS server. Press [SPACE BAR] to select Yes and then press [ENTER] to update the IP address of the host name(s) to the IP address specified below. Only select Yes if the ZyWALL uses or is behind a static public IP address.
  • ZyXEL ZyWALL 2WG | User Guide - Page 480
    Use User-Defined field. When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel. The IP address updates when you reconfigure menu 1 or perform DHCP client renewal.
  • ZyXEL ZyWALL 2WG | User Guide - Page 481
    2. Figure 307 MAC Address Cloning in WAN Setup Menu 2 - WAN Setup MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No Press ENTER to Confirm or ESC to Cancel:
  • ZyXEL ZyWALL 2WG | User Guide - Page 482
    WAN Setup and 3 Menu 11.2 - Remote Node Profile (Backup ISP) as shown next Refer also to the section about traffic redirect for information on an alternate backup WAN connection. 29.4 Configuring Dial Backup in Menu 2 From the main menu, enter 2 to open menu 2.
  • ZyXEL ZyWALL 2WG | User Guide - Page 483
    this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel. 29.5 Advanced WAN Setup Note: Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
  • ZyXEL ZyWALL 2WG | User Guide - Page 484
    string. This lets the ZyWALL capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication. Called Id Enter the keyword preceding the dialed number. Speed Enter the keyword preceding the connection speed.
  • ZyXEL ZyWALL 2WG | User Guide - Page 485
    #= Edit IP= No Edit Script Options= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= Always On= No Session Options: Edit Filter Sets= No Idle Timeout(sec)= 100 Press ENTER to Confirm or ESC to Cancel: Press ENTER to Confirm or ESC to Cancel:
  • ZyXEL ZyWALL 2WG | User Guide - Page 486
    automatically disconnects the PPP connection. This option only applies when the ZyWALL initiates the call. Once you have configured this menu, press [ENTER] at the message "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.
  • ZyXEL ZyWALL 2WG | User Guide - Page 487
    supports two types of mapping: Many-to-One and Server. See Chapter 17 on page 331 for a full discussion on this feature. Metric Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes. The smaller the number, the higher priority the route has.
  • ZyXEL ZyWALL 2WG | User Guide - Page 488
    after an empty one are ignored. Second, the last set should match the final message sent by the server. For instance, if the server prints: login successful. Starting PPP...
  • ZyXEL ZyWALL 2WG | User Guide - Page 489
    from triggering calls. You can specify up to four filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field. Note that spaces are accepted in this field. Please refer to Chapter 38 on page 541 for more information on defining the filters.
  • ZyXEL ZyWALL 2WG | User Guide - Page 490
    313 Menu 11.2.4: Remote Node Filter Menu 11.2.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL:
  • ZyXEL ZyWALL 2WG | User Guide - Page 491
    LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic, however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
  • ZyXEL ZyWALL 2WG | User Guide - Page 492
    Port Filter Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: From menu 3, select the submenu option TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 3.2 - TCP/IP and DHCP Ethernet Setup, as shown next. Not all fields are available on all models.
  • ZyXEL ZyWALL 2WG | User Guide - Page 493
    clients. When set to Server, the following items need to be set: Client IP Pool: Starting Address This field specifies the first of the contiguous addresses in the IP address pool. Size of Client IP Pool This field specifies the size, or count of the IP address pool.
  • ZyXEL ZyWALL 2WG | User Guide - Page 494
    as the gateway for each LAN network. Press [SPACE BAR] to select Yes and then press [ENTER] to display menu 3.2.1 When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm...] to save your configuration, or press [ESC] at any time to cancel. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 495
    filters= N/A Outgoing protocol filters= N/A Enter here to CONFIRM or ESC to CANCEL: Use the instructions in the following table to configure IP alias parameters. Table 180 Menu 3.2.1: IP Alias Setup FIELD DESCRIPTION IP Alias 1, 2 Choose Yes to configure the LAN network for the ZyWALL. IP
  • ZyXEL ZyWALL 2WG | User Guide - Page 496
    Chapter 30 LAN Setup 496 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 497
    My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: ZyWALL 2 Plus User's Guide 497
  • ZyXEL ZyWALL 2WG | User Guide - Page 498
    network (for example a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple
  • ZyXEL ZyWALL 2WG | User Guide - Page 499
    31 Internet Access 31.3 Configuring the PPTP Client Note: The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login
  • ZyXEL ZyWALL 2WG | User Guide - Page 500
    name provided to you in the Service Name field. 31.5 Basic Setup Complete Well done! You have successfully connected, installed and set up your ZyWALL to operate on your network as well as access the Internet. Note: When the firewall is activated, the default policy allows all communications to the
  • ZyXEL ZyWALL 2WG | User Guide - Page 501
    to apply to your public server(s) traffic. Figure 323 Menu 5.1: DMZ Port Filter Setup Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: ZyWALL 2 Plus User's Guide 501
  • ZyXEL ZyWALL 2WG | User Guide - Page 502
    to Confirm or ESC to Cancel: The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup. Each public server will need a unique IP address. Refer to Section 30.4 on page 492 for information on how to configure these fields. 502 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 503
    N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A Enter here to CONFIRM or ESC to CANCEL: Refer to Table 180 on page 495 for instructions on configuring IP alias parameters. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 504
    Chapter 32 DMZ Setup 504 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 505
    327 Menu 7: WLAN Setup Menu 7 - WLAN Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: From menu 7, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 7.2 - TCP/IP and DHCP Ethernet Setup, as shown next. ZyWALL 2 Plus User's Guide 505
  • ZyXEL ZyWALL 2WG | User Guide - Page 506
    Setup You must use menu 7.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Pressing [ENTER] opens Menu 7.2.1 - IP Alias Setup, as shown next. 506 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 507
    = N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Enter here to CONFIRM or ESC to CANCEL: Refer to Table 180 on page 495 for instructions on configuring IP alias parameters. ZyWALL 2 Plus User's Guide 507
  • ZyXEL ZyWALL 2WG | User Guide - Page 508
    Chapter 33 Wireless Setup 508 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 509
    network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. The following describes how to configure Menu 11.1 - Remote Node Profile, Menu 11.1.2 Remote Node Network Layer Options and Menu 11.1.4 - Remote Node Filter
  • ZyXEL ZyWALL 2WG | User Guide - Page 510
    jim@poellc) to access the PPPoE server. My Password Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. Retype to Confirm Type your password again to make sure that you have entered it correctly. 510 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 511
    PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you're using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. ZyWALL 2 Plus User's Guide 511
  • ZyXEL ZyWALL 2WG | User Guide - Page 512
    for obvious reasons. Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern. The following table describes the fields not already described in Table 184 on page 510. 512 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 513
    seconds that can elapse before the ZyWALL automatically disconnects the PPPoE connection. This option only applies when the ZyWALL initiates the call. 34.3.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. ZyWALL 2 Plus User's Guide 513
  • ZyXEL ZyWALL 2WG | User Guide - Page 514
    to this remote node a nailed-up connection. 34.4 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.1.2 - Remote Node Network Layer Options. Not all fields are available on all models. 514 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 515
    network (for example a public IP address used on the Internet). Choose None to disable NAT. Choose SUA Only if you have a single public IP address. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. Choose Full Feature if you have multiple
  • ZyXEL ZyWALL 2WG | User Guide - Page 516
    call filter sets. Figure 335 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: 516 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 517
    (to disable) traffic redirect setup. The default is No. Configuration Backup Gateway IP Address Enter the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates. Metric This field
  • ZyXEL ZyWALL 2WG | User Guide - Page 518
    an IP address here. If you are using PPTP or PPPoE Encapsulation, enter "0.0.0.0" to configure the ZyWALL to check the PVC (Permanent Virtual Circuit) or PPTP tunnel. Fail Tolerance Enter the number of times your ZyWALL may attempt and fail to connect to the Internet before traffic is forwarded to
  • ZyXEL ZyWALL 2WG | User Guide - Page 519
    - IP Static Route Setup 1. Reserved 2. test1 3. -test2 4. ________ 5. ________ 6. ________ 7. ________ 8. ________ 9. ________ 10. ________ 11. ________ 12. ________ Enter selection number: Now, enter the index number of the static route that you want to configure. ZyWALL 2 Plus User's Guide 519
  • ZyXEL ZyWALL 2WG | User Guide - Page 520
    your ZyWALL that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyWALL; over the WAN, the gateway must be the IP address ENTER to Confirm..." to save your configuration, or press [ESC] to cancel. 520 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 521
    ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Note: Choose SUA Only if you have just one public WAN IP address for your ZyWALL. Choose Full Feature if you have multiple public WAN IP addresses
  • ZyXEL ZyWALL 2WG | User Guide - Page 522
    Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= 1 Private= N/A RIP Direction= None Version= N/A Multicast= None Enter here to CONFIRM or ESC to CANCEL: 522 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 523
    3. Trigger Port Setup Enter Menu Selection Number: Note: Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 36.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets.
  • ZyXEL ZyWALL 2WG | User Guide - Page 524
    IP Global Start IP Global End IP Type 1. 0.0.0.0 255.255.255.255 0.0.0.0 M-1 2. 0.0.0.0 Server 3. 4. 5. 6. 7. 8. 9. 10. Press ENTER to Confirm or ESC to Cancel: The following table explains the fields in this menu. Note: Menu 15.1.255 is read-only.
  • ZyXEL ZyWALL 2WG | User Guide - Page 525
    configure rules in this screen. Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. Note: The entire set will be deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 526
    Network Address Translation (NAT) Figure 345 Menu 15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Idx Local Start IP Local End IP Global Start IP Global End IP /End IPs are configured in menu be deleted. Action The default is Edit. Edit means ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 527
    . Start Enter the starting local IP address (ILA). End Enter the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One and Server types. Global IP ZyWALL 2 Plus User's Guide 527
  • ZyXEL ZyWALL 2WG | User Guide - Page 528
    [ESC] to cancel. 36.3 Configuring a Server behind NAT Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Follow these steps to configure a server behind NAT: 1 Enter 15 in the
  • ZyXEL ZyWALL 2WG | User Guide - Page 529
    figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33. 6 Press [ENTER] at the "Press ENTER to confirm ..." prompt to save your configuration after you define all the servers or press [ESC] at any time to cancel. ZyWALL 2 Plus User's Guide 529
  • ZyXEL ZyWALL 2WG | User Guide - Page 530
    The following are some examples of NAT configuration. 36.4.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. 530 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 531
    36 Network Address Translation (NAT) Figure 352 Menu 4: Internet Access & NAT Example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= N/A IP Address
  • ZyXEL ZyWALL 2WG | User Guide - Page 532
    convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Default Server behind the NAT as shown in the next figure. Figure 354 Menu 15.2: Specifying an Inside Server Menu 15.2 - NAT Server Setup Default Server: 192.168.1.10 Rule Act. Start Port End Port IP Address 001
  • ZyXEL ZyWALL 2WG | User Guide - Page 533
    multiple servers, of different types, to other computers behind NAT on the LAN. The example situation looks somewhat like this: Figure 355 NAT Example 3 1 In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature
  • ZyXEL ZyWALL 2WG | User Guide - Page 534
    following figure shows how to configure the first rule. Figure 357 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 End = N/A Global IP: Start= 10.132.50.1 End = N/A Press ENTER to Confirm or ESC to Cancel: 534 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 535
    configure it as shown in Figure 359 on page 535. Figure 359 Example 3: Menu 15.2. Menu 15.2 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP 0 0 0.0.0.0 Select Command= None Select Rule= N/A Press ENTER to Confirm or ESC to Cancel: ZyWALL 2 Plus User's Guide 535
  • ZyXEL ZyWALL 2WG | User Guide - Page 536
    Type= Many-One-to-One Local IP: Start= 192.168.1.10 End = 192.168.1.12 Global IP: Start= 10.132.50.1 End = 10.132.50.3 Press ENTER to Confirm or ESC to Cancel: After you've configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 537
    port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually
  • ZyXEL ZyWALL 2WG | User Guide - Page 538
    or the starting port number in a range of port numbers. End Port Enter a port number or the ending port number in a range of port numbers. Press [ENTER] at the message "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel. 538 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 539
    menu to bring up the following screen. Press [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the web configurator to configure firewall rules.
  • ZyXEL ZyWALL 2WG | User Guide - Page 540
    the ZyWALL Firewall Figure 365 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default
  • ZyXEL ZyWALL 2WG | User Guide - Page 541
    as shown in the following figure. Figure 366 Outgoing Packet Filtering Process For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets. ZyWALL 2 Plus User's Guide 541
  • ZyXEL ZyWALL 2WG | User Guide - Page 542
    set. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic
  • ZyXEL ZyWALL 2WG | User Guide - Page 543
    Figure 367 Filter Rule Process Chapter 38 Filter Configuration You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. ZyWALL 2 Plus User's Guide 543
  • ZyXEL ZyWALL 2WG | User Guide - Page 544
    Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 368 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1. Filter Setup 2. Firewall
  • ZyXEL ZyWALL 2WG | User Guide - Page 545
    be taken i.e., forward the packet, drop filter rules abbreviation are listed as follows: Table 197 Rule Abbreviations Used ABBREVIATION DESCRIPTION IP Pr Protocol SA Source Address SP Source Port number DA Destination Address DP Destination Port number GEN ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 546
    Destination: IP Addr= IP Mask= Port #= Port # Comp= None Source: IP Addr= IP Mask= Port #= Port # Comp= None TCP Estab= N/A More= No Log= None Action Matched= Check Next Rule Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: 546 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 547
    Rule, Forward and Drop. When you have Menu 21.1.1.1 - TCP/IP Filter Rule configured, press [ENTER] at the message "Press ENTER to Confirm" to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. ZyWALL 2 Plus User's Guide 547
  • ZyXEL ZyWALL 2WG | User Guide - Page 548
    Chapter 38 Filter Configuration The following figure illustrates the logic flow of an IP filter. Figure 372 Executing an IP Filter 548 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 549
    38 Filter Configuration 38.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats
  • ZyXEL ZyWALL 2WG | User Guide - Page 550
    and press [ENTER]. 5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. 6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. 550 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 551
    means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched no matter whether there are more rules to be checked (there aren't in this example). ZyWALL 2 Plus User's Guide 551
  • ZyXEL ZyWALL 2WG | User Guide - Page 552
    router's interface according to the filter rules you designed. • Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. • Packet filtering only checks the header portion of an IP packet.
  • ZyXEL ZyWALL 2WG | User Guide - Page 553
    Control List (ACL) database. 38.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming Telnet, FTP and HTTP connections.
  • ZyXEL ZyWALL 2WG | User Guide - Page 554
    and block incoming Telnet, FTP and HTTP connections. Figure 379 Filtering DMZ Traffic Menu 5.1 - DMZ Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 554 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 555
    Telnet, FTP and HTTP connections. Figure 380 Filtering Remote Node Traffic Menu 11.1.4 - Remote Node Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: ZyWALL 2 Plus User's Guide 555
  • ZyXEL ZyWALL 2WG | User Guide - Page 556
    Chapter 38 Filter Configuration 556 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 557
    only respond to SNMP messages from this address. A blank (default) field means your ZyWALL will respond to all SNMP messages it receives, regardless of source. Trap Community Type the Trap community, which is the password sent with each trap to the SNMP manager.
  • ZyXEL ZyWALL 2WG | User Guide - Page 558
    password). 6 whyReboot (defined in ZYXEL user!" if reboot is done intentionally, (for example, download new files, CI command "sys reboot", etc.). 6b For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors. 558 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 559
    Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: 40.2 System Status The first selection, System Status
  • ZyXEL ZyWALL 2WG | User Guide - Page 560
    up. Ethernet Address This is the MAC address of the port listed on the left. IP Address This is the IP address of the port listed on the left. IP Mask This is the IP mask of the port listed on the left. DHCP This is the DHCP setting of the port listed on the left. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 561
    202 System Maintenance: Status Menu Fields (continued) FIELD DESCRIPTION System up Time This is the total time the ZyWALL has been on. You may enter 1 to drop the WAN connection, 9 to reset the counters or [ESC] to return to menu 24. 40.3 System Information and Console Port Speed This section
  • ZyXEL ZyWALL 2WG | User Guide - Page 562
    the IP mask of the ZyWALL. DHCP This field shows the DHCP setting of the ZyWALL. When finished viewing, press [ESC] or [ENTER] to exit. 40.3.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 - Console Port Speed. Your ZyWALL supports 9600 (default), 19200
  • ZyXEL ZyWALL 2WG | User Guide - Page 563
    53 2004 PP05 ERROR Wireless LAN init fail, ZyWALL uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured IP Address= 0.0.0.0 Log Facility= Local 1 Press ENTER to Confirm or ESC to Cancel: ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 564
    : board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002 Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002 Jul 19 11:20:06 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 Call Terminated 564 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 565
    12:00:52 202.132.155.97 ZyXEL: GEN[ffffffffffff0080] }S05>R01mF Mar 03 12:00:57 202.132.155.97 ZyXEL: GEN[00a0c5f502010080] }S05>R01mF Mar 03 12:01:06 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 TCP spo=01170 dpo=00021]}S04>R01mF ZyWALL 2 Plus User's Guide 565
  • ZyXEL ZyWALL 2WG | User Guide - Page 566
    |default permit:|B 40.4.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy-to-read format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
  • ZyXEL ZyWALL 2WG | User Guide - Page 567
    IP Destination IP = 4 = 20 = 0x00 (0) = 0x002C (44) = 0x0002 (2) = 0x00 = 0x00 = 0xFE (254) = 0x06 (TCP) = 0xFB20 (64288) = 0xC0A80101 (192.168.1.1) = 0x00000000 (0.0.0.0) TCP Header: Source Port Destination Port Sequence Number Ack Number Header Length Flags Window ZyWALL 2 Plus User's Guide 567
  • ZyXEL ZyWALL 2WG | User Guide - Page 568
    System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settings. 568 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 569
    the Internet setup. You can also test the Internet setup in Menu 4 - Internet Access. Please refer to Chapter 31 on page 497 for more details. This feature is only available for dial-up connections using PPPoE or PPTP encapsulation. Reboot System Enter 11 to reboot the ZyWALL. Host IP Address
  • ZyXEL ZyWALL 2WG | User Guide - Page 570
    Chapter 40 System Information & Diagnosis 570 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 571
    FTP site to use to upgrade your ZyWALL's performance. 41.2 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a "rom" filename extension. Once
  • ZyXEL ZyWALL 2WG | User Guide - Page 572
    note that the terms "download" and "upload" are relative to the computer. Download means to transfer from the ZyWALL to the computer, while upload means from your computer to the ZyWALL. 41.3.1 Backup Configuration Follow the instructions as shown in the next screen.
  • ZyXEL ZyWALL 2WG | User Guide - Page 573
    your router manual. Press ENTER to Exit: 41.3.2 Using the FTP Command from the Command Line 1 Launch the FTP client on your computer. 2 Enter "open", followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password as requested (the default
  • ZyXEL ZyWALL 2WG | User Guide - Page 574
    or in menu 11.5 (WAN) to block Telnet service. 4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately. 5 You have an SMT console session running.
  • ZyXEL ZyWALL 2WG | User Guide - Page 575
    's default IP address when shipped. Send/Fetch Use "Send" to upload the file to the ZyWALL and "Fetch" to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer. ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 576
    program by clicking Transfer, then Receive File as shown in the following screen. Figure 397 Backup Configuration Example Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. 576 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 577
    PERMANENTLY DAMAGE YOUR ZyWALL. When the Restore Configuration process is complete, the ZyWALL will automatically restart. 41.4.1 Restore Using FTP For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter.
  • ZyXEL ZyWALL 2WG | User Guide - Page 578
    okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec. ftp>quit Refer to Section 41.3.5 on page 574 to read about configurations that disallow TFTP and FTP over WAN. 578 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 579
    you how to upload firmware and configuration files. You can upload configuration files by following the procedure in Section 41.4 on page 577 or by following the instructions in Menu 24.7.2 - System Maintenance - Upload System Configuration File (for console port). ZyWALL 2 Plus User's Guide 579
  • ZyXEL ZyWALL 2WG | User Guide - Page 580
    details on uploading system firmware using TFTP (note that you must remain on this menu to upload system firmware using TFTP), please see your manual. Press ENTER to Exit: 41.5.2 Configuration File Upload You see the following screen when you Telnet into menu 24.7.2. 580 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 581
    firmware and the configuration file, follow these examples 41.5.3 FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. 2 Enter "open", followed by a space and the IP address of your ZyWALL. 3 Press [ENTER] when prompted for a username. 4 Enter your password
  • ZyXEL ZyWALL 2WG | User Guide - Page 582
    Telnet and TFTP clients. To transfer the firmware and the configuration file, follow the procedure shown next. 1 Use Telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the Telnet client and accepts TFTP
  • ZyXEL ZyWALL 2WG | User Guide - Page 583
    clients are listed earlier in this chapter. 41.5.7 Uploading Via Console Port FTP or TFTP are the preferred methods for uploading firmware to your ZyWALL. However, in the event of your network being down, uploading files is only possible with a direct connection to your ZyWALL via the console port
  • ZyXEL ZyWALL 2WG | User Guide - Page 584
    adjust your terminal's speed accordingly. The password may change (menu 23), also. 3. When uploading the DEFAULT configuration file, the console port speed will be reset to 9600 bps and the password to "1234". should be similar. 3 Enter "atgo" to restart the ZyWALL.
  • ZyXEL ZyWALL 2WG | User Guide - Page 585
    Maintenance 41.5.11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Figure 411 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering "atgo". ZyWALL 2 Plus User's Guide 585
  • ZyXEL ZyWALL 2WG | User Guide - Page 586
    Chapter 41 Firmware and Configuration File Maintenance 586 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 587
    Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 588
    settings. bridge These commands display bridge information. bm These commands configure bandwidth management settings and display bandwidth management information. certificates These commands display certificate information and configure certificate settings. 588 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 589
    Menus 8 to 10 42.2 Call Control Support The ZyWALL provides two call control functions: budget management and Connection Time/Total Budget Elapsed Time/Total Period 1.ChangeMe No Budget No Budget 2.Dial No Budget No Budget Reset Node (0 to update screen): ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 590
    You can reset the accumulated connection time in this menu by entering the index of a remote node. Enter 0 to update the screen. The budget and the reset period can be configured in menu 11 4. 5. 6. 7. 8. 9. 10. Enter Entry to Delete(0 to exit): Min Total 590 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 591
    417 Menu 24: System Maintenance Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6. Restore Configuration 7. Upload Firmware 8. Command Interpreter Mode 9. Call Control 10. Time and Date Setting 11
  • ZyXEL ZyWALL 2WG | User Guide - Page 592
    DESCRIPTION Time Protocol Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error . If you use daylight savings time, then choose Yes. 592 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 593
    24.10 System Maintenance: Time and Date Setting FIELD DESCRIPTION Start Date (mmnth-week-hr) Configure the day and time when Daylight Saving Time starts if you selected Yes in the Daylight or ESC to Cancel" to save your configuration, or press [ESC] to cancel. ZyWALL 2 Plus User's Guide 593
  • ZyXEL ZyWALL 2WG | User Guide - Page 594
    Chapter 42 System Maintenance Menus 8 to 10 594 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 595
    on the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces. To disable remote management of a service, select Disable in the corresponding Access field. Enter 11 from menu 24 to bring up Menu 24.11 - Remote Management Control. ZyWALL 2 Plus User's Guide 595
  • ZyXEL ZyWALL 2WG | User Guide - Page 596
    Press [SPACE BAR] and then [ENTER] to select the certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL). 596 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 597
    immediately. 4 There is an SMT console session running. 5 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time. 6 There is a firewall rule that blocks it. ZyWALL 2 Plus User's Guide 597
  • ZyXEL ZyWALL 2WG | User Guide - Page 598
    Chapter 43 Remote Management 598 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 599
    will take precedence over set 2, 3 and 4 as the ZyWALL, by default, applies the lowest numbered set first. Set 2 will take precedence over set 3 and 4, and so on. You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node. ZyWALL 2 Plus User's Guide 599
  • ZyXEL ZyWALL 2WG | User Guide - Page 600
    your ZyWALL will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration. Table 214 Schedule Set Setup FIELD should activate here in year-month-date format. Weekdays: 600 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 601
    Session Options: Edit Filter Sets= No Idle Timeout(sec)= 100 Edit Traffic Redirect= No Press ENTER to Confirm or ESC to Cancel: You can apply up to four schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s). ZyWALL 2 Plus User's Guide 601
  • ZyXEL ZyWALL 2WG | User Guide - Page 602
    Addr= Connection ID/Name= Edit IP= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= 1,2,3,4 Nailed-up Connections= No Session Options: Edit Filter Sets= No Idle Timeout(sec)= 100 Edit Traffic Redirect= No Press ENTER to Confirm or ESC to Cancel: 602 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 603
    PART VII Troubleshooting and Specifications Troubleshooting (605) Product Specifications (613) 603
  • ZyXEL ZyWALL 2WG | User Guide - Page 604
    604
  • ZyXEL ZyWALL 2WG | User Guide - Page 605
    you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyWALL Access and Login • Internet Access • Wireless Router/AP Troubleshooting • UPnP 45.1 Power, Hardware Connections, and LEDs V The ZyWALL does not turn on. None
  • ZyXEL ZyWALL 2WG | User Guide - Page 606
    on your network, make sure your computer is using a dynamic IP address. See Appendix A on page 621. Your ZyWALL is a DHCP server by default. 5 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address. See Section 2.3 on page 51. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 607
    the ZyWALL. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. V I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. ZyWALL 2 Plus User's Guide 607
  • ZyXEL ZyWALL 2WG | User Guide - Page 608
    NAT is configured for your DMZ servers. 45.3 Internet Access V I cannot get a WAN IP address from the ISP. 1 The ISP provides the WAN IP address after authenticating you. Authentication may be through the user name and password, the MAC address or the host name. 608 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 609
    entered the correct Service Type, User Name and Password (be sure to use the correct casing). Refer to the WAN setup chapter (web configurator or SMT). 2 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. 3 If the problem continues, contact your
  • ZyXEL ZyWALL 2WG | User Guide - Page 610
    , my computer cannot detect UPnP and refresh My Network Places > Local Network. 1 Disconnect the Ethernet cable from the ZyWALL's LAN port or from your computer. 2 Re-connect the Ethernet cable. V The Local Area Connection icon for UPnP disappears in the screen. 610 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 611
    Chapter 45 Troubleshooting Restart your computer. V I cannot open special applications such as white board, file transfer and video when I use the MSN messenger. 1 Wait more than three minutes. 2 Restart the applications. ZyWALL 2 Plus User's Guide 611
  • ZyXEL ZyWALL 2WG | User Guide - Page 612
    Chapter 45 Troubleshooting 612 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 613
    Class B, VCCI Class B Safety: CSA International, CE EN60950-1 Table 216 Firmware Specifications FEATURE DESCRIPTION Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234 DHCP Pool 192.168.1.33 to 192.168.1.160 ZyWALL 2 Plus User's Guide 613
  • ZyXEL ZyWALL 2WG | User Guide - Page 614
    Network Address Translation (NAT) Port Forwarding DHCP (Dynamic Host Configuration Protocol) Dynamic DNS Support IP Multicast IP Alias Time and Date Logging and Tracing PPPoE PPTP Encapsulation Universal Plug and Play (UPnP) RoadRunner Support Firewall Content Filter Note: Only upload firmware
  • ZyXEL ZyWALL 2WG | User Guide - Page 615
    on a network (LAN or WAN for example) can access the ZyWALL. Table 217 Feature and Performance Specifications FEATURE Local User Database Entries Static DHCP Table Entries Static Routes Port Forwarding Rules Concurrent Sessions (NAT sessions) Address Mapping Rules Configurable IPSec VPN Network
  • ZyXEL ZyWALL 2WG | User Guide - Page 616
    /Dial Backup Cable DB-9 End Pin Layout Table 218 Console Cable Pin Assignments PIN DEFINITION RJ-45 END DB-9M (MALE 9 Table 220 Ethernet Cable Pin Assignments WAN / LAN ETHERNET CABLE PIN LAYOUT Straight-through Crossover (Switch) (Adapter) (Switch) (Switch) 616 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 617
    heads of the screws and the wall. 4 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the ZyWALL with the connection cables. 5 Align the holes on the back of the ZyWALL with the screws on the wall. Hang the ZyWALL on the screws. ZyWALL 2 Plus User's Guide 617
  • ZyXEL ZyWALL 2WG | User Guide - Page 618
    Chapter 46 Product Specifications Figure 425 Wall-mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm). Figure 426 Masonry Plug and M4 Tap Screw 618 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 619
    . Some details may not apply to your ZyWALL. Setting up Your Computer's IP Address (621) Pop-up Windows, JavaScripts and Java Permissions (637) IP Addresses and Subnetting (645) Common Services (653) Importing Certificates (657) Legal Information (669) Customer Support (673) Index (679) 619
  • ZyXEL ZyWALL 2WG | User Guide - Page 620
    620
  • ZyXEL ZyWALL 2WG | User Guide - Page 621
    instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyWALL's LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window. ZyWALL 2 Plus User's Guide 621
  • ZyXEL ZyWALL 2WG | User Guide - Page 622
    Networks: 1 Click Add. 2 Select Client and then click Add. 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click OK. 5 Restart your computer so the changes you made take effect. 622 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 623
    TCP/IP Properties: IP Address 3 Click the DNS Configuration tab. • If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in). ZyWALL 2 Plus User's Guide 623
  • ZyXEL ZyWALL 2WG | User Guide - Page 624
    . 3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway. Windows 2000/NT/XP The following example figures use the default Windows XP GUI theme. 1 Click start (Start in Windows 2000/NT), Settings, Control Panel. 624 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 625
    's IP Address Figure 430 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 431 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. ZyWALL 2 Plus User's Guide 625
  • ZyXEL ZyWALL 2WG | User Guide - Page 626
    opens (the General tab in Windows XP). • If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 627
    in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. • Click OK when finished. ZyWALL 2 Plus User's Guide 627
  • ZyXEL ZyWALL 2WG | User Guide - Page 628
    ). • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. 628 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 629
    window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Macintosh OS 8/9 1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 630
    Ethernet built-in from the Connect via list. Figure 438 Macintosh OS 8/9: TCP/IP 630 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: • From the Configure box, select Manually. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 631
    window. Figure 439 Macintosh OS X: Apple Menu 2 Click Network in the icon bar. • Select Automatic from the Location list. • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 632
    Settings Check your TCP/IP properties in the Network window. Linux This section shows you how to configure your computer's TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version. 632 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 633
    Setting and click Network. Figure 441 Red Hat 9.0: KDE: Network Configuration: Devices 2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown. Figure 442 Red Hat 9.0: KDE: Ethernet Device: General ZyWALL 2 Plus User's Guide 633
  • ZyXEL ZyWALL 2WG | User Guide - Page 634
    computer, locate the ifconfigeth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor. • If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example. 634 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 635
    . Figure 448 Red Hat 9.0: Restart Ethernet Card [root@localhost init.d]# network restart Shutting down interface eth0: Shutting down loopback interface: Setting network parameters: Bringing up loopback interface: Bringing up interface eth0: [OK] [OK] [OK] [OK] [OK] ZyWALL 2 Plus User's Guide 635
  • ZyXEL ZyWALL 2WG | User Guide - Page 636
    Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 449 Red Hat 9.0: Checking TCP/IP Properties [root@localhost]# ifconfig eth0 Link encap:Ethernet HWaddr 00 TX bytes:1570 (1.5 Kb) Interrupt:10 Base address:0x1000 [root@localhost]# 636 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 637
    Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 450 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 638
    with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings... to open the Pop-up Blocker Settings screen. 638 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 639
    452 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 453 Pop-up Blocker Settings ZyWALL 2 Plus User
  • ZyXEL ZyWALL 2WG | User Guide - Page 640
    : Security 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window. 640 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 641
    Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window. Figure 456 Security Settings - Java ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 642
    OK to close the window. Figure 457 Java (Sun) Mozilla Firefox Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary. You can enable Java, Javascripts and pop-ups in one screen. Click Tools, then click Options in the screen that appears. 642 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 643
    Appendix B Pop-up Windows, JavaScripts and Java Permissions Figure 458 Mozilla Firefox: Tools > Options Click Content to show the screen below. Select the check boxes as shown in the following screen. Figure 459 Mozilla Firefox Content Security ZyWALL 2 Plus User's Guide 643
  • ZyXEL ZyWALL 2WG | User Guide - Page 644
    Appendix B Pop-up Windows, JavaScripts and Java Permissions 644 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 645
    ). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID. ZyWALL 2 Plus User's Guide 645
  • ZyXEL ZyWALL 2WG | User Guide - Page 646
    sequence of zeros, for a total number of 32 bits. Subnet masks can be referred to by the size of the network number part (the bits with a "1" value). For example, an "8-bit mask" means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes. 646 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 647
    can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits. An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 /24 0000 0000 0 255.255.255.128 /25 1000 0000 128 ZyWALL 2 Plus User's Guide 647
  • ZyXEL ZyWALL 2WG | User Guide - Page 648
    ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two subnetworks, A and B. 648 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 649
    (Decimal) 192.168.1. 0 IP Address (Binary) 11000000.10101000.00000001. 00000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.0 Lowest Host ID: 192.168.1.1 Broadcast Address: 192.168.1.63 Highest Host ID: 192.168.1.62 ZyWALL 2 Plus User's Guide 649
  • ZyXEL ZyWALL 2WG | User Guide - Page 650
    128 10000000 11000000 NETWORK NUMBER 192.168.1. IP address last octet values for each subnet. Table 229 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 650 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 651
    Appendix C IP Addresses and Subnetting Table 229 Eight Subnets following table is a summary for subnet planning on a network with a 24-bit network number. Table 230 24-bit Network Number Subnet Planning NO. "BORROWED" HOST BITS SUBNET MASK .255.248 (/29) 8192 6 ZyWALL 2 Plus User's Guide 651
  • ZyXEL ZyWALL 2WG | User Guide - Page 652
    situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. 652 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 653
    . • If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number. • If the Protocol is USER, this is the IP protocol number. • Description: This is a brief explanation of the applications that use this service or the situations in which this service is used. ZyWALL 2 Plus User's Guide 653
  • ZyXEL ZyWALL 2WG | User Guide - Page 654
    chat program. Microsoft Networks' messenger service uses this protocol. An Internet chat program. A protocol for news groups. Network File System - NFS is a client/ server distributed file service that provides transparent file sharing for network environments. 654 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 655
    mainframes, midrange systems, UNIX systems and network servers. Secure Shell Remote Login Program. Stream Works Protocol. Syslog allows you to send system logs to a UNIX server. Login Host Protocol used for (Terminal Access Controller Access Control System). ZyWALL 2 Plus User's Guide 655
  • ZyXEL ZyWALL 2WG | User Guide - Page 656
    Commonly Used Services (continued) NAME TELNET TFTP VDOLIVE PROTOCOL TCP UDP TCP PORT(S) 23 69 7000 DESCRIPTION Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/ IP networks. Its primary function is to allow users to log
  • ZyXEL ZyWALL 2WG | User Guide - Page 657
    certification authority. The following example procedure shows how to import the ZyWALL's (self-signed) server certificate into your operating system as a trusted certification authority. 1 In Internet Explorer, double click the lock shown in the following screen. ZyWALL 2 Plus User's Guide 657
  • ZyXEL ZyWALL 2WG | User Guide - Page 658
    Appendix E Importing Certificates Figure 464 Login Screen 2 Click Install Certificate to open the Install Certificate wizard. Figure 465 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard. 658 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 659
    Figure 466 Certificate Import Wizard 1 Appendix E Importing Certificates 4 Select where you would like to store the certificate and then click Next. Figure 467 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard. ZyWALL 2 Plus User's Guide 659
  • ZyXEL ZyWALL 2WG | User Guide - Page 660
    Appendix E Importing Certificates Figure 468 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store. Figure 469 Root Certificate Store 660 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 661
    to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL's Trusted CA web configurator screen). ZyWALL 2 Plus User's Guide 661
  • ZyXEL ZyWALL 2WG | User Guide - Page 662
    a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA's Certificate 1 Double click the CA's trusted certificate to produce a screen similar to the one shown next. 662 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 663
    (s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard. ZyWALL 2 Plus User's Guide 663
  • ZyXEL ZyWALL 2WG | User Guide - Page 664
    automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 474 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA. 664 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 665
    in the following store and choose a different location. Figure 476 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. ZyWALL 2 Plus User's Guide 665
  • ZyXEL ZyWALL 2WG | User Guide - Page 666
    479 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. 666 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 667
    Figure 480 SSL Client Authentication Appendix E Importing Certificates 3 You next see the ZyWALL login screen. Figure 481 ZyWALL Secure Login Screen ZyWALL 2 Plus User's Guide 667
  • ZyXEL ZyWALL 2WG | User Guide - Page 668
    Appendix E Importing Certificates 668 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 669
    it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 670
    or consequential damages of any kind to the purchaser. To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/ support_warranty_info.php. 670 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 671
    Appendix F Legal Information Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products. ZyWALL 2 Plus User's Guide 671
  • ZyXEL ZyWALL 2WG | User Guide - Page 672
    Appendix F Legal Information 672 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 673
    , Unit B, Horizon Building, No.6, Zhichun Str, Haidian District, Beijing • Web: http://www.zyxel.cn China - ZyXEL Communications (Shanghai) Corp. • Support E-mail: [email protected] • Sales E-mail: [email protected] • Telephone: +86-021-61199055 • Fax: +86-021-52069033 ZyWALL 2 Plus User's Guide 673
  • ZyXEL ZyWALL 2WG | User Guide - Page 674
    Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland France • E-mail: [email protected] • Telephone: +33-4-72-52-97-97 • Fax: +33-4-72-52-19-20 • Web: www.zyxel.fr • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France 674 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 675
    • Support: http://zyxel.kz/support • Sales E-mail: [email protected] • Telephone: +7-3272-590-698 • Fax: +7-3272-590-689 • Web: www.zyxel.kz • Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan ZyWALL 2 Plus User's Guide 675
  • ZyXEL ZyWALL 2WG | User Guide - Page 676
    , ul. Okrzei 1A, 03-715 Warszawa, Poland Russia • Support: http://zyxel.ru/support • Sales E-mail: [email protected] • Telephone: +7-095-542-89-29 • Fax: +7-095-542-89-25 • Web: www.zyxel.ru • Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia 676 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 677
    • Support E-mail: [email protected] • Sales E-mail: [email protected] • Telephone: +662-831-5315 • Fax: +662-831-5395 • Web: http://www.zyxel.co.th • Regular Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak-Noi, Muang, Nonthaburi 11000, Thailand. ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 678
    @zyxel.co.uk • Telephone: +44-1344-303044, 08707-555779 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • FTP: ftp.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK) 678 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 679
    notation 647 Application Layer Gateway. See ALG. Applications 45 broadband connection 45 applications 45 asymmetrical routes 218 vs virtual interfaces 218 AT bandwidth class 352 ZyWALL 2 Plus User's Guide Index Index bandwidth filter 360 class configuration 359 class setup 357 fairness-based
  • ZyXEL ZyWALL 2WG | User Guide - Page 680
    Server 493 WAN 568 DHCP clients 448 DHCP table 63 diagnostic 567 diagnostics 461 dial timeout 485 Diffie-Hellman key group 284 Perfect Forward Secrecy (PFS) 292 Dimensions 613 disclaimer 669 DMZ IP alias setup 503 port filter setup 501 setup 501 TCP/IP setup 502 DNS 393 DNS Server For VPN Host 366
  • ZyXEL ZyWALL 2WG | User Guide - Page 681
    208 VPN 91 ZyWALL 2 Plus User's Guide when to use 553 firmware file maintenance 571 upload 457 firmware upload 579 FTP 580 flow control 467 FTP 367, 389 commands 573 file upload 581 firmware upload 580 GUI-based clients 574 restoring files 577 G gateway IP address 498, 515, 520 general setup 447
  • ZyXEL ZyWALL 2WG | User Guide - Page 682
    134, 186, 488, 494, 516 myZyXEL.com 125 N nailed-up connection 512, 514 NAT 132, 331, 336, 337, 487, 498, 515, 552, 652 and VPN 287 application 343 configuring 523 default server IP address 336 examples 530 how NAT works 342 in the SMT 521 inside global address 342 682 ZyWALL 2 Plus User's Guide
  • ZyXEL ZyWALL 2WG | User Guide - Page 683
    path cost 148 Perfect Forward Secrecy. see PFS. PFS 292 Diffie-Hellman key group 292 PIN number 128 ping 568 Point-to-Point Protocol over Ethernet. See PPPoE Point-to-Point Tunneling Protocol. See PPTP. pool of IP addresses 133, 136 port filter setup ZyWALL 2 Plus User's Guide R RADIUS 323 and IKE
  • ZyXEL ZyWALL 2WG | User Guide - Page 684
    509 filter 489, 516 reports host IP address 425, 426 protocol/port 425, 427 web site hits 425 required fields 469 reset button 51 resetting the time 450 resetting the ZyWALL 51 restore configuration 459, 577 via console port 584 restoring factory defaults 461 restoring files via console port 579
  • ZyXEL ZyWALL 2WG | User Guide - Page 685
    163 transparent firewall 55, 143, 145, 454 triangle routes 218 vs virtual interfaces 218 trigger port forwarding 537 ZyWALL 2 Plus User's Guide Trivial File Transfer Protocol. See TFTP. troubleshooting 461 Index U unicast 134 Universal Plug and Play. See UPnP. upgrading firmware 457 upload
  • ZyXEL ZyWALL 2WG | User Guide - Page 686
    wireless network overview 183 wireless security 610 wizard setup 67 WLAN IP alias 506 setup 505 TCP/IP setup 506 WWW 386 www.dyndns.org 479 X Xmodem 583 file upload 583 protocol 572 Z ZyNOS 562, 572 ZyWALL registration 126 ZyXEL's Network Operating System. See ZyNOS. 686 ZyWALL 2 Plus User's Guide
  • 524
  • 525
  • 526
  • 527
  • 528
  • 529
  • 530
  • 531
  • 532
  • 533
  • 534
  • 535
  • 536
  • 537
  • 538
  • 539
  • 540
  • 541
  • 542
  • 543
  • 544
  • 545
  • 546
  • 547
  • 548
  • 549
  • 550
  • 551
  • 552
  • 553
  • 554
  • 555
  • 556
  • 557
  • 558
  • 559
  • 560
  • 561
  • 562
  • 563
  • 564
  • 565
  • 566
  • 567
  • 568
  • 569
  • 570
  • 571
  • 572
  • 573
  • 574
  • 575
  • 576
  • 577
  • 578
  • 579
  • 580
  • 581
  • 582
  • 583
  • 584
  • 585
  • 586
  • 587
  • 588
  • 589
  • 590
  • 591
  • 592
  • 593
  • 594
  • 595
  • 596
  • 597
  • 598
  • 599
  • 600
  • 601
  • 602
  • 603
  • 604
  • 605
  • 606
  • 607
  • 608
  • 609
  • 610
  • 611
  • 612
  • 613
  • 614
  • 615
  • 616
  • 617
  • 618
  • 619
  • 620
  • 621
  • 622
  • 623
  • 624
  • 625
  • 626
  • 627
  • 628
  • 629
  • 630
  • 631
  • 632
  • 633
  • 634
  • 635
  • 636
  • 637
  • 638
  • 639
  • 640
  • 641
  • 642
  • 643
  • 644
  • 645
  • 646
  • 647
  • 648
  • 649
  • 650
  • 651
  • 652
  • 653
  • 654
  • 655
  • 656
  • 657
  • 658
  • 659
  • 660
  • 661
  • 662
  • 663
  • 664
  • 665
  • 666
  • 667
  • 668
  • 669
  • 670
  • 671
  • 672
  • 673
  • 674
  • 675
  • 676
  • 677
  • 678
  • 679
  • 680
  • 681
  • 682
  • 683
  • 684
  • 685
  • 686

www.zyxel.com
ZyWALL 2 Plus
Internet Security Appliance
User’s Guide
Version 4.04
2/2008
Edition 1