| all | frequencies |
|
|
exhibits | applications |
|---|---|---|---|---|---|
| manuals | |||||
| app s | submitted / available | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 2 |
|
Installation guide 1 of 2 | Users Manual | 3.75 MiB | ||||
| 1 2 |
|
Installation guide 2 of 2 | Users Manual | 2.09 MiB | ||||
| 1 2 | Cover Letter(s) | |||||||
| 1 2 | Test Setup Photos | |||||||
| 1 2 | Cover Letter(s) | |||||||
| 1 2 | External Photos | |||||||
| 1 2 | Internal Photos | |||||||
| 1 2 | Cover Letter(s) | |||||||
| 1 2 | RF Exposure Info | |||||||
| 1 2 | Test Setup Photos | |||||||
| 1 2 | Test Report | |||||||
| 1 2 | Test Report | |||||||
| 1 2 | ID Label/Location Info | |||||||
| 1 2 | Test Report |
| 1 2 | Installation guide 1 of 2 | Users Manual | 3.75 MiB |
P-3202HN-Ba 802.11N GPON VoIP IAD Default Login Details 192.168.1.1 IP Address User Name admin 1234 Password Version 1.0 Edition 1, 12/2009 www.zyxel.com www.zyxel.com Copyright 2009 ZyXEL Communications Corporation About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the IAD using the web configurator. Related Documentation Quick Start Guide The Quick Start Guide is designed to help you get your IAD up and running right away. It contains information on setting up your network and configuring for Internet access. Web Configurator Online Help The embedded Web Help contains descriptions of individual screens and supplementary information. Support Disc Refer to the included CD for support documents. Documentation Feedback Send your comments, questions or suggestions to: techwriters@zyxel.com.tw Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 30099, Taiwan. Need More Help?
More help is available at www.zyxel.com. IAD Users Guide 3 About This User's Guide Download Library Search for the latest product updates and documentation from this link. Read the Tech Doc Overview to find out how to efficiently use the documentation in order to better understand how to use your product. Knowledge Base If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products. Forum This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well. Customer Support Should problems arise that cannot be solved by the methods listed above, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following information ready when you contact an office. Product model and serial number. Warranty Information. Date that you received your device. Brief description of the problem and the steps you took to solve it. 4 IAD Users Guide Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this Users Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations. Syntax Conventions This product may be referred to as the IAD, the device or the system in this Users Guide. Product labels, screen names, field labels and field choices are all in bold font. A key stroke is denoted by square brackets and uppercase text, for example,
[ENTER] means the enter or return key on your keyboard. Enter means for you to type one or more characters and then press the
[ENTER] key. Select or choose means for you to use one of the predefined choices. A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen. Units of measurement may denote the metric value or the scientific value. For example, k for kilo may denote 1000 or 1024, M for mega may denote 1000000 or 1048576 and so on. e.g., is a shorthand for for instance, and i.e., means that is or in other words. IAD Users Guide 5 Document Conventions Icons Used in Figures Figures in this Users Guide may use the following generic icons. The IAD icon is not an exact representation of your device. IAD Computer Notebook computer Server DSLAM Firewall Telephone Switch Router 6 IAD Users Guide Safety Warnings Safety Warnings Do NOT use this product near water, for example, in a wet basement or near a swimming pool. Do NOT expose your device to dampness, dust or corrosive liquids. Do NOT store things on the device. Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning. Connect ONLY suitable accessories to the device. Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information. Make sure to connect the cables to the correct ports. Place connecting cables carefully so that no one will step on them or stumble over them. Always disconnect all cables from this device before servicing or disassembling. Use ONLY an appropriate power adaptor or cord for your device. Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe). Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord. Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution. If the power adaptor or cord is damaged, remove it from the device and the power source. Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one. Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning. Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device. Use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord. Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s). If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged. Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately. IAD Users Guide 7 Safety Warnings 8 IAD Users Guide Contents Overview Contents Overview Users Guide ...........................................................................................................................19 Introduction ................................................................................................................................ 21 The Web Configurator ............................................................................................................... 29 Tutorials ..................................................................................................................................... 35 Technical Reference ..............................................................................................................39 Status Screens .......................................................................................................................... 41 Device Mode Screen ................................................................................................................. 51 WAN .......................................................................................................................................... 55 LAN Setup ................................................................................................................................. 59 Wireless LAN ............................................................................................................................. 69 Network Address Translation (NAT) ........................................................................................ 101 Voice .........................................................................................................................................117 Phone Usage ........................................................................................................................... 129 Firewalls .................................................................................................................................. 137 Static Route ............................................................................................................................. 159 Quality of Service (QoS) .......................................................................................................... 163 Dynamic DNS Setup ................................................................................................................ 179 Remote Management .............................................................................................................. 183 Universal Plug-and-Play (UPnP) ............................................................................................. 197 System ......................................................................................................................................211 Logs ........................................................................................................................................ 215 Tools ........................................................................................................................................ 219 Diagnostic ............................................................................................................................... 223 Troubleshooting ....................................................................................................................... 225 Product Specifications ............................................................................................................. 231 IAD Users Guide 9 Contents Overview 10 IAD Users Guide Table of Contents Table of Contents About This User's Guide ..........................................................................................................3 Document Conventions............................................................................................................5 Safety Warnings........................................................................................................................7 Contents Overview ...................................................................................................................9 Table of Contents....................................................................................................................11 Part I: Users Guide................................................................................ 19 Chapter 1 Introduction.............................................................................................................................21 1.1 Overview .............................................................................................................................. 21 1.2 Managing the IAD ................................................................................................................ 21 1.3 Good Habits for Managing the IAD ...................................................................................... 21 1.4 Applications for the IAD ....................................................................................................... 22 1.4.1 Internet Access and Device Mode ............................................................................. 22 1.4.2 Internet Calls (VoIP) ................................................................................................... 23 1.4.3 Wireless Connection .................................................................................................. 23 1.4.4 Triple Play .................................................................................................................. 24 1.5 The Reset Button ................................................................................................................. 25 1.5.1 Using the Reset Button .............................................................................................. 25 1.6 LEDs (Lights) ....................................................................................................................... 26 Chapter 2 The Web Configurator ............................................................................................................29 2.1 Overview ............................................................................................................................. 29 2.1.1 Accessing the Web Configurator ................................................................................ 29 2.2 Web Configurator Main Screen ........................................................................................... 31 2.2.1 Title Bar ...................................................................................................................... 31 2.2.2 Navigation Panel ........................................................................................................ 32 2.2.3 Main Window .............................................................................................................. 34 2.2.4 Status Bar ................................................................................................................... 34 Chapter 3 Tutorials...................................................................................................................................35 IAD Users Guide 11 Table of Contents 3.1 Overview .............................................................................................................................. 35 3.2 Getting Starting with the IAD ............................................................................................... 35 3.3 Placing Phone Calls Over the Internet ................................................................................ 36 Part II: Technical Reference .................................................................. 39 Chapter 4 Status Screens ........................................................................................................................41 4.1 Overview .............................................................................................................................. 41 4.2 Status Screen ...................................................................................................................... 42 4.2.1 VoIP Status ................................................................................................................. 47 4.2.2 WLAN Status .............................................................................................................. 49 Chapter 5 Device Mode Screen...............................................................................................................51 5.1 Overview .............................................................................................................................. 51 5.1.1 Hybrid Mode (Router Mode) ....................................................................................... 51 5.1.2 Bridge Mode ............................................................................................................... 51 5.2 Device Mode Screen ........................................................................................................... 52 Chapter 6 WAN..........................................................................................................................................55 6.1 Overview .............................................................................................................................. 55 6.1.1 What You Need to Know ............................................................................................ 55 6.2 Internet Access Setup ........................................................................................................ 56 Chapter 7 LAN Setup................................................................................................................................59 7.1 LAN Overview ..................................................................................................................... 59 7.1.1 LANs, WANs and the ZyXEL Device .......................................................................... 59 7.1.2 DHCP Setup ............................................................................................................... 59 7.2 DNS Server Addresses ....................................................................................................... 60 7.3 LAN TCP/IP ......................................................................................................................... 60 7.3.1 IP Address and Subnet Mask ..................................................................................... 61 7.3.2 RIP Setup ................................................................................................................... 62 7.3.3 Multicast ..................................................................................................................... 62 7.4 Configuring LAN IP and DHCP ........................................................................................... 63 7.5 LAN Client List ..................................................................................................................... 65 7.6 LAN IP Alias ........................................................................................................................ 66 Chapter 8 Wireless LAN...........................................................................................................................69 12 IAD Users Guide Table of Contents 8.1 Overview .............................................................................................................................. 69 8.1.1 What You Can Do in this Chapter .............................................................................. 69 8.2 What You Need to Know ...................................................................................................... 70 8.3 Before You Begin ................................................................................................................. 72 8.4 The General Screen ........................................................................................................... 73 8.4.1 No Security ................................................................................................................. 75 8.4.2 WEP Encryption ......................................................................................................... 76 8.4.3 WPA(2)-PSK .............................................................................................................. 77 8.4.4 WPA(2) Authentication ............................................................................................... 78 8.4.5 MAC Filter ............................................................................................................. 80 8.4.6 Adding a New MAC Filtering Rule ......................................................................... 81 8.5 The More AP Screen .......................................................................................................... 82 8.5.1 More AP Edit .............................................................................................................. 83 8.6 The WPS Screen ................................................................................................................ 83 8.7 The WPS Station Screen .................................................................................................... 85 8.8 The WDS Screen ................................................................................................................ 86 8.9 The Advanced Setup Screen .............................................................................................. 88 8.10 Technical Reference .......................................................................................................... 89 8.10.1 Wireless Network Overview ..................................................................................... 90 8.10.2 Additional Wireless Terms ........................................................................................ 91 8.10.3 Wireless Security Overview ..................................................................................... 91 8.10.4 WiFi Protected Setup ............................................................................................... 93 Chapter 9 Network Address Translation (NAT)....................................................................................101 9.1 Overview ........................................................................................................................... 101 9.1.1 What You Can Do in this Chapter ............................................................................ 101 9.1.2 What You Need To Know ......................................................................................... 101 9.2 The NAT General Screen .................................................................................................. 102 9.3 The Port Forwarding Screen ............................................................................................ 104 9.3.1 Configuring the Port Forwarding Screen .................................................................. 105 9.3.2 The Port Forwarding Rule Edit Screen .................................................................... 107 9.4 The Address Mapping Screen ........................................................................................... 108 9.4.1 The Address Mapping Rule Edit Screen ...................................................................110 9.5 The ALG Screen ................................................................................................................111 9.6 NAT Technical Reference ...................................................................................................112 9.6.1 NAT Definitions .........................................................................................................112 9.6.2 What NAT Does ........................................................................................................112 9.6.3 How NAT Works ........................................................................................................113 9.6.4 NAT Application .........................................................................................................114 9.6.5 NAT Mapping Types ..................................................................................................114 9.6.6 Port Translation .........................................................................................................115 IAD Users Guide 13 Table of Contents Chapter 10 Voice....................................................................................................................................... 117 10.1 Introduction ......................................................................................................................117 10.1.1 What You Need to Know .........................................................................................117 10.2 SIP Service Provider ........................................................................................................118 10.2.1 Advanced SIP Settings .......................................................................................... 120 10.3 SIP Account ..................................................................................................................... 122 10.3.1 Advanced Account Settings ................................................................................... 123 10.4 Analog Phone ................................................................................................................. 125 10.5 Speed Dial ...................................................................................................................... 126 Chapter 11 Phone Usage .........................................................................................................................129 11.1 Overview .......................................................................................................................... 129 11.2 Dialing a Telephone Number ............................................................................................ 129 11.3 Using Speed Dial ............................................................................................................. 129 11.4 Using Call Park and Pickup ............................................................................................. 129 11.5 Checking the IADs IP Address ........................................................................................ 130 11.6 Auto Provisioning and Auto Firmware Upgrade ............................................................... 130 11.7 Phone Services Overview ................................................................................................ 131 11.7.1 The Flash Key ........................................................................................................ 131 11.7.2 Europe Type Supplementary Phone Services ........................................................ 131 11.7.3 USA Type Supplementary Services ....................................................................... 133 11.8 Phone Functions Summary .............................................................................................. 135 Chapter 12 Firewalls.................................................................................................................................137 12.1 Overview ......................................................................................................................... 137 12.1.1 What You Can Do in this Chapter .......................................................................... 138 12.1.2 What You Need to Know ........................................................................................ 138 12.1.3 Firewall Rule Setup Example ................................................................................. 140 12.2 The Firewall General Screen .......................................................................................... 143 12.3 The Firewall Rules Screen .............................................................................................. 145 12.3.1 Configuring Firewall Rules ................................................................................... 146 12.3.2 Customized Services ............................................................................................ 149 12.3.3 Configuring A Customized Service ...................................................................... 150 12.4 The Firewall Threshold Screen ........................................................................................ 151 12.4.1 Threshold Values ................................................................................................... 151 12.4.2 Configuring Firewall Thresholds ............................................................................. 152 12.5 Technical Reference ........................................................................................................ 154 12.5.1 Guidelines For Enhancing Security With Your Firewall .......................................... 154 12.5.2 Security Considerations ......................................................................................... 154 12.5.3 Triangle Route ........................................................................................................ 155 14 IAD Users Guide Table of Contents Chapter 13 Static Route ...........................................................................................................................159 13.1 Overview ....................................................................................................................... 159 13.1.1 What You Can Do in this Chapter .......................................................................... 159 13.2 The Static Route Screen .................................................................................................. 160 13.2.1 Static Route Edit ................................................................................................... 161 Chapter 14 Quality of Service (QoS).......................................................................................................163 14.1 Overview ......................................................................................................................... 163 14.1.1 What You Can Do in this Chapter .......................................................................... 163 14.1.2 What You Need to Know ........................................................................................ 164 14.2 The QoS General Screen ............................................................................................... 164 14.3 The Class Setup Screen ................................................................................................ 166 14.3.1 Class Configuration ............................................................................................... 168 14.3.2 QoS Example ......................................................................................................... 171 14.4 The QoS Monitor Screen ................................................................................................ 175 14.5 Technical Reference ........................................................................................................ 175 14.5.1 IEEE 802.1Q Tag ................................................................................................... 176 14.5.2 IP Precedence ........................................................................................................ 176 14.5.3 DiffServ ................................................................................................................. 176 14.5.4 Automatic Priority Queue Assignment ................................................................... 177 Chapter 15 Dynamic DNS Setup .............................................................................................................179 15.1 Overview ........................................................................................................................ 179 15.1.1 What You Can Do in this Chapter .......................................................................... 179 15.1.2 What You Need To Know ....................................................................................... 179 15.2 The Dynamic DNS Screen ............................................................................................. 180 Chapter 16 Remote Management............................................................................................................183 16.1 Overview ......................................................................................................................... 183 16.1.1 What You Can Do in this Chapter .......................................................................... 184 16.1.2 What You Need to Know ........................................................................................ 184 16.2 The HTTP Screen ............................................................................................................ 185 16.3 The Telnet Screen ........................................................................................................... 186 16.4 The FTP Screen ............................................................................................................. 187 16.5 SNMP .............................................................................................................................. 188 16.5.1 Supported MIBs ..................................................................................................... 190 16.5.2 SNMP Traps ........................................................................................................... 190 16.5.3 The SNMP Screen ................................................................................................. 190 16.6 The DNS Screen ........................................................................................................... 191 IAD Users Guide 15 Table of Contents 16.7 The ICMP Screen ............................................................................................................ 192 16.8 SSH ............................................................................................................................... 193 16.9 How SSH Works .............................................................................................................. 194 16.10 SSH Implementation on the IAD .................................................................................... 195 16.10.1 Requirements for Using SSH ............................................................................... 195 16.11 The SSH Screen ............................................................................................................ 195 Chapter 17 Universal Plug-and-Play (UPnP)..........................................................................................197 17.1 Overview ......................................................................................................................... 197 17.1.1 What You Can Do in this Chapter .......................................................................... 197 17.1.2 What You Need to Know ........................................................................................ 197 17.2 The UPnP Screen ............................................................................................................ 198 17.3 Installing UPnP in Windows Example .............................................................................. 199 17.4 Using UPnP in Windows XP Example ............................................................................. 203 Chapter 18 System ................................................................................................................................... 211 18.1 Overview ...........................................................................................................................211 18.1.1 What You Need to Know .........................................................................................211 18.2 General Setup ............................................................................................................... 212 18.3 Time Setting .................................................................................................................... 213 Chapter 19 Logs ......................................................................................................................................215 19.1 Overview .......................................................................................................................... 215 19.2 View Log .......................................................................................................................... 215 19.3 Log Settings .................................................................................................................... 217 Chapter 20 Tools.......................................................................................................................................219 20.1 Overview .......................................................................................................................... 219 20.1.1 Some Warnings ...................................................................................................... 219 20.2 Firmware Upgrade ......................................................................................................... 220 20.3 Configuration .................................................................................................................. 221 20.3.1 Backup Configuration ............................................................................................ 221 20.3.2 Restore Configuration ........................................................................................... 221 20.3.3 Reset to Factory Defaults ...................................................................................... 222 20.4 Restart ............................................................................................................................. 222 Chapter 21 Diagnostic .............................................................................................................................223 21.1 Overview .......................................................................................................................... 223 16 IAD Users Guide Table of Contents 21.2 General ........................................................................................................................... 223 Chapter 22 Troubleshooting....................................................................................................................225 22.1 Overview .......................................................................................................................... 225 22.2 Power, Hardware Connections, and LEDs ...................................................................... 225 22.3 IAD Access and Login ..................................................................................................... 226 22.4 Internet Access ................................................................................................................ 227 22.5 Phone Calls and VoIP ...................................................................................................... 228 Chapter 23 Product Specifications .........................................................................................................231 Appendix A Passive Optical Networks .................................................................................239 Appendix B Setting Up Your Computers IP Address...........................................................245 Appendix C Pop-up Windows, JavaScripts and Java Permissions......................................275 Appendix D IP Addresses and Subnetting ...........................................................................285 Appendix E Wireless LANs ..................................................................................................297 Appendix F Common Services.............................................................................................313 Appendix G Legal Information..............................................................................................317 Index.......................................................................................................................................321 IAD Users Guide 17 Table of Contents 18 IAD Users Guide PART I Users Guide 19 20 CHAPTER 1 Introduction 1.1 Overview This device is an Integrated Access Device (IAD) which combines high-speed fiber optic (G-PON) Internet access, a built-in switch, wireless networking capability and Voice over IP (VoIP) technology to allow you to use an analog telephone to make phone calls over the Internet. The device also comes with one coaxial CATV connector to connect to a television or set-top-box. Please refer to the following description of the product name format. H denotes an integrated 4-port hub (switch). N denotes IEEE 802.11n wireless functionality. There is an embedded mini-PCI module for IEEE 802.11b/g/n wireless LAN connectivity. Only use firmware for your IADs specific model. Refer to the label on the bottom of your IAD. 1.2 Managing the IAD Use the IADs built-in Web Configurator to manage it. You can connect to it using a web browser such as Firefox 2.0 (and higher) or Internet Explorer 6 (and higher). The web configurator gives you access to all the available settings for this product. For details on connecting to it, see the Quick Start Guide. 1.3 Good Habits for Managing the IAD Do the following things regularly to make the IAD more secure and to manage the IAD more effectively. Change the password. Use a password thats not easy to guess and that consists of different types of characters, such as numbers and letters. Write down the password and put it in a safe place. IAD Users Guide 21 Chapter 1 Introduction Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the IAD to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the IAD. You could simply restore your last configuration. 1.4 Applications for the IAD Here are some example uses for which the IAD is well suited. 1.4.1 Internet Access and Device Mode Your IAD provides shared Internet access by connecting a fiber optic line provided by your ISP to the PON port. In hybrid mode, the IAD works as a router. You can enable NAT, firewall and use Quality of Service (QoS) to efficiently manage traffic on your network by giving priority to certain types of traffic and/or to particular computers. If you have a router deployed in your network already, set the IAD to act as a bridge. The routing features, such as NAT and static route are not available on the IAD in bridge mode and QoS configuration is done remotely by the ISPs OLT
(Optical Line Terminal). This allows you put the IAD into an existing network that has a router with minimum configuration. Figure 1 Internet Access Application (Router Mode) OLT 22 IAD Users Guide Chapter 1 Introduction 1.4.2 Internet Calls (VoIP) You can register up to 2 SIP (Session Initiation Protocol) accounts and use the IAD to make and receive VoIP telephone calls:
Figure 2 VoIP Applicarion A Peer-to-Peer calls (A) - Use the IAD to make a call to the recipients IP address without using a SIP proxy server. Calls via a VoIP service provider (A) - The IAD sends your call to a VoIP service providers SIP server which forwards your calls to either VoIP or PSTN phones. 1.4.3 Wireless Connection By default, the wireless LAN (WLAN) is enabled on the IAD. IEEE 802.11b/g compliant clients can wirelessly connect to the IAD to access network resources. You can set up a wireless network with WPS (WiFi Protected Setup) or manually add a client to your wireless network. Figure 3 Wireless Connection Application WLAN LAN WAN IAD Users Guide 23 Chapter 1 Introduction 1.4.3.1 The WPS/WLAN Button You can use the WPS/WLAN button on the top of the device to turn the wireless LAN off or on. You can also use it to activate WPS in order to quickly set up a wireless network with strong security. Turn the Wireless LAN Off or On 1 Make sure the POWER LED is on (not blinking). 2 Press the WPS/WLAN button for one second and release it. The WLAN/WPS LED should change from on to off or vice versa. Activate WPS 1 Make sure the POWER LED is on (not blinking). 2 Press the WPS/WLAN button for more than five seconds and release it. Press the WPS button on another WPS -enabled device within range of the IAD. The WLAN/
WPS LED should flash while the IAD sets up a WPS connection with the wireless device. Note: You must activate WPS in the IAD and in another wireless device within two minutes of each other. See Section 7.10.4 on page 151 for more information. 1.4.4 Triple Play Your ISP may provide triple play service to your IAD. This allows you to take advantage of such features as broadband Internet access, Voice over IP telephony, 24 IAD Users Guide Chapter 1 Introduction and streaming video/audio media, all at the same time with no noticeable loss in bandwidth. Figure 4 Triple Play Example 1.5 The Reset Button If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the device to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to 1234. 1.5.1 Using the Reset Button 1 Make sure the POWER LED is on (not blinking). 2 To set the device back to the factory default settings, press the RESET button for ten seconds or until the POWER LED begins to blink and then release it. When the POWER LED begins to blink, the defaults have been restored and the device restarts. IAD Users Guide 25 Chapter 1 Introduction 1.6 LEDs (Lights) The following graphic displays the labels of the LEDs. Figure 5 LEDs on the Top Panel None of the LEDs are on if the IAD is not receiving power. Table 1 LED Descriptions LED POWER COLOR STATUS Green On Blinking On Off On Off Blinking On On Blinking Off DESCRIPTION The IAD is receiving power and ready for use. The IAD is self-testing. The IAD detected an error while self-testing, or there is a device malfunction. The IAD is not receiving power. The IAD has established a PON line connection with the ISP. The IAD has not established a PON connection with the ISP or the fiber optic line is down. The IAD is in the process of downloading firmware. The IAD PON link has failed or has generated errors. The IAD has an Ethernet connection with another device (such as a computer) on the Local Area Network (LAN) through this port. The IAD is sending/receiving data to /from the LAN through this port. The IAD does not have an Ethernet connection with the LAN through this port. The wireless network is activated and is operating in IEEE 802.11b/g/n mode. The IAD is communicating with other wireless clients. The IAD is setting up a WPS connection. The wireless network is not activated. Red PON Green Red Green ETHERNET 1~4 WPS/
WLAN Green On Orange Blinking Blinking Off 26 IAD Users Guide Table 1 LED Descriptions LED INTERNET Green COLOR STATUS On Blinking On Red PHONE 1/2 Green Off On Blinking Orange On Blinking Off On Off CATV Green Chapter 1 Introduction DESCRIPTION The IAD has an IP connection but no traffic. Your device has a WAN IP address (either static or assigned by a DHCP server), PPP negotiation was successfully completed (if used) and the DSL connection is up. The IAD is sending or receiving IP traffic. The IAD attempted to make an IP connection but failed. Possible causes are no response from a DHCP server, no PPPoE response, PPPoE authentication failed. The IAD does not have an IP connection, or the IAD is in bridge mode. A SIP account is registered for the phone port. A telephone connected to the phone port has its receiver off of the hook or there is an incoming call. A SIP account is registered for the phone port and there is a voice message in the corresponding SIP account. A telephone connected to the phone port has its receiver off of the hook and there is a voice message in the corresponding SIP account. The phone port does not have a SIP account registered. The IAD is receiving video signals. The IAD is not receiving video signals. Refer to the Quick Start Guide for information on hardware connections. IAD Users Guide 27 Chapter 1 Introduction 28 IAD Users Guide CHAPTER 2 The Web Configurator 2.1 Overview The web configurator is an HTML-based management interface that allows easy device setup and management via Internet browser. Use Internet Explorer 6.0 and later or Firefox 2.0 and later versions. The recommended screen resolution is 1024 by 768 pixels. In order to use the web configurator you need to allow:
Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2. JavaScript (enabled by default). Java permissions (enabled by default). See Appendix C on page 275 if you need to make sure these functions are allowed in Internet Explorer. 2.1.1 Accessing the Web Configurator 1 Make sure your IAD hardware is properly connected (refer to the Quick Start Guide for details on this). Launch your web browser. Type "192.168.1.1" as the URL. 2 3 IAD Users Guide 29 Chapter 2 The Web Configurator 4 A password screen displays. Enter your user name and password. The default user name is admin and the default password is 1234. Click Login. Figure 6 Password Screen 5 The following screen displays if you have not yet changed your password. It is strongly recommended you change the default password. Enter a new password of up to 30 characters, retype it to confirm and click Apply; alternatively click Ignore to proceed to the main menu if you do not want to change the password now. Figure 7 Change Password Screen Note: For security reasons, the IAD automatically logs you out if you do not use the web configurator for five minutes (default). If this happens, log in again. 30 IAD Users Guide 2.2 Web Configurator Main Screen The main screen is divided into these parts:
Chapter 2 The Web Configurator Figure 8 Main Screen B A C D A - title bar B - navigation panel C - main window D - status bar 2.2.1 Title Bar The title bar allows you to change the language and provides some icons in the upper right corner. The icons provide the following functions:
Table 2 Web Configurator Icons in the Title Bar ICON DESCRIPTION Help: Click this icon to open the online help. Logout: Click this icon to log out of the web configurator. IAD Users Guide 31 Chapter 2 The Web Configurator 2.2.2 Navigation Panel Use the menu items on the navigation panel to open screens to configure IAD features. The following tables describe each menu item. Table 3 Navigation Panel Summary LINK Status TAB FUNCTION This screen shows the IADs general device and network status information. Use this screen to access the statistics and client list. Device Device Mode Network WAN LAN Internet Access Setup IP Wireless LAN General Use this screen to select whether the IAD acts as a router
(Hybrid Mode) or a bridge (Bridge Mode). Use this screen to configure ISP parameters, WAN IP address assignment, DNS servers and other advanced properties. Use this screen to configure LAN TCP/IP settings, enable Any IP and other advanced properties. Use this screen to configure the wireless LAN settings, WLAN authentication/security settings. Use this screen to enable WPS (Wi-Fi Protected Setup) and view the WPS status. Use this screen to use WPS to set up your wireless network. Use this screen to configure MAC filtering rules. Use this screen to enable WMM QoS (Wi-Fi MultiMedia Quality of Service). WMM QoS allows you to prioritize wireless traffic according to the delivery requirements of individual services. Use this screen to enable NAT on the IAD. Use this screen to make your local servers visible to the outside world. Use this screen to allow certain applications to pass through the IAD. WPS WPS Station MAC Filter QoS General Port Forwarding ALG SIP Service Provider SIP Account Analog Phone Speed Dial Use this screen to configure the SIP settings used by the IAD when you place calls over the Internet. Use this screen to configure your SIP account information. Use this screen to set which phone ports use which SIP accounts. Use this screen to configure speed dial for SIP phone numbers that you call often. Security Firewall General Rules Advanced Use this screen to activate/deactivate the firewall and the default action to take on network traffic going in specific directions. This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule. 32 IAD Users Guide NAT VoIP SIP Phone Phone Book Chapter 2 The Web Configurator Table 3 Navigation Panel Summary LINK TAB Static Route Static Route Bandwidth MGMT General Rule Setup QoS Monitor Dynamic DNS Remote MGMT WWW Telnet FTP SSH ICMP TR-069 FUNCTION Use this screen to configure IP static routes to tell your device about networks beyond the directly connected remote nodes. Use this screen to enable QoS and configure bandwidth management on the WAN. Use this screen to define a classifier. Use this screen to view QoS packets statistics. This screen allows you to use a static hostname alias for a dynamic IP address. Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTP to manage the IAD. Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the IAD. Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the IAD. Use this screen to configure Secure SHell (SSH) connections to and from the IAD. Use this screen to set whether or not your device will respond to pings and probes for services that you have not made available. Use this screen to enable remote management via TR-069 on the WAN. Maintenance System General Logs Tools Time Setting View Log Log Settings Firmware Configuration Restart Diagnostic General Use this screen to configure your devices name, management inactivity timeout and password. Use this screen to change your IADs time and date. Use this screen to display your devices logs. Use this screen to select which logs and/or immediate alerts your device is to record. You can also set it to e-mail the logs to you. Use this screen to upload firmware to your device. Use this screen to backup and restore your devices configuration
(settings) or reset the factory default settings. This screen allows you to reboot the IAD without turning the power off. Use this screen to test the connections to other devices. IAD Users Guide 33 Chapter 2 The Web Configurator 2.2.3 Main Window The main window displays information and configuration fields. It is discussed in the rest of this document. Right after you log in, the Status screen is displayed. See Chapter 4 on page 41 for more information about the Status screen. 2.2.4 Status Bar Check the status bar when you click Apply or OK to verify that the configuration has been updated. 34 IAD Users Guide CHAPTER 3 Tutorials 3.1 Overview This chapter introduces you to some basic networking and Voice over IP (VoIP) concepts as well as how to configure your IAD for specific functions. 3.2 Getting Starting with the IAD This quick overview provides pointers on where in this Users Guide you can go to get started with configuring and using the IAD. Your IAD may have come pre-configured from your ISP. If such is the case, changing any network settings may affect your ability to get online or connect to other computers on your network. 1 Install the device as described in the included Quick Start Guide. 2 Connect and login to the Web Configurator at its default IP address as described in Section 2.2 on page 31. This is where you configure all available settings related to your device and its network connections. You will most likely need to connect to the IAD directly from your computer rather than over an existing network, since the devices default IP address wont match that networks existing topology. 3 Once youre in the Web Configurator, you can assign the IAD a new Local Area Network (LAN) IP address. This allows you to position in your LAN topology where you it is most beneficial to you. See Section 7.4 on page 63 for details. 4 5 If you were given settings to configure the IADs WAN connection, then you can do so in Section 6.2 on page 56. Finally, if you have a SIP account and want to place phone calls over the Internet, see Section 3.3 on page 36. IAD Users Guide 35 Chapter 3 Tutorials 3.3 Placing Phone Calls Over the Internet The IAD allows you to plug an analog phone into it and place calls over the Internet as if you were using an IP Phone or a SIP phone. Making Internet phone calls requries that first have a SIP account set up with either your ISP (if they provide such a service) or with a third-party SIP provider. To configure your SIP settings:
1 Connect to the Web Configurator (see the Quick Start Guide for details). 2 Open the VoIP > SIP screen, enter the following information, then click Apply:
Active - Select this to enable these SIP service settings. If left unchecked, then any configuration you do here will be saved but left unused. SIP Local Port, SIP Server Address, SIP Server Port, Register Server Address, Register Server Port, SIP Server Domain - These server settings are provided by the company that issues your VoIP account. 36 IAD Users Guide 3 Click VoIP > SIP > SIP Account to enter your SIP account information:
Chapter 3 Tutorials SIP Account Selector - The IAD allows you to set up multiple SIP accounts. The first time you do this, you wont need to make a selection but in the future if you set up additional SIP accounts this is where you choose the one to configure. Active SIP Account - Select this to make the current SIP account active. If you do not select this option, then you cannot use the settings configured here for the selected SIP account. Number - Enter your SIP number. If you were given a SIP number that looked this 1234567@sipaccount.com then your number is the part before the @. User Name -This is your SIP account user name. Password - This is the password for your SIP account. 4 Next, you must configure your Phone settings to bind your newly configured SIP settings to a single phone. Click VoIP > Phone to display the following screen:
IAD Users Guide 37 Chapter 3 Tutorials 5 Select a phone from the Phone Port Settings list, then select a SIP Account to use for all outgoing calls. The phone you choose corresponds to one of two phones physically connected to your IAD. For Incoming Calls, you can assign multiple SIP accounts to a single phone. This means any call sent to the selected SIP account is forwarded to the phone chosen in Phone Port Settings. Click Apply to save your settings. 6 Connect your analog phone to one of two phone ports on the IAD, as described in the Quick Start Guide. When you pick up the handset and hear a dial tone, enter the SIP phone number you want to call. 38 IAD Users Guide PART II Technical Reference 39 40 CHAPTER 4 Status Screens 4.1 Overview Use the Status screens to look at the current status of the device, system resources, interfaces (LAN and WAN), and SIP accounts. You can also register and unregister SIP accounts. IAD Users Guide 41 Chapter 4 Status Screens 4.2 Status Screen Click Status to open this screen. The screen varies slightly depending on the IADs device mode. See Chapter 5 on page 51 for more information. Figure 9 Status Screen (Bridge Mode) 42 IAD Users Guide Chapter 4 Status Screens Figure 10 Status Screen (Hybrid Mode) Each field is described in the following table. DESCRIPTION Table 4 Status Screen LABEL Refresh Interval Enter how often you want the IAD to update this screen. Apply Device Information Click this to update this screen immediately. Host Name Model Number This field displays the IAD system name. It is used for identification. You can change this in the Maintenance > System > General screens System Name field. This is the model name of your device. IAD Users Guide 43 Chapter 4 Status Screens Table 4 Status Screen LABEL DESCRIPTION This field displays the current version of the firmware inside the device. It also shows the date the firmware version was created. Click this to go to the screen where you can change it. This field displays the current IP address of the IAD in the WAN. Click this to go to the screen where you can change it. This field displays the current subnet mask in the WAN. This field displays the IP address of the default gateway, if applicable. This is the MAC (Media Access Control) or Ethernet address unique to your IAD. This MAC is used for VoIP connections made over the WAN and is different from the LAN MAC. This field displays the current IP address of the IAD in the LAN. Click this to go to the screen where you can change it. This field displays the current subnet mask in the LAN. This field displays what DHCP services the IAD is providing to the LAN. Choices are:
Server - The IAD is a DHCP server in the LAN. It assigns IP addresses to other computers in the LAN. Relay - The ZyXEL Device acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients. None - The IAD is not providing any DHCP services to the LAN. Click this to go to the screen where you can change it. This is the MAC (Media Access Control) or Ethernet address unique to your IAD. This MAC is used for LAN connections and differs from the WAN MAC. This is the descriptive name used to identify the IAD in the wireless LAN. Click this to go to the screen where you can change it. This is the channel number used by the IAD now. This displays the type of security mode the IAD is using in the wireless LAN. This displays whether or not the IADs firewall is activated. Click this to go to the screen where you can change it. Firmware Version WAN Information IP Address IP Subnet Mask Default Gateway MAC Address LAN Information IP Address IP Subnet Mask DHCP MAC Address WLAN Information SSID Channel Security Security Firewall System Status 44 IAD Users Guide Chapter 4 Status Screens Table 4 Status Screen LABEL System Uptime Current Date/Time System Mode CPU Usage Memory Usage Interface Status Interface Status Rate Summary DHCP Client List VoIP Status WLAN Status Bandwidth Status Registration Status Account DESCRIPTION This field displays how long the IAD has been running since it last started up. The IAD starts up when you plug it in, when you restart it
(Maintenance > Tools > Restart), or when you reset it (see Section 1.5 on page 25). This field displays the current date and time in the IAD. You can change this in Maintenance > System > Time Setting. This displays whether the IAD is functioning as a router or a bridge. This field displays what percentage of the IADs processing ability is currently used. When this percentage is close to 100%, the IAD is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications. This field displays what percentage of the IADs memory is currently used. Usually, this percentage should not increase much. If memory usage does get close to 100%, the IAD is probably becoming unstable, and you should restart the device. See Section 20.4 on page 222, or turn it off (unplug the power) for a few seconds. This column displays each interface the IAD has. This field indicates whether or not the IAD is using the interface. For the WAN interface, this field displays Up when the IAD is using the interface and Down when the IAD is not using the interface. For the LAN interface, this field displays Up when the IAD is using the interface and Down when the IAD is not using the interface. For the WLAN interface, it displays Enabled when WLAN is activated or Disabled when WLAN is not active. For the LAN interface, this displays the port speed and duplex setting. For the WAN interface, this displays the port speed and duplex setting. For the WLAN interface, it displays the maximum transmission rate when WLAN is enabled or N/A when WLAN is disabled. Click this link to view current DHCP client information. See Section 7.5 on page 65. Click this link to view statistics about your VoIP usage. See Section 4.2.1 on page 47. Click this link to display the MAC address(es) of the wireless stations that are currently associating with the IAD. See Section 4.2.2 on page 49. Click this link to view QoS packets statistics on the IAD. See Section 4.2.2 on page 49. This column displays each SIP account in the IAD. IAD Users Guide 45 Chapter 4 Status Screens Table 4 Status Screen LABEL Registration DESCRIPTION This field displays the current registration status of the SIP account. You have to register SIP accounts with a SIP server to use VoIP. Action Account Status If the SIP account is already registered with the SIP server, Click Unregister to delete the SIP accounts registration in the SIP server. This does not cancel your SIP account, but it deletes the mapping between your SIP identity and your IP address. The second field displays Registered. If the SIP account is not registered with the SIP server, Click Register to have the IAD attempt to register the SIP account with the SIP server. The second field displays the reason the account is not registered. Inactive - The SIP account is not active. You can activate it in VoIP >
SIP > SIP Settings. Register Fail - The last time the IAD tried to register the SIP account with the SIP server, the attempt failed. The IAD automatically tries to register the SIP account when you turn on the IAD or when you activate it. If the SIP account is already registered with the SIP server, the Account Status field displays Registered. Click Unregister to delete the SIP accounts registration in the SIP server. This does not cancel your SIP account, but it deletes the mapping between your SIP identity and your IP address or domain name. If the SIP account is not registered with the SIP server, the Account Status field displays Not Registered. Click Register to have the IAD attempt to register the SIP account with the SIP server. The second field displays the reason the account is not registered. The button is grayed out if the SIP account is disabled. This field displays the current registration status of the SIP account. You have to register SIP accounts with a SIP server to use VoIP. In-Active - The SIP account is not active. You can activate it in VoIP >
SIP > SIP Account. Not Registered - The last time the IAD tried to register the SIP account with the SIP server, the attempt failed. Use the Register button to register the account again. The IAD automatically tries to register the SIP account when you turn on the IAD or when you activate it. Registered - The SIP account is already registered with the SIP server. You can use it to make a VoIP call. Register Fail - The last time the IAD tried to register the SIP account with the SIP server, the attempt failed. The IAD automatically tries to register the SIP account when you turn on the IAD or when you activate it. 46 IAD Users Guide Chapter 4 Status Screens Table 4 Status Screen LABEL Associate Service Provider Name URI DESCRIPTION This field displays the VoIP service providers name that you specified in the VoIP > SIP > SIP Service Provider screen. This field displays the account number and service domain of the SIP account. You can change these in the VoIP > SIP screens. 4.2.1 VoIP Status Click Status > VoIP Status to access this screen. Figure 11 VoIP Status Each field is described in the following table. Table 5 VoIP Status LABEL SIP Status Account DESCRIPTION This column displays each SIP account in the IAD. IAD Users Guide 47 Chapter 4 Status Screens Table 5 VoIP Status LABEL Registration DESCRIPTION This field displays the current registration status of the SIP account. You can change this in the Status screen. Registered - The SIP account is registered with a SIP server. Error - The last time the IAD tried to register the SIP account with the SIP server, the attempt failed. The IAD automatically tries to register the SIP account when you turn on the IAD or when you activate it. Diabled - The SIP account is not active. You can activate it in VoIP >
SIP > SIP Account. This field displays the last time you successfully registered the SIP account. It displays Unregistered if you never successfully registered this account. This field displays the account number and service domain of the SIP account. You can change these in the VoIP > SIP screens. This field displays the transport protocol the SIP account uses. SIP accounts always use UDP. This field indicates whether or not there are any messages waiting for the SIP account. This field displays the last number that called the SIP account. The field is blank if no number has ever dialed the SIP account. This field displays the last number the SIP account called. The field is blank if the SIP account has never dialed a number. This column displays each SIP account in the IAD. This field indicates whether the phone is on the hook or off the hook. On - The phone is hanging up or already hung up. Off - The phone is dialing, calling, or connected. This field displays how long the current call has lasted. It displays 0 if no call has ever been made using the SIP account. This field displays the current state of the phone call. Idle - There are no current VoIP calls, incoming calls or outgoing calls being made. Dial - The callees phone is ringing. Ring - The phone is ringing for an incoming VoIP call. Process - There is a VoIP call in progress. DISC - The callees line is busy, the callee hung up or your phone was left off the hook. This field displays what voice codec is being used for a current VoIP call through a phone port. This field displays the SIP number of the party that is currently engaged in a VoIP call through a phone port. Last Registration URI Protocol Message Waiting Last Incoming Number Last Outgoing Number Call Status Account Hook Duration Status Codec Peer Number Phone Status 48 IAD Users Guide Chapter 4 Status Screens Table 5 VoIP Status LABEL Phone Outgoing Number Incomming Number Poll Interval(s) Set Interval Stop DESCRIPTION This field displays each phone port in the IAD. This field displays the SIP number that you use to make calls on this phone port. This field displays the SIP number that you use to receive calls on this phone port. Enter how often you want the IAD to update this screen, and click Set Interval. Click this to make the IAD update the screen based on the amount of time you specified in Poll Interval. Click this to make the IAD stop updating the screen. 4.2.2 WLAN Status Click Status > WLAN Status to access this screen. Use this screen to view the wireless stations that are currently associated to the IAD. Figure 12 Status > WLAN Status The following table describes the labels in this screen. Table 6 Status > WLAN Status LABEL
MAC Address This field displays the MAC (Media Access Control) address of an DESCRIPTION This is the index number of an associated wireless station. Association TIme Refresh associated wireless station. This field displays the time a wireless station first associated with the IAD. Click Refresh to reload this screen. IAD Users Guide 49 Chapter 4 Status Screens 50 IAD Users Guide CHAPTER 5 Device Mode Screen 5.1 Overview The Status screen lets you configure whether the IAD is a router or bridge. You can choose between Hybride Mode and Bridge Mode depending on your network topology and the features you require from your IAD. See Section 1.4 on page 22 for more information on which mode to choose. 5.1.1 Hybrid Mode (Router Mode) A router connects your local network with another network, such as the Internet. The router has two IP addresses, the LAN IP address and the WAN IP address. The router can use NAT to translate the packets source IP address before forwarding it from the LAN to the WAN or from the LAN to the WAN. Figure 13 LAN and WAN IP Addresses in Hybrid Mode (Router Mode) 192.168.1.33 LAN WAN 192.168.1.34 192.168.1.1 WAN IP Address 192.168.1.35 5.1.2 Bridge Mode When the IAD acts as a bridge, the routing features will not be available. That means a bridge can not use NAT to translate the packets source IP address before forwarding it. You need to set the client computer to receive an IP address automatically from the ISP. Computers behind the IAD cannot share the same Internet account. To configure the IAD, you need to manually set the computers IAD Users Guide 51 Chapter 5 Device Mode Screen IP address to be in the same subnet as the IAD since the DHCP server is also disabled on the IAD in bridge mode. Figure 14 IP Addresses in Bridge Mode 192.168.1.x LAN 192.168.1.1 WAN IP Address Assigned by ISP 5.2 Device Mode Screen Click Device > Device Mode to open this screen. The IAD restarts automatically after you select a different device mode and click Apply. Figure 15 Device Mode Screen The following table lists the features available for each device mode. Table 7 Hybrid and Bridge Modes Features Comparison FEATURE DHCP Client List WLAN Status Bandwidth Status Device Mode WAN LAN Wireless LAN NAT SIP Phone HYBRID MODE Y Y Y Y Y Y Y Y Y Y BRIDGE MODE Y Y Y Y Y Y Y 52 IAD Users Guide Chapter 5 Device Mode Screen Table 7 Hybrid and Bridge Modes Features Comparison FEATURE Phone Book VoIP Status Firewall Static Route Bandwidth MGMT Dynamic DNS Remote MGMT System Logs Tools Diagnostic HYBRID MODE Y Y Y Y Y Y Y Y Y Y Y BRIDGE MODE Y Y Y Y Y Y Y Table Key: A Y in a modes column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change. IAD Users Guide 53 Chapter 5 Device Mode Screen 54 IAD Users Guide CHAPTER 6 WAN 6.1 Overview This chapter describes how to configure WAN settings. A WAN (Wide Area Network) is an outside connection to another network or the Internet. 6.1.1 What You Need to Know The following terms and concepts may help as you read through the chapter. Encapsulation Be sure to use the encapsulation method required by your ISP. The IAD supports the following methods. PPP over Ethernet The IAD supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE. For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example RADIUS). One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for individuals. Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the IAD (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the IAD does that part of the task. IAD Users Guide 55 Chapter 6 WAN IP Address Assignment A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP. However the encapsulation method assigned influences your choices for IP address and ENET ENCAP gateway. 6.2 Internet Access Setup Use this screen to change your IADs WAN remote node settings. Click Network >
WAN > Internet Access Setup. Although the screen differs by the encapsulation you select, all options are presented in the image below. Figure 16 Internet Access Setup - PPPoE 56 IAD Users Guide Figure 17 Internet Access Setup - IP Chapter 6 WAN The following table describes the labels in this screen. Table 8 Internet Access Setup LABEL DESCRIPTION General Encapsulation Select the method of encapsulation used by your ISP from the drop-
down list box Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given. Enter the password associated with the user name above. Type the name of your PPPoE service here. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. Select Obtain an IP Address Automatically if you have a dynamic IP address; otherwise select Static IP Address and type your ISP assigned information in the field below. Enter the IP address assigned by your ISP if you select Static IP Address. Enter a subnet mask in dotted decimal notation when you select IP in the Encapsulation field. You must specify a gateway IP address (supplied by your ISP) when you select IP in the Encapsulation field. User Name Password Service Name IP Address IP Address Subnet Mask Gateway IP address DNS Server IAD Users Guide 57 Chapter 6 WAN Table 8 Internet Access Setup (continued) LABEL First DNS Server DESCRIPTION Select FromISP if your ISP dynamically assigns DNS server information (and the IAD's WAN IP address) and you select Obtain an IP Address Automatically. Second DNS Server Third DNS Server Connection Nailed-Up Connection Connection Demand Select UserDefined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose UserDefined, but leave the IP address set to 0.0.0.0, UserDefined changes to None after you click Apply. If you set a second choice to UserDefined, and enter the same IP address, the second UserDefined changes to None after you click Apply. Select None if you do not want to configure DNS servers. You must have another DNS server on your LAN, or else the computers must have their DNS server addresses manually configured. If you do not configure a DNS server, you must know the IP address of a computer in order to access it. Select Nailed-Up Connection when you want your connection up all the time. The IAD will try to bring up the connection automatically if it is disconnected. Select Connection Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field. Max Idle Timeout Specify an idle time-out in the Max Idle Timeout field when you Apply Cancel select Connection Demand. The default setting is 0, which means the Internet session will not timeout. Click Apply to save the changes. Click Cancel to begin configuring this screen afresh. 58 IAD Users Guide CHAPTER 7 LAN Setup This chapter describes how to configure LAN settings. 7.1 LAN Overview A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server and manage IP addresses. See Section 7.4 on page 63 to configure the LAN screens. 7.1.1 LANs, WANs and the ZyXEL Device The actual physical connection determines whether the IAD ports are LAN or WAN ports. There are two separate IP networks, one inside the LAN network and the other outside the WAN network as shown next. Figure 18 LAN and WAN IP Addresses LAN WAN 7.1.2 DHCP Setup DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can IAD Users Guide 59 Chapter 7 LAN Setup configure the IAD as a DHCP server or disable it. When configured as a server, the IAD provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured. 7.1.2.1 IP Pool Setup The IAD is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product specifications in the appendices. Do not assign static IP addresses from the DHCP pool to your LAN computers. 7.2 DNS Server Addresses DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The DNS server addresses you enter when you set up DHCP are passed to the client machines along with the assigned IP address and subnet mask. There are two ways that an ISP disseminates the DNS server addresses. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the DHCP Setup screen. Some ISPs choose to disseminate the DNS server addresses using the DNS server extensions of IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The IAD supports the IPCP DNS server extensions through the DNS proxy feature. If the DNS Server fields in the DHCP Setup screen are set to DNS Relay, the IAD tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the IAD, the IAD acts as a DNS proxy and forwards the query to the real DNS server learned through IPCP and relays the response back to the computer. Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances. If your ISP gives you explicit DNS servers, make sure that you enter their IP addresses in the DHCP Setup screen. 7.3 LAN TCP/IP The IAD has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. 60 IAD Users Guide 7.3.1 IP Address and Subnet Mask Chapter 7 LAN Setup Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number. Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the IAD. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number; which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network. Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 10.0.0.138, for your IAD, but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your IAD will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the IAD unless you are instructed to do otherwise. 7.3.1.1 Private IP Addresses Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255 You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for IAD Users Guide 61 Chapter 7 LAN Setup your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses. Note: Regardless of your particular situation, do not create an arbitrary IP address;
always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. 7.3.2 RIP Setup RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. When set to:
Both - the IAD will broadcast its routing table periodically and incorporate the RIP information that it receives. In Only - the IAD will not send any RIP packets but will accept all RIP packets received. Out Only - the IAD will send out RIP packets but will not accept any RIP packets received. None - the IAD will not send any RIP packets and will ignore any RIP packets received. The Version field controls the format and the broadcasting method of the RIP packets that the IAD sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. 7.3.3 Multicast Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not 62 IAD Users Guide Chapter 7 LAN Setup assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The IAD supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-
v2). At start up, the IAD queries all directly connected networks to gather group membership. After that, the IAD periodically updates this information. IP multicasting can be enabled/disabled on the IAD LAN and/or WAN interfaces in the Web Configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces. 7.4 Configuring LAN IP and DHCP Click Network > LAN to open the IP & DHCP screen. See Section 7.1 on page 59 for background information. Use this screen to set the Local Area Network IP address and subnet mask of your IAD. You can also edit your IAD's RIP and multicast settings, and DNS server information that the IAD sends to the DHCP client devices on the LAN. Figure 19 LAN IP & DHCP IAD Users Guide 63 Chapter 7 LAN Setup The following table describes the fields in this screen. Table 9 LAN IP & DHCP LABEL LAN TCP/IP IP Address DESCRIPTION IP Subnet Mask Advanced/Basic RIP & Multicast Setup RIP Direction RIP Version Multicast DHCP Setup DHCP Enter the LAN IP address you want to assign to your IAD in dotted decimal notation, for example, 10.0.0.138 (factory default). Type the subnet mask of your network in dotted decimal notation, for example 255.255.255.0 (factory default). Your IAD automatically computes the subnet mask based on the IP Address you enter, so do not change this field unless you are instructed to do so. Click Advanced to display and edit RIP and multicast settings. Otherwise, click Basic to hide them. Select the RIP direction from None, Both, In Only and Out Only. Select the RIP version from RIP-1, RIP-2B and RIP-2M. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group. The IAD supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it. If set to Server, your IAD can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled. If set to Relay, the IAD acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients. Enter the IP address of the actual, remote DHCP server in the Remote DHCP Server field in this case. IP Pool Starting Address Pool Size Remote DHCP Server DNS Server When DHCP is used, the following items need to be set:
This field specifies the first of the contiguous addresses in the IP address pool. This field specifies the size, or count of the IP address pool. If Relay is selected in the DHCP field above then enter the IP address of the actual remote DHCP server here. This section displays only when you select Server in the DHCP field. The IAD passes a DNS (Domain Name System) server IP address to the DHCP clients. 64 IAD Users Guide Chapter 7 LAN Setup Table 9 LAN IP & DHCP (continued) LABEL First DNS Server DESCRIPTION Select FromISP if your ISP dynamically assigns DNS server information (and the IAD's WAN IP address). Second DNS Server Third DNS Server Apply Cancel Select UserDefined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose UserDefined, but leave the IP address set to 0.0.0.0, UserDefined changes to None after you click Apply. If you set a second choice to UserDefined, and enter the same IP address, the second UserDefined changes to None after you click Apply. Select DNS Relay to have the IAD act as a DNS proxy only when the ISP uses IPCP DNS server extensions. The IAD's LAN IP address displays in the field to the right (read-only). The IAD tells the DHCP clients on the LAN that the IAD itself is the DNS server. When a computer on the LAN sends a DNS query to the IAD, the IAD forwards the query to the real DNS server learned through IPCP and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you click Apply. Select None if you do not want to configure DNS servers. You must have another DHCP sever on your LAN, or else the computers must have their DNS server addresses manually configured. If you do not configure a DNS server, you must know the IP address of a computer in order to access it. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. 7.5 LAN Client List DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the IAD as a DHCP server or disable it. When configured as a server, the IAD provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured. Click Network > LAN > Client List to open the following screen. The read-only table shows current DHCP client information of all network clients using the IADs IAD Users Guide 65 Chapter 7 LAN Setup DHCP server. Use this screen to view IP addresses on the LAN assigned to specific individual computers based on their MAC Addresses. Figure 20 LAN Client List The following table describes the labels in this screen. Table 10 LAN Client List LABEL
IP Address MAC Address DESCRIPTION This is the index number of the IP table entry (row). This field displays the IP address assigned to the client computer. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. Expiration Time This field displays the MAC address of the client computer. This field displays the date and time the IP address expires. The client computer then cannot use this IP address and needs to request information from the DHCP server again. 7.6 LAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The IAD supports three logical LAN interfaces via its single physical Ethernet interface with the IAD itself as the gateway for each LAN network. When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets). Note: Make sure that the subnets of the logical networks do not overlap. 66 IAD Users Guide Chapter 7 LAN Setup The following figure shows a LAN divided into subnets A, B, and C. Figure 21 Physical Network & Partitioned Logical Networks Ethernet Interface A: 192.168.1.1 - 192.168.1.24 B: 192.168.2.1 - 192.168.2.24 C: 192.168.3.1 - 192.168.3.24 Click Network > LAN > IP Alias to open the following screen. Use this screen to change your IADs IP alias settings. Figure 22 LAN IP Alias The following table describes the labels in this screen. Table 11 LAN IP Alias LABEL IP Alias 1, 2 IP Address DESCRIPTION Select the check box to configure another LAN network for the IAD. Enter the IP address of your IAD in dotted decimal notation. IP Subnet Mask Apply Cancel Alternatively, click the right mouse button to copy and/or paste the IP address. Your IAD will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the IAD. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. IAD Users Guide 67 Chapter 7 LAN Setup 68 IAD Users Guide CHAPTER 8 Wireless LAN 8.1 Overview This chapter describes how to perform tasks related to setting up and optimizing your wireless network, including the following. Turning the wireless connection on or off. Configuring a name, wireless channel and security for the network. Using WiFi Protected Setup (WPS) to configure your wireless network. Using a MAC (Media Access Control) address filter to restrict access to the wireless network. See Chapter 3 on page 35 for a tutorial showing how to set up your wireless connection in an example scenario. See Section 8.10 on page 89 for advanced technical information on wireless networks. 8.1.1 What You Can Do in this Chapter This chapter describes the IADs Network > Wireless LAN screens. Use these screens to set up your IADs wireless connection. The General screen lets you turn the wireless connection on or off, set up wireless security and make other basic configuration changes (Section 8.4 on page 73). You can also configure the MAC filter to allow or block access to the IAD based on the MAC addresses of the wireless stations. The More AP screen lets you set up multiple wireless networks on your IAD
(Section 8.5 on page 82). Use the WPS screen and the WPS Station screen to use WiFi Protected Setup
(WPS). WPS lets you set up a secure network quickly, when connecting to other WPS-enabled devices. Use the WPS screen (see Section 8.6 on page 83) to enable or disable WPS, generate a security PIN (Personal Identification Number) and see information about the IADs WPS status. Use the WPS Station (see Section 8.7 on page 85) screen to set up WPS by pressing a button or using a PIN. IAD Users Guide 69 Chapter 8 Wireless LAN The WDS screen lets you set up a Wireless Distribution System, in which the IAD acts as a bridge with other ZyXEL access points (Section 8.8 on page 86). The Advanced Setup screen lets you change the wireless mode, and make other advanced wireless configuration changes (Section 8.9 on page 88). You dont necessarily need to use all these screens to set up your wireless connection. For example, you may just want to set up a network name, a wireless radio channel and some security in the General screen. 8.2 What You Need to Know Wireless Basics Wireless is essentially radio communication. In the same way that walkie-talkie radios send and receive information over the airwaves, wireless networking devices exchange information with one another. A wireless networking device is just like a radio that lets your computer exchange information with radios attached to other computers. Like walkie-talkies, most wireless networking devices operate at radio frequency bands that are open to the public and do not require a license to use. However, wireless networking is different from that of most traditional radio communications in that there a number of wireless networking standards available with different methods of data encryption. Wireless Network Construction Wireless networks consist of wireless clients, access points and bridges. A wireless client is a radio connected to a users computer. An access point is a radio with a wired connection to a network, which can connect with numerous wireless clients and let them access the network. A bridge is a radio that relays communications between access points and wireless clients, extending a networks range. Traditionally, a wireless network operates in one of two ways. An infrastructure type of network has one or more access points and one or more wireless clients. The wireless clients connect to the access points. An ad-hoc type of network is one in which there is no access point. Wireless clients connect to one another in order to exchange information. Network Names Each network must have a name, referred to as the SSID - Service Set IDentifier. The service set is the network, so the service set identifier is the networks name. This helps you identify your wireless network when wireless 70 IAD Users Guide Chapter 8 Wireless LAN networks coverage areas overlap and you have a variety of networks to choose from. Radio Channels In the radio spectrum, there are certain frequency bands allocated for unlicensed, civilian use. For the purposes of wireless networking, these bands are divided into numerous channels. This allows a variety of networks to exist in the same place without interfering with one another. When you create a network, you must select a channel to use. Since the available unlicensed spectrum varies from one country to another, the number of available channels also varies. Wireless Security By their nature, radio communications are simple to intercept. For wireless data networks, this means that anyone within range of a wireless network without security can not only read the data passing over the airwaves, but also join the network. Once an unauthorized person has access to the network she/he can either steal information or introduce malware (malicious software) intended to compromise the network. For these reasons, a variety of security systems have been developed to ensure that only authorized people can use a wireless data network, or understand the data carried on it. These security standards do two things. First, they authenticate. This means that only people presenting the right credentials (often a username and password, or a key phrase) can access the network. Second, they encrypt. This means that the information sent over the air is encoded. Only people with the code key can understand the information, and only people who have been authenticated are given the code key. These security standards vary in effectiveness. Some can be broken, such as the old Wired Equivalent Protocol (WEP). Using WEP is better than using no security at all, but it will not keep a determined attacker out. Other security standards are secure in themselves but can be broken if a user does not use them properly. For example, the WPA-PSK security standard is perfectly secure if you use a long key which is difficult for an attackers software to guess - for example, a twenty-letter long string of apparently random numbers and letters - but it is not very secure if you use a short key which is very easy to guess. Because of the damage that can be done by a malicious attacker, its not just people who have sensitive information on their network who should use security. Everybody who uses any wireless network should ensure that effective security is in place. IAD Users Guide 71 Chapter 8 Wireless LAN A good way to come up with effective security keys, passwords and so on is to use obscure information that you personally will easily remember, and to enter it in a way that appears random and does not include real words. For example, if your mother owns a 1970 Dodge Challenger and her favorite movie is Vanishing Point
(which you know was made in 1971) you could use 70dodchal71vanpoi as your security key. Signal Problems Because wireless networks are radio networks, their signals are subject to limitations of distance, interference and absorption. Problems with distance occur when the two radios are too far apart. Problems with interference occur when other radio waves interrupt the data signal. Interference may come from other radio transmissions, such as military or air traffic control communications, or from machines that are coincidental emitters such as electric motors or microwaves. Problems with absorption occur when physical objects
(such as thick walls) are between the two radios, muffling the signal. 8.3 Before You Begin Before you start using these screens, ask yourself the following questions. See Section 8.2 on page 70 if some of the terms used here do not make sense to you. What wireless standards do the other wireless devices support (IEEE 802.11g, for example)? What is the most appropriate standard to use?
What security options do the other wireless devices support (WPA-PSK, for example)? What is the best one to use?
Do the other wireless devices support WPS (Wi-Fi Protected Setup)? If so, you can set up a well-secured network very easily. Even if some of your devices support WPS and some do not, you can use WPS to set up your network and then add the non-WPS devices manually, although this is somewhat more complicated to do. What advanced options do you want to configure, if any? If you want to configure advanced options, ensure that you know precisely what you want to do. If you do not want to configure advanced options, leave them alone. 72 IAD Users Guide Chapter 8 Wireless LAN 8.4 The General Screen Note: If you are configuring the IAD from a computer connected to the wireless LAN and you change the IADs SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the IADs new settings. Click Network > Wireless LAN to open the General screen. Figure 23 Network > Wireless LAN > General The following table describes the labels in this screen. Table 12 Network > Wireless LAN > General LABEL Active Wireless LAN Channel Selection DESCRIPTION Click the check box to activate wireless LAN. Set the operating frequency/channel depending on your particular region. Select a channel or use Auto to have the IAD automatically determine a channel to use. If you are having problems with wireless interference, changing the channel may help. Try to use a channel that is as many channels away from any channels used by neighboring APs as possible. The channel number which the IAD is currently using then displays next to this field. IAD Users Guide 73 Chapter 8 Wireless LAN Table 12 Network > Wireless LAN > General LABEL Bandwidth DESCRIPTION Select whether the IAD uses a wireless channel width of 20MHz or 40MHz. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300 Mbps. 40MHz (channel bonding or dual channel) bonds two adjacent radio channels to increase throughput. The wireless clients must also support 40 MHz. It is often better to use the 20 MHz setting in a location where the environment hinders the wireless signal. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding. This field is available only when you set the 802.11 Mode to 802.11n Only or 802.11b/g/n Mixed in the Advanced Setup screen. This is available for some regions when you select a specific channel and set the Bandwidth field to 40MHz. Set whether the control channel (set in the Channel field) should be in the Lower or Upper range of channel bands. This field is available only when you set the 802.11 Mode to 802.11n Only or 802.11b/g/n Mixed in the Advanced Setup screen. The SSID (Service Set IDentity) identifies the service set with which a wireless device is associated. Wireless devices associating to the access point (AP) must have the same SSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. Note: If you are configuring the IAD from a computer connected to the wireless LAN and you change the IADs SSID or wireless security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the IADs new settings. Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning using a site survey tool. Select this check box to allow the IAD to convert wireless multicast traffic into wireless unicast traffic. This shows the MAC address of the wireless interface on the IAD when wireless LAN is enabled. See the following sections for more details about this field. Click this button to go to the MAC Filter screen to configure whether the wireless devices with the MAC addresses listed are allowed or denied to access the IAD using this SSID. Click this to save your changes back to the IAD. Click this to reload the previous configuration for this screen. Control Sideband Network Name (SSID) Hide Network Name (SSID) Enable Wireless Multicast Forwarding
(WMF) BSSID Security Mode MAC Filter Apply Reset 74 IAD Users Guide Chapter 8 Wireless LAN 8.4.1 No Security Select No Security to allow wireless devices to communicate with the access points without any data encryption or authentication. Note: If you do not enable any wireless security on your IAD, your network is accessible to any wireless networking device that is within range. Figure 24 Wireless LAN > General: No Security The following table describes the labels in this screen. Table 13 Wireless LAN > General: No Security LABEL Security Mode DESCRIPTION Choose No Security from the drop-down list box. IAD Users Guide 75 Chapter 8 Wireless LAN 8.4.2 WEP Encryption In order to configure and enable WEP encryption; click Network > Wireless LAN to display the General screen. Select WEP from the Security Mode list. Figure 25 Wireless LAN > General: Static WEP Encryption The following table describes the wireless LAN security labels in this screen. Table 14 Network > Wireless LAN > General: Static WEP Encryption LABEL Security Mode DESCRIPTION Choose WEP from the drop-down list box. 76 IAD Users Guide Chapter 8 Wireless LAN Table 14 Network > Wireless LAN > General: Static WEP Encryption LABEL WEP Encryption DESCRIPTION WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select 64-bit or 128-bit to enable data encryption. The WEP key is used to secure your data from eavesdropping by unauthorized wireless users. Both the IAD and the wireless stations must use the same WEP key for data transmission. Key 1 to Key 4 Only one key can be activated at any one time. Select a default key to use for data encryption. If you chose 64-bit in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. 8.4.3 WPA(2)-PSK In order to configure and enable WPA(2)-PSK authentication; click Network >
Wireless LAN to display the General screen. Select WPA-PSK or WPA2-PSK from the Security Mode list. Figure 26 Wireless LAN > General: WPA(2)-PSK IAD Users Guide 77 Chapter 8 Wireless LAN The following table describes the wireless LAN security labels in this screen. Table 15 Wireless LAN > General: WPA(2)-PSK LABEL Auto Generate Key DESCRIPTION This field is only available for WPA-PSK. Select this option to have the IAD automatically generate an SSID and pre-shared key. The SSID and Pre-Shared Key fields will not be configurable when you select this option. Choose WPA-PSK or WPA2-PSK from the drop-down list box. This field is only available for WPA2-PSK. Select this if you want the IAD to support WPA-PSK and WPA2-PSK simultaneously. Select the encryption type (TKIP, AES or TKIP+AES) for data encryption. Security Mode Active Compatible Encryption Select TKIP if your wireless clients can all use TKIP. Select AES if your wireless clients can all use AES. Select TKIP+AES to allow the wireless clients to use either TKIP or AES. Pre-Shared Key The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters
(including spaces and symbols). The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. Group Key Update Timer 8.4.4 WPA(2) Authentication Use this screen to configure and enable WPA or WPA2 authentication; click the Wireless LAN link under Network to display the General screen. Select WPA or WPA2 from the Security Mode list. Note: WPA or WPA2 is not available if you enable WPS before you configure WPA or WPA2 in the Wireless LAN > General screen. 78 IAD Users Guide Chapter 8 Wireless LAN Note: If you select WPA or WPA2 in the Wireless LAN > General screen, the WDS and WPS features are not available on the IAD. Figure 27 Wireless LAN > General: WPA(2) The following table describes the wireless LAN security labels in this screen. Table 16 Wireless LAN > General: WPA(2) LABEL Security Mode Active Compatible Encryption DESCRIPTION Choose WPA or WPA2 from the drop-down list box. This field is only available for WPA2. Select this if you want the IAD to support WPA and WPA2 simultaneously. Select the encryption type (TKIP, AES or TKIP+AES) for data encryption. Select TKIP if your wireless clients can all use TKIP. Select AES if your wireless clients can all use AES. Select TKIP+AES to allow the wireless clients to use either TKIP or AES. IAD Users Guide 79 Chapter 8 Wireless LAN Table 16 Wireless LAN > General: WPA(2) LABEL WPA2 Preauthenticatio n DESCRIPTION This field is available only when you select WPA2. Network Re-auth Interval Pre-authentication enables fast roaming by allowing the wireless client
(already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it. Select Enabled to turn on preauthentication in WAP2. Otherwise, select Disabled. This field is available only when you select WPA2. Specify how often wireless clients have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 2147483647 seconds. Note: If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Group Key Update Timer Authentication Server The Group Key Update Timer is the rate at which the RADIUS server sends a new group key out to all clients. IP Address Port Number Enter the IP address of the external authentication server in dotted decimal notation. Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. Shared Secret Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the IAD. The key must be the same on the external authentication server and your IAD. The key is not sent over the network. 8.4.5 MAC Filter This screen allows you to configure the IAD to give exclusive access to specific devices (Allow) or exclude specific devices from accessing the IAD (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC addresses of the devices to configure this screen. 80 IAD Users Guide Chapter 8 Wireless LAN Use this screen to change your IADs MAC filter settings. Click the Edit button in the Wireless LAN > General screen. The following screen displays. Figure 28 Wireless LAN > MAC Filter The following table describes the labels in this screen. Table 17 Wireless LAN > MAC Filter LABEL MAC Restrict Mode DESCRIPTION Define the filter action for the list of MAC addresses in the table below. Select Disabled to turn off MAC address filtering. Select Allow to permit access to the IAD, MAC addresses not listed will be denied access to the IAD. Select Deny to block access to the IAD, MAC addresses not listed will be allowed to access the IAD This is the index number of the MAC address. This is the MAC addresses of the wireless devices that are allowed or denied access to the IAD. Click the Remove icon to delete the entry. Click this to return to the previous screen without saving changes. Click this to create a new MAC filtering rule.
MAC Address Modify Back Add 8.4.6 Adding a New MAC Filtering Rule Click the Add button in the MAC Filter screen. The following screen displays. Figure 29 Wireless LAN > MAC Filter > Add IAD Users Guide 81 Chapter 8 Wireless LAN The following table describes the labels in this screen. Table 18 Wireless LAN > MAC Filter > Add LABEL MAC Address DESCRIPTION Enter the MAC addresses of the wireless devices that are allowed or denied access to the IAD in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc. Click this to return to the previous screen without saving changes. Click this to save your changes and go back to the previous screen. Back Apply 8.5 The More AP Screen This screen allows you to enable and configure multiple wireless networks on the IAD. Click Network > Wireless LAN > More AP. The following screen displays. Figure 30 Network > Wireless LAN > More AP The following table describes the labels in this screen. Table 19 Network > Wireless LAN > More AP LABEL
Active SSID DESCRIPTION This is the index number of each SSID profile. Select the check box to activate an SSID profile. An SSID profile is the set of parameters relating to one of the IADs BSSs. The SSID (Service Set IDentifier) identifies the Service Set with which a wireless device is associated. This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. This field indicates the security mode of the SSID profile. Click the Edit icon to configure the SSID profile. Security Modify 82 IAD Users Guide Chapter 8 Wireless LAN Table 19 Network > Wireless LAN > More AP LABEL Apply Reset DESCRIPTION Click Apply to save your changes back to the IAD. Click Reset to reload the previous configuration for this screen. 8.5.1 More AP Edit Use this screen to edit an SSID profile. Click the Edit icon next to an SSID in the More AP screen. The following screen displays. Figure 31 Network > Wireless LAN > More AP: Edit See Section 8.4 on page 73 for more details about the fields in this screen. 8.6 The WPS Screen Use this screen to configure WiFi Protected Setup (WPS) on your IAD. WPS allows you to quickly set up a wireless network with strong security, without having to configure security settings manually. Set up each WPS connection between two devices. Both devices must support WPS. IAD Users Guide 83 Chapter 8 Wireless LAN Click Network > Wireless LAN >WPS. The following screen displays. Figure 32 Network > Wireless LAN > WPS The following table describes the labels in this screen. DESCRIPTION Table 20 Network > Wireless LAN > WPS LABEL WPS Setup Enable WPS PIN Number Select the check box to activate WPS on the IAD. This shows the PIN (Personal Identification Number) of the IAD. Enter this PIN in the configuration utility of the device you want to connect to using WPS. Generate WPS Status Release_Co nfiguration The PIN is not necessary when you use WPS push-button method. Click this button to have the IAD create a new PIN. This displays Configured when the IAD has connected to a wireless network using WPS or Enable WPS is selected and wireless or wireless security settings have been changed. The current wireless and wireless security settings also appear in the screen. This displays Unconfigured if WPS is disabled and there is no wireless or wireless security changes on the IAD or you click Release_Configuration to remove the configured wireless and wireless security settings. This button is available when the WPS status is Configured but not configurable if you disable WPS. Click this button to remove all configured wireless and wireless security settings for WPS connections on the IAD. Click Apply to save your changes back to the IAD. Apply 84 IAD Users Guide 8.7 The WPS Station Screen Chapter 8 Wireless LAN Use this screen to set up a WPS wireless network using either Push Button Configuration (PBC) or PIN Configuration. Note: If you select No Security in the Wireless LAN > General screen and click Push Button in the WPS Station screen, the IAD automatically changes to use WPA-PSK/WPA2-PSK mixed mode and generates a pre-shared key. Click Network > Wireless LAN > WPS Station. The following screen displays. Figure 33 Network > Wireless LAN > WPS Station The following table describes the labels in this screen. Table 21 Network > Wireless LAN > WPS Station LABEL Push Button DESCRIPTION Click this button to add another WPS-enabled wireless device (within wireless range of the IAD) to your wireless network. This button may either be a physical button on the outside of device, or a menu button similar to the Push Button on this screen. Note: You must press the other wireless devices WPS button within two minutes of pressing this button. Or input station's PIN number Enter the PIN of the device that you are setting up a WPS connection with and click Start to authenticate and add the wireless device to your wireless network. You can find the PIN either on the outside of the device, or by checking the devices settings. Note: You must also activate WPS on that device within two minutes to have it present its PIN to the IAD. IAD Users Guide 85 Chapter 8 Wireless LAN 8.8 The WDS Screen A Wireless Distribution System (WDS) is a wireless connection between two or more APs. Use this screen to set up your WDS links between the IADs. You need to know the MAC address of the peer device. Once the security settings of peer sides match one another, the connection between the devices is made. Note: You cannot use WDS when WPS is enabled or wireless security is set to WPA"
or "WPA2". The wireless security settings apply to both WDS links and the connections between the ZyXEL Device and any wireless clients. Note: At the time of writing, WDS is only compatible with other ZyXEL Devices of the same model. Click Network > Wireless LAN > WDS. The following screen displays. WDS is turned on and this screen is configurable when the ZyXEL Device's wireless security mode is No Security, WEP or WPA(2)-PSK. Figure 34 Network > Wireless LAN > WDS 86 IAD Users Guide Chapter 8 Wireless LAN The following table describes the labels in this screen. Table 22 Network > Wireless LAN > WDS LABEL WDS Operating Mode Select the operating mode for your IAD. DESCRIPTION Access Point + Bridge - The IAD functions as a bridge and access point simultaneously. Wireless Bridge - The IAD acts as a wireless network bridge and establishes wireless links with other APs. In this mode, clients cannot connect to the IAD wirelessly. You need to know the MAC address of the peer device, which must be of the same model and also WDS-enabled. The IAD can establish up to four wireless links with other APs. This field is available only when you set operating mode to Access Point + Bridge. Select Enabled to turn on WDS and enter the peer devices MAC address manually in the table below. Bridge Restrict Select Enabled(Scan) to turn on WDS, search and display the available APs within range in the table below. Enter the MAC address of the peer device that your IAD wants to make a bridge connection with. Remote Bridges MAC Address You can connect to up to 4 peer devices. This field is available only when you select Enabled(Scan) in the Bridge Restrict field. Select the check box and click Apply to have the IAD establish a wireless link with the selected wireless device. This field is available only when you select Enabled(Scan) in the Bridge Restrict field. This shows the SSID of the available wireless device within range. This field is available only when you select Enabled(Scan) in the Bridge Restrict field. This shows the MAC address of the available wireless device within range. Click Refresh to update the Remote Bridges MAC Address table when Bridge Restrict is set to Enabled(Scan). Click Apply to save your changes to IAD. SSID BSSID Refresh Apply IAD Users Guide 87 Chapter 8 Wireless LAN 8.9 The Advanced Setup Screen To configure advanced wireless settings, click Network > Wireless LAN >
Advanced Setup. The screen appears as shown. Figure 35 Wireless LAN > Advanced Setup The following table describes the labels in this screen. DESCRIPTION Enter a value between 0 and 2432. Table 23 Wireless LAN > Advanced Setup LABEL RTS/CTS Threshold Fragmentation Threshold Number of Wireless Stations Allowed Output Power This is the maximum data fragment size that can be sent. Enter a value between 256 and 2432. Specify the maximum number (from 1 to 64) of the wireless stations that may connect to the IAD. Set the output power of the IAD. If there is a high density of APs in an area, decrease the output power to reduce interference with other APs. Select one of the following 20%, 40%, 60%, 80% or 100%. Multicast Rate Select a data rate at which the IAD transmits wireless multicast traffic. If you select a high rate, multicast traffic may occupy all the bandwidth and cause metwork congestion. 88 IAD Users Guide Chapter 8 Wireless LAN Table 23 Wireless LAN > Advanced Setup LABEL 802.11 Mode DESCRIPTION Select 802.11b Only to only allow IEEE 802.11b compliant WLAN devices to associate with the IAD. Select 802.11g Only to allow IEEE 802.11g compliant WLAN devices to associate with the IAD. IEEE 802.11b compliant WLAN devices can associate with the IAD only when they use the short premble type. Select 802.11n Only to only allow IEEE 802.11n compliant WLAN devices to associate with the IAD. This can increase transmission rates, although IEEE 802.11b or IEEE 802.11g clients will not be able to connect to the IAD. Select 802.11b/g Mixed to allow either IEEE 802.11b or IEEE 802.11g compliant WLAN devices to associate with the IAD. The IAD adjusts the transmission rate automatically according to the wireless standard supported by the wireless devices. Select 802.11 b/g/n mixed mode to allow both IEEE802.11b, IEEE802.11g and IEEE802.11n compliant WLAN devices to associate with the IAD. The transmission rate of your IAD might be reduced. Enabling this feature can help prevent collisions in mixed-mode networks
(networks with both IEEE 802.11b and IEEE 802.11g traffic). Select Auto to have the wireless devices transmit data after a RTS/CTS handshake. This helps improve IEEE 802.11g performance. Select Off to disable 802.11 protection. The transmission rate of your IAD might be reduced in a mixed-mode network. This field displays Off and is not configurable when you set 802.11 Mode to 802.11b Only. Select a preamble type from the drop-down list menu. Choices are Long or Short. The default setting is Long. See the appendix for more information. This field is not configurable and the IAD uses Short when you set 802.11 Mode to 802.11g Only or 802.11n Only. Click this to save your changes back to the IAD. Click this to reload the previous configuration for this screen. 802.11 Protection Preamble Apply Reset 8.10 Technical Reference This section discusses wireless LANs in depth. For more information, see the appendix. IAD Users Guide 89 Chapter 8 Wireless LAN 8.10.1 Wireless Network Overview The following figure provides an example of a wireless network. Figure 36 Example of a Wireless Network AP A B The wireless network is the part in the blue circle. In this wireless network, devices A and B use the access point (AP) to interact with the other devices (such as the printer) or with the Internet. Your IAD is the AP. Every wireless network must follow these basic guidelines. Every device in the same wireless network must use the same SSID. The SSID is the name of the wireless network. It stands for Service Set IDentity. If two wireless networks overlap, they should use a different channel. Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information. Every device in the same wireless network must use security compatible with the AP. Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network. 90 IAD Users Guide Chapter 8 Wireless LAN 8.10.2 Additional Wireless Terms The following table describes some wireless network terms and acronyms used in the IADs Web Configurator. Table 24 Additional Wireless Terms TERM RTS/CTS Threshold In a wireless network which covers a large area, wireless devices DESCRIPTION are sometimes not aware of each others presence. This may cause them to send information to the AP at the same time and result in information colliding and not getting through. By setting this value lower than the default value, the wireless devices must sometimes get permission to send information to the IAD. The lower the value, the more often the devices must get permission. If this value is greater than the fragmentation threshold value (see below), then wireless devices never have to get permission to send information to the IAD. A preamble affects the timing in your wireless network. There are two preamble modes: long and short. If a device uses a different preamble mode than the IAD does, it cannot communicate with the IAD. The process of verifying whether a wireless device is allowed to use the wireless network. A small fragmentation threshold is recommended for busy networks, while a larger threshold provides faster performance if the network is not very busy. Preamble Authentication Fragmentation Threshold 8.10.3 Wireless Security Overview The following sections introduce different types of wireless security you can set up in the wireless network. 8.10.3.1 SSID Normally, the IAD acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the IAD does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess. This type of security is fairly weak, however, because there are ways for unauthorized wireless devices to get the SSID. In addition, unauthorized wireless devices can still see the information that is sent in the wireless network. 8.10.3.2 MAC Address Filter Every device that can use a wireless network has a unique identification number, called a MAC address.1 A MAC address is usually written using twelve hexadecimal IAD Users Guide 91 Chapter 8 Wireless LAN characters2; for example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each device in the wireless network, see the devices Users Guide or other documentation. You can use the MAC address filter to tell the IAD which devices are allowed or not allowed to use the wireless network. If a device is allowed to use the wireless network, it still has to have the correct information (SSID, channel, and security). If a device is not allowed to use the wireless network, it does not matter if it has the correct information. This type of security does not protect the information that is sent in the wireless network. Furthermore, there are ways for unauthorized wireless devices to get the MAC address of an authorized device. Then, they can use that MAC address to use the wireless network. 8.10.3.3 User Authentication Authentication is the process of verifying whether a wireless device is allowed to use the wireless network. You can make every user log in to the wireless network before they can use it. However, every device in the wireless network has to support IEEE 802.1x to do this. For wireless networks, you can store the user names and passwords for each user in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you cannot set up user names and passwords for your users. Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network. 8.10.3.4 Encryption Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message. 1. Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks. These kinds of wireless devices might not have MAC addresses. 2. Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. 92 IAD Users Guide The types of encryption you can choose depend on the type of authentication.
(See Section 8.10.3.3 on page 92 for information about this.) Chapter 8 Wireless LAN Table 25 Types of Encryption for Each Type of Authentication Weakest NO AUTHENTICATION RADIUS SERVER No Security Static WEP WPA-PSK Stronges t WPA2-PSK WPA WPA2 For example, if the wireless network has a RADIUS server, you can choose WPA or WPA2. If users do not log in to the wireless network, you can choose no encryption, Static WEP, WPA-PSK, or WPA2-PSK. Usually, you should set up the strongest encryption that every device in the wireless network supports. For example, suppose you have a wireless network with the IAD and you do not have a RADIUS server. Therefore, there is no authentication. Suppose the wireless network has two devices. Device A only supports WEP, and device B supports WEP and WPA. Therefore, you should set up Static WEP in the wireless network. Note: It is recommended that wireless networks use WPA-PSK, WPA, or stronger encryption. The other types of encryption are better than none at all, but it is still possible for unauthorized wireless devices to figure out the original information pretty quickly. When you select WPA2 or WPA2-PSK in your IAD, you can also select an option
(WPA compatible) to support WPA as well. In this case, if some of the devices support WPA and some support WPA2, you should set up WPA2-PSK or WPA2
(depending on the type of wireless network login) and select the WPA compatible option in the IAD. Many types of encryption use a key to protect the information in the wireless network. The longer the key, the stronger the encryption. Every device in the wireless network must have the same key. 8.10.4 WiFi Protected Setup Your IAD supports WiFi Protected Setup (WPS), which is an easy way to set up a secure wireless network. WPS is an industry standard specification, defined by the WiFi Alliance. WPS allows you to quickly set up a wireless network with strong security, without having to configure security settings manually. Each WPS connection works IAD Users Guide 93 Chapter 8 Wireless LAN between two devices. Both devices must support WPS (check each devices documentation to make sure). Depending on the devices you have, you can either press a button (on the device itself, or in its configuration utility) or enter a PIN (a unique Personal Identification Number that allows one device to authenticate the other) in each of the two devices. When WPS is activated on a device, it has two minutes to find another device that also has WPS activated. Then, the two devices connect and set up a secure network by themselves. 8.10.4.1 Push Button Configuration WPS Push Button Configuration (PBC) is initiated by pressing a button on each WPS-enabled device, and allowing them to connect automatically. You do not need to enter any information. Not every WPS-enabled device has a physical WPS button. Some may have a WPS PBC button in their configuration utilities instead of or in addition to the physical button. Take the following steps to set up WPS using the button. 1 Ensure that the two devices you want to set up are within wireless range of one another. 2 3 Look for a WPS button on each device. If the device does not have one, log into its configuration utility and locate the button (see the devices Users Guide for how to do this - for the IAD, see Section 8.7 on page 85). Press the button on one of the devices (it doesnt matter which). For the IAD you must press the WPS button for more than three seconds. 4 Within two minutes, press the button on the other device. The registrar sends the network name (SSID) and security key through an secure connection to the enrollee. If you need to make sure that WPS worked, check the list of associated wireless clients in the APs configuration utility. If you see the wireless client in the list, WPS was successful. 8.10.4.2 PIN Configuration Each WPS-enabled device has its own PIN (Personal Identification Number). This may either be static (it cannot be changed) or dynamic (in some devices you can generate a new PIN by clicking on a button in the configuration interface). 94 IAD Users Guide Chapter 8 Wireless LAN Use the PIN method instead of the push-button configuration (PBC) method if you want to ensure that the connection is established between the devices you specify, not just the first two devices to activate WPS in range of each other. However, you need to log into the configuration interfaces of both devices to use the PIN method. When you use the PIN method, you must enter the PIN from one device (usually the wireless client) into the second device (usually the Access Point or wireless router). Then, when WPS is activated on the first device, it presents its PIN to the second device. If the PIN matches, one device sends the network and security information to the other, allowing it to join the network. Take the following steps to set up a WPS connection between an access point or wireless router (referred to here as the AP) and a client device using the PIN method. 1 Ensure WPS is enabled on both devices. 2 Access the WPS section of the APs configuration interface. See the devices Users Guide for how to do this. 3 Look for the clients WPS PIN; it will be displayed either on the device, or in the WPS section of the clients configuration interface (see the devices Users Guide for how to find the WPS PIN - for the IAD, see Section 8.6 on page 83). 4 Enter the clients PIN in the APs configuration interface. Note: If the client devices configuration interface has an area for entering another devices PIN, you can either enter the clients PIN in the AP, or enter the APs PIN in the client - it does not matter which. 5 Start WPS on both devices within two minutes. Note: Use the configuration utility to activate WPS, not the push-button on the device itself. 6 On a computer connected to the wireless client, try to connect to the Internet. If you can connect, WPS was successful. If you cannot connect, check the list of associated wireless clients in the APs configuration utility. If you see the wireless client in the list, WPS was successful. IAD Users Guide 95 Chapter 8 Wireless LAN The following figure shows a WPS-enabled wireless client (installed in a notebook computer) connecting to the WPS-enabled AP via the PIN method. Figure 37 Example WPS Process: PIN Method ENROLLEE REGISTRAR WPS This devices WPS PIN: 123456 WPS Enter WPS PIN from other device:
WPS WPS START START WITHIN 2 MINUTES SECURE EAP TUNNEL SSID WPA(2)-PSK COMMUNICATION 8.10.4.3 How WPS Works When two WPS-enabled devices connect, each device must assume a specific role. One device acts as the registrar (the device that supplies network and security settings) and the other device acts as the enrollee (the device that receives network and security settings. The registrar creates a secure EAP (Extensible Authentication Protocol) tunnel and sends the network name (SSID) and the WPA-
PSK or WPA2-PSK pre-shared key to the enrollee. Whether WPA-PSK or WPA2-PSK is used depends on the standards supported by the devices. If the registrar is already part of a network, it sends the existing information. If not, it generates the SSID and WPA(2)-PSK randomly. 96 IAD Users Guide Chapter 8 Wireless LAN The following figure shows a WPS-enabled client (installed in a notebook computer) connecting to a WPS-enabled access point. Figure 38 How WPS works ACTIVATE WPS ACTIVATE WPS ENROLLEE WITHIN 2 MINUTES WPS HANDSHAKE SECURE TUNNEL SECURITY INFO COMMUNICATION REGISTRAR The roles of registrar and enrollee last only as long as the WPS setup process is active (two minutes). The next time you use WPS, a different device can be the registrar if necessary. The WPS connection process is like a handshake; only two devices participate in each WPS transaction. If you want to add more devices you should repeat the process with one of the existing networked devices and the new device. Note that the access point (AP) is not always the registrar, and the wireless client is not always the enrollee. All WPS-certified APs can be a registrar, and so can some WPS-enabled wireless clients. By default, a WPS devices is unconfigured. This means that it is not part of an existing network and can act as either enrollee or registrar (if it supports both functions). If the registrar is unconfigured, the security settings it transmits to the enrollee are randomly-generated. Once a WPS-enabled device has connected to another device using WPS, it becomes configured. A configured wireless client can still act as enrollee or registrar in subsequent WPS connections, but a configured access point can no longer act as enrollee. It will be the registrar in all subsequent WPS connections in which it is involved. If you want a configured AP to act as an enrollee, you must reset it to its factory defaults. IAD Users Guide 97 Chapter 8 Wireless LAN 8.10.4.4 Example WPS Network Setup This section shows how security settings are distributed in an example WPS setup. The following figure shows an example network. In step 1, both AP1 and Client 1 are unconfigured. When WPS is activated on both, they perform the handshake. In this example, AP1 is the registrar, and Client 1 is the enrollee. The registrar randomly generates the security information to set up the network, since it is unconfigured and has no existing information. Figure 39 WPS: Example Network Step 1 ENROLLEE CLIENT 1 SECURITY INFO REGISTRAR AP1 In step 2, you add another wireless client to the network. You know that Client 1 supports registrar mode, but it is better to use AP1 for the WPS handshake with the new client since you must connect to the access point anyway in order to use the network. In this case, AP1 must be the registrar, since it is configured (it already has security information for the network). AP1 supplies the existing security information to Client 2. Figure 40 WPS: Example Network Step 2 REGISTRAR AP1 EXISTING CONNECTION O F Y I N R I T U C E S CLIENT 1 ENROLLEE CLIENT 2 In step 3, you add another access point (AP2) to your network. AP2 is out of range of AP1, so you cannot use AP1 for the WPS handshake with the new access 98 IAD Users Guide Chapter 8 Wireless LAN point. However, you know that Client 2 supports the registrar function, so you use it to perform the WPS handshake instead. Figure 41 WPS: Example Network Step 3 CLIENT 1 REGISTRAR CLIENT 2 EXISTING CONNECTION N T I O C E N N O G C T I N X I S E SECURITY INFO AP1 ENROLLEE AP2 8.10.4.5 Limitations of WPS WPS has some limitations of which you should be aware. WPS works in Infrastructure networks only (where an AP and a wireless client communicate). It does not work in Ad-Hoc networks (where there is no AP). When you use WPS, it works between two devices only. You cannot enroll multiple devices simultaneously, you must enroll one after the other. For instance, if you have two enrollees and one registrar you must set up the first enrollee (by pressing the WPS button on the registrar and the first enrollee, for example), then check that it successfully enrolled, then set up the second device in the same way. WPS works only with other WPS-enabled devices. However, you can still add non-WPS devices to a network you already set up using WPS. WPS works by automatically issuing a randomly-generated WPA-PSK or WPA2-
PSK pre-shared key from the registrar device to the enrollee devices. Whether the network uses WPA-PSK or WPA2-PSK depends on the device. You can check the configuration interface of the registrar device to discover the key the network is using (if the device supports this feature). Then, you can enter the key into the non-WPS device and join the network as normal (the non-WPS device must also support WPA-PSK or WPA2-PSK). IAD Users Guide 99 Chapter 8 Wireless LAN When you use the PBC method, there is a short period (from the moment you press the button on one device to the moment you press the button on the other device) when any WPS-enabled device could join the network. This is because the registrar has no way of identifying the correct enrollee, and cannot differentiate between your enrollee and a rogue device. This is a possible way for a hacker to gain access to a network. You can easily check to see if this has happened. WPS works between only two devices simultaneously, so if another device has enrolled your device will be unable to enroll, and will not have access to the network. If this happens, open the access points configuration interface and look at the list of associated clients (usually displayed by MAC address). It does not matter if the access point is the WPS registrar, the enrollee, or was not involved in the WPS handshake; a rogue device must still associate with the access point to gain access to the network. Check the MAC addresses of your wireless clients
(usually printed on a label on the bottom of the device). If there is an unknown MAC address you can remove it or reset the AP. 100 IAD Users Guide CHAPTER 9 Network Address Translation
(NAT) 9.1 Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network. This chapter discusses how to configure NAT on the IAD. See Section 9.6 on page 112 for advanced technical information on NAT. 9.1.1 What You Can Do in this Chapter Use the General screen (Section 9.2 on page 102) to configure the NAT setup settings. Use the Port Forwarding screen (Section 9.3 on page 104) to configure forward incoming service requests to the server(s) on your local network. Use the Address Mapping screen (Section 9.4 on page 108) to change your IADs address mapping settings. Use the ALG screen (Section 9.5 on page 111) to enable and disable the SIP
(VoIP) ALG in the IAD. 9.1.2 What You Need To Know Inside/Outside and Global/Local Inside/outside denotes where a host is located relative to the IAD, for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts. Global/local denotes the IP address of a host in a packet as the packet traverses a router, for example, the local address refers to the IP address of a host when the IAD Users Guide 101 Chapter 9 Network Address Translation (NAT) packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. NAT In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world. SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The IAD also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 33 on page 115. Choose SUA Only if you have just one public WAN IP address for your IAD. Choose Full Feature if you have multiple public WAN IP addresses for your IAD. 9.2 The NAT General Screen Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the IAD. 102 IAD Users Guide Chapter 9 Network Address Translation (NAT) Click Network > NAT to open the following screen. Figure 42 Network > NAT > General The following table describes the labels in this screen. DESCRIPTION Select this check box to enable NAT. Table 26 Network > NAT > General LABEL Active Network Address Translation
(NAT) SUA Only Select this radio button if you have just one public WAN IP address for your IAD. Full Feature Select this radio button if you have multiple public WAN IP addresses for Max NAT/
Firewall Session Per User Apply Cancel your IAD. When computers use peer to peer applications, such as file sharing applications, they need to establish NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet. Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/Firewall sessions client computers can establish through the IAD. If your network has a small number of clients using peer to peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer to peer applications, you can lower this number to ensure no single client is exhausting all of the available NAT sessions. Click Apply to save your changes back to the IAD. Click Cancel to reload the previous configuration for this screen. IAD Users Guide 103 Chapter 9 Network Address Translation (NAT) 9.3 The Port Forwarding Screen Note: This screen is available only when you select SUA only in the NAT > General screen. Use the Port Forwarding screen to forward incoming service requests to the server(s) on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports. The most often used port numbers and services are shown in Appendix F on page 313. Please refer to RFC 1700 for further information about port numbers. Note: Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP. Default Server IP Address In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen. Note: If you do not assign a Default Server IP address, the IAD discards all packets received for ports that are not specified here or in the remote management setup. Configuring Servers Behind Port Forwarding (Example) Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP 104 IAD Users Guide Chapter 9 Network Address Translation (NAT) addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet. Figure 43 Multiple Servers Behind NAT Example A=192.168.1.33 LAN WAN B=192.168.1.34 192.168.1.1 IP Address assigned by ISP C=192.168.1.35 D=192.168.1.36 9.3.1 Configuring the Port Forwarding Screen Click Network > NAT > Port Forwarding to open the following screen. See Appendix F on page 313 for port numbers commonly used for particular services. Figure 44 Network > NAT > Port Forwarding The following table describes the fields in this screen. Table 27 Network > NAT > Port Forwarding LABEL Default Server Setup Default Server DESCRIPTION In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the IAD discards all packets received for ports that are not specified here or in the remote management setup. IAD Users Guide 105 Chapter 9 Network Address Translation (NAT) DESCRIPTION Table 27 Network > NAT > Port Forwarding LABEL Port Forwarding Service Name Server IP Address Add
Active Click this button to add a rule to the table below. This is the rule index number (read-only). This field indicates whether the rule is active or not. Select a service from the drop-down list box. Enter the IP address of the server for the specified service. Clear the check box to disable the rule. Select the check box to enable it. This is a services name. This is the transport layer protocol used for the service. This is the first external port number that identifies a service. This is the last external port number that identifies a service. This is the first internal port number that identifies a service. This is the last internal port number that identifies a service. This is the servers IP address. Click the edit icon to go to the screen where you can edit the port forwarding rule. Click the delete icon to delete an existing port forwarding rule. Note that subsequent address mapping rules move up by one when you take this action. Click Apply to save your changes back to the IAD. Click Cancel to return to the previous configuration. Service Name Protocol Start Port End Port Port Translation Start Port End Port Server IP Address Modify Apply Cancel 106 IAD Users Guide Chapter 9 Network Address Translation (NAT) 9.3.2 The Port Forwarding Rule Edit Screen Use this screen to edit a port forwarding rule. Select User define in the Service Name field of the Port Forwarding screen or click an existing rules edit icon in the Port Forwarding screen to display the screen shown next. Figure 45 Network > NAT > Port Forwarding: Edit The following table describes the fields in this screen. DESCRIPTION Table 28 Network > NAT > Port Forwarding: Edit LABEL Rule Setup Active Service Name Enter a name to identify this port-forwarding rule. Protocol Click this check box to enable the rule. Select the transport layer protocol supported by this virtual server. Choices are TCP, UDP, or ALL. Enter the original destination port for the packets. Start Port To forward only one port, enter the port number again in the End Port field. To forward a series of ports, enter the start port number here and the end port number in the End Port field. Enter the last port of the original destination port range. End Port To forward only one port, enter the port number again in the Start Port field above and then enter it again in this field. To forward a series of ports, enter the last port number in a series that begins with the port number in the Start Port field above. Enter the inside IP address of the server here. 107 Server IP Address IAD Users Guide Chapter 9 Network Address Translation (NAT) Table 28 Network > NAT > Port Forwarding: Edit (continued) LABEL Port Translation Start Port DESCRIPTION Enter the port number here to which you want the IAD to translate the incoming port. For a range of ports, enter the first number of the range to which you want the incoming ports translated. Enter the last port of the translated port range. Click Back to return to the previous screen. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. End Port Back Apply Cancel 9.4 The Address Mapping Screen Note: The Address Mapping screen is available only when you select Full Feature in the NAT > General screen. Ordering your rules is important because the IAD applies the rules in the order that you specify. When a rule matches the current packet, the IAD takes the corresponding action and the remaining rules are ignored. To change your IADs address mapping settings, click Network > NAT >
Address Mapping to open the following screen. Figure 46 Network > NAT > Address Mapping 108 IAD Users Guide Chapter 9 Network Address Translation (NAT) The following table describes the fields in this screen. Table 29 Network > NAT > Address Mapping LABEL
Local Start IP DESCRIPTION This is the rule index number. This is the starting Inside Local IP Address (ILA). Local IP addresses are -
for Server port mapping. This is the end Inside Local IP Address (ILA). If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is - for One-to-one and Server mapping types. This is the starting Inside Global IP Address (IGA). This field is - here if you have a dynamic IP address (0.0.0.0) from your ISP. You can only do this for Many-to-One, one-to-one and Server mapping types. This is the ending Inside Global IP Address (IGA). This field is - for One-
to-one, Many-to-One and Server mapping types. 1-1: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. Local End IP Global Start IP Global End IP Type M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only. M-M Ov (Overload): Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. MM No (No Overload): Many-to-Many No Overload mode maps each local IP address to unique global IP addresses. Modify Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Click the edit icon to go to the screen where you can edit the address mapping rule. Click the delete icon to delete an existing address mapping rule. Note that subsequent address mapping rules move up by one when you take this action. IAD Users Guide 109 Chapter 9 Network Address Translation (NAT) 9.4.1 The Address Mapping Rule Edit Screen To edit an address mapping rule, click the rules edit icon in the Address Mapping screen to display the screen shown next. Figure 47 Network > NAT > Address Mapping: Edit The following table describes the fields in this screen. Table 30 Network > NAT > Address Mapping: Edit LABEL Type DESCRIPTION Choose the port mapping type from one of the following. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. Many-to-Many No Overload: Many-to-Many No Overload mode maps each local IP address to unique global IP addresses. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Local Start IP This is the starting local IP address (ILA). Local IP addresses are N/A for Local End IP Server port mapping. This is the end local IP address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types. This is the starting global IP address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP. Global Start IP Global End IP This is the ending global IP address (IGA). This field is N/A for One-to-
One, Many-to-One and Server mapping types. 110 IAD Users Guide Chapter 9 Network Address Translation (NAT) Table 30 Network > NAT > Address Mapping: Edit (continued) LABEL Server Mapping Set DESCRIPTION Only available when Type is set to Server. Select a number from the drop-down menu to choose a port forwarding set. Click this link to go to the Port Forwarding screen to edit a port forwarding set that you have selected in the Server Mapping Set field. Click Back to return to the previous screen. Click Apply to save your changes to the IAD. Click Cancel to begin configuring this screen afresh. Edit Details Back Apply Cancel 9.5 The ALG Screen Some NAT routers may include a SIP Application Layer Gateway (ALG). A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream. When the IAD registers with the SIP register server, the SIP ALG translates the IADs private IP address inside the SIP data stream to a public IP address. You do not need to use STUN or an outbound proxy if your IAD is behind a SIP ALG. Use this screen to enable and disable the SIP (VoIP) ALG in the IAD. To access this screen, click Network > NAT > ALG. Figure 48 Network > NAT > ALG Each field is described in the following table. Table 31 Network > NAT > ALG LABEL Enable SIP ALG Select this to make sure SIP (VoIP) works correctly with port-
DESCRIPTION Apply Reset forwarding and address-mapping rules. Click this to save your changes and to apply them to the IAD. Click this to return to previously saved configuration. IAD Users Guide 111 Chapter 9 Network Address Translation (NAT) 9.6 NAT Technical Reference This chapter contains more information regarding NAT. 9.6.1 NAT Definitions Inside/outside denotes where a host is located relative to the IAD, for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts. Global/local denotes the IP address of a host in a packet as the packet traverses a router, for example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. The following table summarizes this information. Table 32 NAT Definitions DESCRIPTION ITEM Inside This refers to the host on the LAN. This refers to the host on the WAN. Outside This refers to the packet address (source or destination) as the packet travels Local on the LAN. This refers to the packet address (source or destination) as the packet travels on the WAN. Global NAT never changes the IP address (either local or global) of an outside host. 9.6.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, for example, a web server and a telnet server, on your local network and make them accessible to the 112 IAD Users Guide Chapter 9 Network Address Translation (NAT) outside world. If you do not define any servers (for Many-to-One and Many-to-
Many Overload mapping see Table 33 on page 115), NAT offers the additional benefit of firewall protection. With no servers defined, your IAD filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT). 9.6.3 How NAT Works Each packet has two addresses a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The IAD keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this. Figure 49 How NAT Works LAN 192.168.1.13 192.168.1.12 SA 192.168.1.10 WAN NAT Table Inside Local IP Address 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 Inside Global IP Address IGA 1 IGA 2 IGA 3 IGA 4 SA IGA1 Inside Local Address (ILA) Inside Global Address (IGA) 192.168.1.11 192.168.1.10 IAD Users Guide 113 Chapter 9 Network Address Translation (NAT) 9.6.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs
(logical LANs using IP alias) behind the IAD can communicate with three distinct WAN networks. Figure 50 NAT Application With IP Alias Corporation B LAN2: 192.168.1.X Network Server Admin=192.168.1.1 Corporation A Server in Admin Network
=IP1 (IGA 1) NAT Server 192.168.1.1 LAN2: 192.168.2.X Network Server Sales=192.168.2.1 NAT Server 192.168.2.1 LAN3: 192.168.3.X Network Server R&D=192.168.3.1 NAT Server 192.168.3.1 Server in Sales Network
=IP2 (IGA 2) Server in R&D Network
=IP3 (IGA 3) WAN Addresses: LAN Addresses: (Default IPs) IGA 1 ---------------> 192.168.1.1 IGA 2 ---------------> 192.168.2.1 IGA 3 ---------------> 192.168.3.1 9.6.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are:
One to One: In One-to-One mode, the IAD maps one local IP address to one global IP address. Many to One: In Many-to-One mode, the IAD maps multiple local IP addresses to one global IP address. This is equivalent to SUA (for instance, PAT, port address translation), ZyXELs Single User Account feature that previous ZyXEL routers supported (the SUA Only option in todays routers). 114 IAD Users Guide Chapter 9 Network Address Translation (NAT) Many to Many Overload: In Many-to-Many Overload mode, the IAD maps the multiple local IP addresses to shared global IP addresses. Many-to-Many No Overload: In Many-to-Many No Overload mode, the IAD maps each local IP address to a unique global IP address. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Port numbers do NOT change for One-to-One and Many-to-Many No Overload NAT mapping types. The following table summarizes these types. Table 33 NAT Mapping Types TYPE One-to-One Many-to-One (SUA/PAT) IP MAPPING ILA1 IGA1 ILA1 IGA1 Many-to-Many Overload Many-to-Many No Overload Server ILA2 IGA1 ILA1 IGA1 ILA2 IGA2 ILA3 IGA1 ILA4 IGA2 ILA1 IGA1 ILA2 IGA2 ILA3 IGA3 Server 1 IP IGA1 Server 2 IP IGA1 Server 3 IP IGA1 9.6.6 Port Translation The IAD can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the local network. When you use port forwarding without port translation, a single server on the local network can use a specific port number and be accessible to the outside world through a single WAN IP address. When you use port translation with port forwarding, multiple servers on the local network can use the same port number and still be accessible to the outside world through a single WAN IP address. IAD Users Guide 115 Chapter 9 Network Address Translation (NAT) The following example has two web servers on a LAN. Server A uses IP address 192.168.1.33 and server B uses 192.168.1.34. Both servers use port 80. The letters a.b.c.d represent the WAN ports IP address. The IAD translates port 8080 of traffic received on the WAN port (IP address a.b.c.d) to port 80 and sends it to server A (IP address 192.168.1.33). The IAD also translates port 8100 of traffic received on the WAN port (also IP address a.b.c.d) to port 80, but sends it to server B (IP address 192.168.1.34). Note: In this example, anyone wanting to access server A from the Internet must use port 8080. Anyone wanting to access server B from the Internet must use port 8100. Figure 51 Port Translation Example A=192.168.1.33 HTTP: 80 LAN 192.168.1.1 WAN B=192.168.1.34 HTTP: 80 Port Translation 192.168.1.33: 80 <--------> a.b.c.d: 8080 192.168.1.34: 80 <--------> a.b.c.d: 8100 116 IAD Users Guide CHAPTER 10 Voice 10.1 Introduction This chapter provides background information on VoIP and SIP and explains how to configure your devices voice settings. VoIP is the sending of voice signals over Internet Protocol. This allows you to make phone calls and send faxes over the Internet at a fraction of the cost of using the traditional circuit-switched telephone network. You can also use servers to run telephone service applications like PBX services and voice mail. Internet Telephony Service Provider (ITSP) companies provide VoIP service. Circuit-switched telephone networks require 64 kilobits per second (Kbps) in each direction to handle a telephone call. VoIP can use advanced voice coding techniques with compression to reduce the required bandwidth. 10.1.1 What You Need to Know The following terms and concepts may help as you read through this chapter. SIP The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-
switched telephone networks. SIP Identities A SIP account uses an identity (sometimes referred to as a SIP address). A complete SIP identity is called a SIP URI (Uniform Resource Identifier). A SIP account's URI identifies the SIP account in a way similar to the way an e-mail IAD Users Guide 117 Chapter 10 Voice address identifies an e-mail account. The format of a SIP identity is SIP-
Number@SIP-Service-Domain. SIP Number The SIP number is the part of the SIP URI that comes before the @ symbol. A SIP number can use letters like in an e-mail address (johndoe@your-ITSP.com for example) or numbers like a telephone number (1122334455@VoIP-provider.com for example). SIP Service Domain The SIP service domain of the VoIP service provider is the domain name in a SIP URI. For example, if the SIP address is 1122334455@VoIP-provider.com, then VoIP-provider.com is the SIP service domain. 10.2 SIP Service Provider Use this screen to maintain basic information about each SIP account. Your VoIP service provider (the company that lets you make phone calls over the Internet) should provide this. You can also enable and disable each SIP account. To access this screen, click VoIP > SIP. Figure 52 VoIP > SIP > SIP Service Provider 118 IAD Users Guide Chapter 10 Voice Each field is described in the following table. Table 34 VoIP > SIP > SIP Service Provider LABEL Server Profile Selection DESCRIPTION Enter your SIP service providers name, using up to 256 printable English-keyboard characters. Select this to make use these settings for all SIP phone calls. SIP Service Provider Name Active General SIP Local Port SIP Server Address SIP Server Port REGISTER Server Address REGISTER Server Port SIP Service Domain Enter the IADs listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value. Enter the IP address or domain name of the SIP server provided by your VoIP service provider. You can use up to 32 printable English key-
board characters. It does not matter whether the SIP server is a proxy, redirect or register server. Enter the SIP servers listening port number, if your VoIP service pro-
vider gave you one. Otherwise, keep the default value. Enter the IP address or domain name of the SIP register server, if your VoIP service provider gave you one. Otherwise, enter the same address you entered in the SIP Server Address field. You can use up to 32 printable English keyboard characters. Enter the SIP register servers listening port number, if your VoIP ser-
vice provider gave you one. Otherwise, enter the same port number you entered in the SIP Server Port field. Enter the SIP service domain name. In the full SIP URI, this is the part after the @ symbol. You can use up to 32 printable English keyboard characters. Click this to save your changes. Click this to exit the screen without saving any changes. Apply Cancel Advanced Setup Click this to edit the advanced settings for this SIP account. The Advanced SIP Settings screen appears. IAD Users Guide 119 Chapter 10 Voice 10.2.1 Advanced SIP Settings Use this screen to maintain advanced settings for each SIP account. Click Advanced in VoIP > SIP > SIP Service Provider. The following screen displays. Figure 53 SIP Service Provider > Advanced Each field is described in the following table. Table 35 SIP Service Provider > Advanced LABEL Timer Settings Registration Period DESCRIPTION Register Expires Register Re-
send timer Session Expires Enter the number of seconds allocated for the IAD to register with a SIP service. Enter the number of seconds your SIP account is registered with the SIP register server before the registration is downgraded to inactive and all SIP functions for the account are blocked. The IAD automatically tries to re-register your SIP account when one-half of this time has passed. (The SIP register server might have a different expiration, which takes priority over this setting.) Enter the number of seconds the IAD waits before it tries again to register the SIP account, if the first try failed or if there is no response. Enter the number of seconds the SIP server waits for a keep alive signal from the IAD before disconnecting the call. The keep alive signal is periodically sent from the IAD during a call as long as the connection between it and the server remains constant. If interference happens somewhere along the line, or the connection is unexpectedly terminated, then the SIP server uses this setting as a timer to automatically disconnect the call. 120 IAD Users Guide Chapter 10 Voice Table 35 SIP Service Provider > Advanced (continued) LABEL DESCRIPTION Enter the minimum number of seconds the IAD accepts for a session expiration time when it receives a request to start a SIP session. If the request has a shorter time, the IAD rejects it. Min-SE RTP Port Range Start Port End Port Enter the listening port number(s) for RTP traffic, if your VoIP service provider gave you this information. Otherwise, keep the default values. To enter one port number, enter the port number in the Start Port and End Port fields. To enter a range of ports, enter the port number at the beginning of the range in the Start Port field enter the port number at the end of the range in the End Port field. Dialing Interval Selection Dialing Interval Selection Apply Cancel Basic Select the number of seconds the IAD waits before placing a dialed call. Click this to save your changes. Click this to exit the screen without saving any changes. Click this to return to the basic SIP Settings screen without saving your changes. IAD Users Guide 121 Chapter 10 Voice 10.3 SIP Account Use this screen to set up your basic SIP account information. Click VoIP > SIP >
SIP Account to display this screen. Figure 54 VoIP > SIP > SIP Account Each field is described in the following table. Table 36 VoIP > SIP > SIP Account LABEL SIP Account Selection DESCRIPTION SIP Account Select the SIP account you want to see in this screen. If you change this field, the screen automatically refreshes. General Active SIP Account Number Authentication User Name Password Apply Cancel Advanced Select this if you want the IAD to use this account. Clear it if you do not want the IAD to use this account. Enter your SIP number. In the full SIP URI, this is the part before the @
symbol. You can use up to 50 printable English keyboard characters. Enter the user name for registering this SIP account, exactly as it was given to you. You can use up to 20 printable English keyboard charac-
ters. Enter the user name for registering this SIP account, exactly as it was given to you. You can use up to 20 printable English keyboard charac-
ters. Click this to save your changes. Click this to exit the screen without saving any changes. Click this to edit the advanced settings for this SIP account. The Advanced SIP Account Settings screen appears. 122 IAD Users Guide Chapter 10 Voice 10.3.1 Advanced Account Settings Use this screen to maintain advanced settings for each SIP account. Click Advanced in VoIP > SIP > SIP Account. The following screen displays. Figure 55 SIP Account > Advanced IAD Users Guide 123 Chapter 10 Voice Each field is described in the following table. Table 37 SIP Account > Advanced LABEL DESCRIPTION Voice Feature Primary Compression Type Secondary Compression Type Third Compression Type Active G.168
(Echo Cancellation) Active VAD Call Feature Active Call Transfer Active Call Waiting Call Waiting Reject Timer Select the type of voice coder/decoder (codec) that you want the IAD to use. G.711 provides high voice quality but requires more bandwidth
(64 kbps). G.711A is typically used in Europe. G.711u is typically used in North America and Japan. G.729 operates at 8 kbps and is often the codec of choice for VoIP because of its low bandwidth requirements. The IAD must use the same codec as the peer. When two SIP devices start a SIP session, they must agree on a codec. Select the IADs second choice for voice coder/decoder. Select the IADs third choice for voice coder/decoder. Select this if you want to eliminate the echo caused by the sound of your voice reverberating in the telephone receiver while you talk. Select this if the IAD should transmit smaller packets when you are not speaking. This reduces the bandwidth used. Call features are described in detail in Chapter 11 on page 129. Select this to enable the call transfer feature. Select this to enable the call waiting feature. Enter the number of seconds for call waiting to stay engaged before disconnecting the caller. Select this, then enter a phone number to which incoming calls are forwarded. Active Unconditional Forward Active Busy Forward Select this, then enter a phone number to which calls are Active No Answer Forward No Answer Ring Count Active Do Not Disturb Apply Cancel Basic forwarded when your phone is off the hook. Select this, then enter a phone number to which calls are forwarded when the phone is not answered. Enter the number of rings the IAD waits before forwarding unanswered calls. Select this to enable the DND feature. Click this to save your changes. Click this to exit the screen without saving any changes. Click this to return to the basic SIP Account screen without saving your changes. 124 IAD Users Guide Chapter 10 Voice 10.4 Analog Phone Use this screen to link the IADs analog phone ports with one or more SIP accounts to handle outgoing and incoming calls. Click VoIP > Phone. The following screen displays. Figure 56 Phone > Analog Phone Each field is described in the following table. Table 38 Phone > Analog Phone LABEL Phone Port Selection DESCRIPTION Phone Port Selection SIP Account to Make Outgoing Call SIP Account Association SIP Number SIP Account(s) to Receive Incoming Calls SIP Account SIP Number SIP Account Status Apply Cancel Select a phone port to configure on this screen. Select a SIP account for all outgoing calls on this port to use. Indicates the SIP number associated with this account. Click it to open the SIP Account screen, where you can enter a new number. This indicates the SIP account. This indicates the SIP accounts number. You can click it to open the SIP Account screen, where you can change it. This indicates whether the account is active or not. Click it to open the SIP Account screen, where you can change the status. Click this to save your changes. Click this to exit the screen without saving any changes. IAD Users Guide 125 Chapter 10 Voice 10.5 Speed Dial Speed dial provides shortcuts for dialing frequently used (VoIP) phone numbers. You also have to create speed-dial entries if you want to make peer-to-peer calls or call SIP numbers that contain letters. Once you have configured a speed dial rule, you can use a shortcut (the speed dial number, #01 for example) on your phone's keypad to call the phone number. Use this screen to add, edit, or remove speed-dial numbers for outgoing calls. To access this screen, click VoIP > Phone Book > Speed Dial. Figure 57 Phone Book > Speed Dial Each field is described in the following table. Table 39 Phone Book > Speed Dial LABEL Speed Dial
Number DESCRIPTION Use this section to create or edit speed-dial entries. Select the speed-dial number you want to use for this phone number. Enter the SIP number you want the IAD to call when you dial the speed-
dial number. Enter a description for this speed dial number. You can use up to 127 alphanumeric characters. Click this to use the information in the Speed Dial section to update the Speed Dial Phone Book section. Use this section to look at all the speed-dial entries and to erase them. Description Add Speed Dial Phone Book 126 IAD Users Guide Chapter 10 Voice Table 39 Phone Book > Speed Dial (continued) LABEL
DESCRIPTION This field displays the speed-dial number you should dial to use this entry. This field displays the SIP number the IAD calls when you dial the speed-dial number. This field is blank, if the speed-dial entry uses one of your SIP accounts. Otherwise, this field shows the IP address or domain name of the SIP server or other party. (This field corresponds with the Type field in the Speed Dial section.) Use this field to edit or erase the speed-dial entry. Click the Edit icon to copy the information for this speed-dial entry into the Speed Dial section, where you can change it. Click the Remove icon to erase this speed-dial entry. Click this to erase all the speed-dial entries. Click this to set every field in this screen to its last-saved value. Number Destination Modify Clear Cancel IAD Users Guide 127 Chapter 10 Voice 128 IAD Users Guide CHAPTER 11 Phone Usage 11.1 Overview This chapter describes how to use a phone connected to your IAD for basic tasks. Note: Not all service providers support all features. 11.2 Dialing a Telephone Number The PHONE LED turns green when your SIP account is registered. Dial a SIP number like 12345 on your phones keypad. Use speed dial entries (see Section 10.5 on page 126) for peer-to-peer calls or SIP numbers that use letters. Dial the speed dial entry on your telephones keypad. Use your VoIP service providers dialing plan to call regular telephone numbers. 11.3 Using Speed Dial After configuring the speed dial entry and adding it to the phonebook, press the speed dial entrys key combination on your phones keypad. 11.4 Using Call Park and Pickup Do the following to put a call on hold on one phone and continue it on another
(connected to the IAD). This feature may not be supported by all service providers. 1 During the call, press *97# and then any number (up to 8 digits long). You need to remember this number in order to pick up the call on another phone. Hang up the receiver. IAD Users Guide 129 Chapter 11 Phone Usage 2 Pick up another phones receiver. Press #97# followed by the same number you entered before to continue the call. 11.5 Checking the IADs IP Address Do the following to listen to the IADs current IP address. 1 2 3 4 Pick up your phones receiver. Press **** on your phones keypad and wait for the message that says you are in the configuration menu. Press 5 followed by the # key. Listen to the IP address and make a note of it. 5 Hang up the receiver. 11.6 Auto Provisioning and Auto Firmware Upgrade If your service provider uses an auto-provisioning server to set up your device, you must first authenticate your IAD with the auto provisioning server, allowing you to use the service. On a phone connected to the device, enter *99**, your SIP number, *, then
#. For example, if your SIP number is 0123456, you would enter
*99**0123456#. During auto-provisioning, the IAD checks to see if there is a newer firmware version (if your service provider activates this feature). If newer firmware is available, the IAD plays a recording when you pick up your phones handset. Press *99# to upgrade the IADs firmware. Press #99# to not upgrade the IADs firmware. 130 IAD Users Guide Chapter 11 Phone Usage 11.7 Phone Services Overview Supplementary services such as call hold, call waiting, call transfer, etc. are generally available from your VoIP service provider. The IAD supports the following services:
Call Hold Call Waiting Making a Second Call Call Transfer Call Forwarding Three-Way Conference Internal Calls Call Park and Pickup Do not Disturb Note: To take full advantage of the supplementary phone services available through the IAD's phone port, you may need to subscribe to the services from your VoIP service provider. 11.7.1 The Flash Key Flashing means to press the hook for a short period of time (a few hundred milliseconds) before releasing it. On newer telephones, there should be a "flash"
key (button) that generates the signal electronically. If the flash key is not available, you can tap (press and immediately release) the hook by hand to achieve the same effect. However, using the flash key is preferred since the timing is much more precise. With manual tapping, if the duration is too long, it may be interpreted as hanging up by the IAD. You can invoke all the supplementary services by using the flash key. 11.7.2 Europe Type Supplementary Phone Services This section describes how to use supplementary phone services with the Europe Type Call Service Mode. Commands for supplementary services are listed in the table below. IAD Users Guide 131 Chapter 11 Phone Usage After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires or issue an invalid sub-
command, the current operation will be aborted. Table 40 European Flash Key Commands COMMAND SUB-
DESCRIPTION COMMAND Flash Flash Flash Flash 0 1 2 Flash Flash 3
*98#
11.7.2.1 European Call Hold Put a current call on hold to place a second call. Switch back to the call (if there is no second call). Drop the call presently on hold or reject an incoming call which is waiting for answer. Disconnect the current phone connection and answer the incoming call or resume with caller presently on hold. 1. Switch back and forth between two calls. 2. Put a current call on hold to answer an incoming call. 3. Separate the current three-way conference call into two individual calls (one is on-line, the other is on hold). Create three-way conference connection. Transfer the call to another phone. Call hold allows you to put a call (A) on hold by pressing the flash key. If you have another call, press the flash key and then 2 to switch back and forth between caller A and B by putting either one on hold. Press the flash key and then 0 to disconnect the call presently on hold and keep the current call on line. Press the flash key and then 1 to disconnect the current call and resume the call on hold. If you hang up the phone but a caller is still on hold, there will be a remind ring. 11.7.2.2 European Call Waiting This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number. If there is a second call to a telephone number, you will hear a call waiting tone. Take one of the following actions. Reject the second call. Press the flash key and then press 0. 132 IAD Users Guide Chapter 11 Phone Usage Disconnect the first call and answer the second call. Either press the flash key and press 1, or just hang up the phone and then answer the phone after it rings. Put the first call on hold and answer the second call. Press the flash key and then 2. 11.7.2.3 European Call Transfer Do the following to transfer an incoming call (that you have answered) to another phone. 1 Press the flash key to put the caller on hold. 2 When you hear the dial tone, dial *98# followed by the number to which you want to transfer the call. to operate the Intercom. 3 After you hear the ring signal or the second party answers it, hang up the phone. 11.7.2.4 European Three-Way Conference Use the following steps to make three-way conference calls. 1 When you are on the phone talking to someone, press the flash key to put the caller on hold and get a dial tone. 2 Dial a phone number directly to make another call. 3 When the second call is answered, press the flash key and press 3 to create a three-way conversation. 4 Hang up the phone to drop the connection. 5 If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key and press 2. 11.7.3 USA Type Supplementary Services This section describes how to use supplementary phone services with the USA Type Call Service Mode. Commands for supplementary services are listed in the table below. IAD Users Guide 133 Chapter 11 Phone Usage After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires or issue an invalid sub-
command, the current operation will be aborted. Table 41 USA Flash Key Commands COMMAND SUB-
DESCRIPTION COMMAND Flash Flash
*98#
11.7.3.1 USA Call Hold Put a current call on hold to place a second call. After the second call is successful, press the flash key again to have a three-way conference call. Put a current call on hold to answer an incoming call. Transfer the call to another phone. Call hold allows you to put a call (A) on hold by pressing the flash key. If you have another call, press the flash key to switch back and forth between caller A and B by putting either one on hold. If you hang up the phone but a caller is still on hold, there will be a remind ring. 11.7.3.2 USA Call Waiting This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number. If there is a second call to your telephone number, you will hear a call waiting tone. Press the flash key to put the first call on hold and answer the second call. 11.7.3.3 USA Call Transfer Do the following to transfer an incoming call (that you have answered) to another phone. 1 Press the flash key to put the caller on hold. 2 When you hear the dial tone, dial *98# followed by the number to which you want to transfer the call. to operate the Intercom. 3 After you hear the ring signal or the second party answers it, hang up the phone. 134 IAD Users Guide 11.7.3.4 USA Three-Way Conference Use the following steps to make three-way conference calls. Chapter 11 Phone Usage 1 When you are on the phone talking to someone (party A), press the flash key to put the caller on hold and get a dial tone. 2 Dial a phone number directly to make another call (to party B). 3 When party B answers the second call, press the flash key to create a three-way conversation. 4 Hang up the phone to drop the connection. 5 6 7 If you want to separate the activated three-way conference into two individual connections (with party A on-line and party B on hold), press the flash key. If you want to go back to the three-way conversation, press the flash key again. If you want to separate the activated three-way conference into two individual connections again, press the flash key. This time the party B is on-line and party A is on hold. 11.8 Phone Functions Summary The following table shows the key combinations you can enter on your phones keypad to use certain features. FUNCTION Table 42 Phone Functions Summary ACTI ON
*99# Enable firmware update
#99# Disable firmware update DESCRIPTION
*98# Call transfer
*97# Call park
#97# Call pickup
*66# Call return
*95# Enable Do Not Disturb
#95# Disable Do Not Disturb Use these to upload or not upload new firmware to the IAD, if requested by your service provider. See Section 11.6 on page 130. Transfer a call to another phone. See Section 11.7.2 on page 131 (Europe type) and Section 11.7.3 on page 133 (USA type). Use these to place a call on hold on one phone and then continue it on another (if supported by your service provider). See Chapter 23 on page 231. Place a call to the last person who called you. See Chapter 23 on page 231. Use these to set your phone not to ring when someone calls you, or to turn this function off. Chapter 23 on page 231 IAD Users Guide 135 Chapter 11 Phone Usage FUNCTION Table 42 Phone Functions Summary ACTI ON
*41# Enable call waiting
#41# Disable call waiting DESCRIPTION
*21# Enable call forward
#21# Disable call forward
*22* Uncondition forward
*23* No answer forward
*24* Busy forward Use these to allow you to put a call on hold while answering another, or to turn this function off. See Section 11.7.2 on page 131 (Europe type) and Section 11.7.3 on page 133 (USA type). Use these to allow you to use the call forwarding tables you set in the IAD, or to turn this function off. Forward all incoming calls. Forward incoming calls if you do not answer. Forward calls if you are already making a call. 136 IAD Users Guide CHAPTER 12 Firewalls 12.1 Overview Use these screens to enable and configure the firewall that protects your IAD and your LAN from unwanted or malicious traffic. Enable the firewall to protect your LAN computers from attacks by hackers on the Internet and control access between the LAN and WAN. By default the firewall:
allows traffic that originates from your LAN computers to go to all of the networks. blocks traffic that originates on the other networks from going to the LAN. The following figure illustrates the default firewall action. User A can initiate an IM
(Instant Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However other traffic initiated from the WAN is blocked
(3 and 4). Figure 58 Default Firewall Action LAN WAN A 1 2 3 4 See Section 12.1.3 on page 140 for an example of setting up a firewall. See Section 12.5 on page 154 for advanced technical information on firewall. IAD Users Guide 137 Chapter 12 Firewalls 12.1.1 What You Can Do in this Chapter Use the General screen (Section 12.2 on page 143) to enable firewall and/or triangle route on the IAD, and set the default action that the firewall takes on packets that do not match any of the firewall rules. Use the Rules screen (Section 12.3 on page 145) to view the configured firewall rules and add, edit or remove a firewall rule. Use the Threshold screen (Section 12.4 on page 151) to set the thresholds that the IAD uses to determine when to start dropping sessions that do not become fully established (half-open sessions). 12.1.2 What You Need to Know Firewall The networking term firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network. The IAD firewall is a stateful inspection firewall and restricts access by screening data packets against defined access rules. The IAD physically separates the LAN and the WAN and acts as a secure gateway for all data passing between the networks. The IAD protects against Denial of Service (DoS) attacks, prevents theft, destruction and modification of data, and logs events. Firewall Rules Your customized rules take precedence and override the IADs default settings. The IAD checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the IAD takes the action specified in the rule. Firewall rules are grouped based on the direction of travel of packets to which they apply:
LAN to LAN/ Router LAN to WAN WAN to LAN WAN to WAN/ Router Note: The LAN includes both the LAN port and the WLAN. By default, the IADs stateful packet inspection allows packets traveling in the following directions:
138 IAD Users Guide Chapter 12 Firewalls LAN to LAN/ Router These rules specify which computers on the LAN can manage the IAD (remote management) and communicate between networks or subnets connected to the LAN interface (IP alias). Note: You can also configure the remote management settings to allow only a specific computer to manage the IAD. LAN to WAN These rules specify which computers on the LAN can access which computers or services on the WAN. By default, the IADs stateful packet inspection drops packets traveling in the following directions:
WAN to LAN These rules specify which computers on the WAN can access which computers or services on the LAN. Note: You also need to configure NAT port forwarding (or full featured NAT address mapping rules) to allow computers on the WAN to access devices on the LAN. WAN to WAN/ Router By default the IAD stops computers on the WAN from managing the IAD or using the IAD as a gateway to communicate with other computers on the WAN. You could configure one of these rules to allow a WAN computer to manage the IAD. Note: You also need to configure the remote management settings to allow a WAN computer to manage the IAD. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so. For example, you may create rules to:
Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet. Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN. Allow everyone except your competitors to access a web server. Restrict use of certain protocols, such as Telnet, to authorized users on the LAN. These custom rules work by comparing the source IP address, destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the IADs default rules. IAD Users Guide 139 Chapter 12 Firewalls 12.1.3 Firewall Rule Setup Example The following Internet firewall rule example allows a Doom connection from the Internet. 1 Click Security > Firewall > Rules. 2 Select WAN to LAN in the Packet Direction field. 3 Select the index number after that you want to add the rule. For example, if you select 6, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8. 4 Click Add to display the firewall rule configuration screen. Figure 59 Firewall Example: Rules 5 In the Edit Rule screen, click the Edit Customized Services link to open the Customized Service screen. 140 IAD Users Guide 6 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply. Figure 60 Edit Custom Port Example Chapter 12 Firewalls 7 Select Any in the Destination Address List box and then click Delete. 8 Configure the destination address screen as follows and click Add. Figure 61 Firewall Example: Edit Rule: Destination Address 9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done. IAD Users Guide 141 Chapter 12 Firewalls Note: Custom services show up with an * before their names in the Services list box and the Rules list box. Figure 62 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following. 142 IAD Users Guide Chapter 12 Firewalls Rule 1 allows a Doom connection from the WAN to IP addresses 10.1.1.10 through 10.1.1.15 on the LAN. Figure 63 Firewall Example: Rules: MyService 12.2 The Firewall General Screen Click Security > Firewall to display the following screen. Activate the firewall by selecting the Active Firewall check box as seen in the following screen. Figure 64 Security > Firewall > General IAD Users Guide 143 Chapter 12 Firewalls The following table describes the labels in this screen. Table 43 Security > Firewall > General LABEL Active Firewall DESCRIPTION Select this check box to activate the firewall. The IAD performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. If an alternate gateway on the LAN has an IP address in the same subnet as the IADs LAN IP address, return traffic may not go through the IAD. This is called an asymmetrical or triangle route. This causes the IAD to reset the connection, as the connection has not been acknowledged. Bypass Triangle Route Select this check box to have the IAD permit the use of asymmetrical route topology on the network (not reset the connection). Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the IAD. A better solution is to use IP alias to put the IAD and the backup gateway on separate subnets. See Section 12.5.3.1 on page 155 for an example. Packet Direction This is the direction of travel of packets (LAN to LAN / Router, LAN to WAN, WAN to WAN / Router, WAN to LAN). Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, LAN to LAN / Router means packets traveling from a computer/subnet on the LAN to either another computer/subnet on the LAN interface of the IAD or the IAD itself. Use the drop-down list boxes to select the default action that the firewall is to take on packets that are traveling in the selected direction and do not match any of the firewall rules. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender. Select Permit to allow the passage of the packets. Select the check box to create a log (when the above action is taken) for packets that are traveling in the selected direction and do not match any of your customized rules. Click this button to display more information. Click this button to display less information. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. Default Action Log Expand... Basic... Apply Cancel 144 IAD Users Guide 12.3 The Firewall Rules Screen Chapter 12 Firewalls Note: The ordering of your rules is very important as rules are applied in turn. Refer to Section 12.5 on page 154 for more information. Click Security > Firewall > Rules to bring up the following screen. This screen displays a list of the configured firewall rules. Note the order in which the rules are listed. Figure 65 Security > Firewall > Rules The following table describes the labels in this screen. Table 44 Security > Firewall > Rules LABEL Firewall Rules Storage Space in Use DESCRIPTION This read-only bar shows how much of the IAD's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. Use the drop-down list box to select a direction of travel of packets for which you want to configure firewall rules. Select an index number and click Add to add a new firewall rule after the selected index number. For example, if you select 6, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8. The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings in the General screen. This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. This field displays whether a firewall is turned on or not. Select the check box to enable the rule. Clear the check box to disable the rule. Packet Direction Create a new rule after rule number
Active IAD Users Guide 145 Chapter 12 Firewalls Table 44 Security > Firewall > Rules (continued) LABEL Source IP DESCRIPTION This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any. Destination IP This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any. This drop-down list box displays the services to which this firewall rule applies. See Appendix F on page 313 for more information. This field displays whether the firewall silently discards packets (Drop), discards packets and sends a TCP reset packet or an ICMP destination-
unreachable message to the sender (Reject) or allows the passage of packets (Permit). This field tells you whether a schedule is specified (Yes) or not (No). This field shows you whether a log is created when packets match this rule (Yes) or not (No). Click the Edit icon to go to the screen where you can edit the rule. Click the Remove icon to delete an existing firewall rule. A window displays asking you to confirm that you want to delete the firewall rule. Note that subsequent firewall rules move up by one when you take this action. Click the Move icon to display the Move the rule to field. Type a number in the Move the rule to field and click the Move button to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. Service Action Schedule Log Modify Order Apply Cancel 12.3.1 Configuring Firewall Rules Refer to Section 12.1.2 on page 138 for more information. 146 IAD Users Guide Chapter 12 Firewalls In the Rules screen, select an index number and click Add or click a rules Edit icon to display this screen and refer to the following table for information on the labels. Figure 66 Security > Firewall > Rules: Edit IAD Users Guide 147 Chapter 12 Firewalls The following table describes the labels in this screen. Table 45 Security > Firewall > Rules: Edit LABEL Active Action for Matched Packet DESCRIPTION Select this option to enable this firewall rule. Use the drop-down list box to select whether to discard (Drop), deny and send an ICMP destination-unreachable message to the sender of
(Reject) or allow the passage of (Permit) packets that match this rule. Source/
Destination Address Address Type Start IP Address End IP Address Subnet Mask Add >>
Edit <<
Delete Services Available/
Selected Services Edit Customized Service Schedule Day to Apply Time of Day to Apply (24-Hour Format) Log Log Packet Detail Information Alert Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for instance, 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address. Enter the single IP address or the starting IP address in a range here. Enter the ending IP address in a range here. Enter the subnet mask here, if applicable. Click Add >> to add a new address to the Source or Destination Address box. You can add multiple addresses, ranges of addresses, and/or subnets. To edit an existing source or destination address, select it from the box and click Edit <<. Highlight an existing source or destination address from the Source or Destination Address box above and click Delete to remove it. Please see Appendix F on page 313 for more information on services available. Highlight a service from the Available Services box on the left, then click Add >> to add it to the Selected Services box on the right. To remove a service, highlight it in the Selected Services box on the right, then click Remove. Custom services are prefixed with an asterisk. Click the Edit Customized Services link to bring up the screen that you use to configure a new custom service that is not in the predefined list of services. Select everyday or the day(s) of the week to apply the rule. Select All Day or enter the start and end times in the hour-minute format to apply the rule. This field determines if a log for packets that match the rule is created or not. Go to the Log Settings page and select the Access Control logs category to have the IAD record these logs. 148 IAD Users Guide Chapter 12 Firewalls DESCRIPTION Select the check box to have the IAD generate an alert when the rule is matched. Table 45 Security > Firewall > Rules: Edit (continued) LABEL Send Alert Message to Administrator When Matched Back Apply Cancel Click Back to return to the previous screen. Click Apply to save your customized settings and exit this screen. Click Cancel to exit this screen without saving. 12.3.2 Customized Services Configure customized services and port numbers not predefined by the IAD. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. See Appendix F on page 313 for some examples. Click the Edit Customized Services link while editing a firewall rule to configure a custom service port. This displays the following screen. Figure 67 Security > Firewall > Rules: Edit: Edit Customized Services The following table describes the labels in this screen. Table 46 Security > Firewall > Rules: Edit: Edit Customized Services LABEL No. DESCRIPTION This is the number of your customized port. Click a rules number of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service. This is the name of your customized service. Name IAD Users Guide 149 Chapter 12 Firewalls Table 46 Security > Firewall > Rules: Edit: Edit Customized Services LABEL Protocol DESCRIPTION This shows the IP protocol (TCP, UDP or TCP/UDP) that defines your customized service. This is the port number or range that defines your customized service. Click Back to return to the Firewall Edit Rule screen. Port Back 12.3.3 Configuring A Customized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen. Figure 68 Security > Firewall > Rules: Edit: Edit Customized Services: Config The following table describes the labels in this screen. Table 47 Security > Firewall > Rules: Edit: Edit Customized Services: Config LABEL Service Name Service Type Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized DESCRIPTION Type a unique name for your custom port. port from the drop down list box. Port Configuration Type Click Single to specify one port only or Range to specify a span of ports that define your customized service. Type a single port number or the range of port numbers that define your customized service. Click Back to return to the previous screen. Click Apply to save your customized settings and exit this screen. Click Cancel to return to the previously saved settings. Click Delete to delete the current rule. Port Number Back Apply Cancel Delete 150 IAD Users Guide 12.4 The Firewall Threshold Screen Chapter 12 Firewalls For DoS attacks, the IAD uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions. For TCP, half-open means that the session has not reached the established state-
the TCP three-way handshake has not yet been completed. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK
(acknowledgment). After this handshake, a connection is established. Figure 69 Three-Way Handshake For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DOS attack. 12.4.1 Threshold Values If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the IAD has been receiving DoS attacks that are not recorded in the logs or the logs show that the IAD is classifying normal traffic as DoS attacks. Factors influencing choices for threshold values are:
1 2 3 The maximum number of opened sessions. The minimum capacity of server backlog in your LAN network. The CPU power of servers in your LAN network. 4 Network bandwidth. IAD Users Guide 151 Chapter 12 Firewalls 5 Type of traffic for certain servers. Reduce the threshold values if your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy). If you often use P2P applications such as file sharing with eMule or eDonkey, its recommended that you increase the threshold values since lots of sessions will be established during a small period of time and the IAD may classify them as DoS attacks. 12.4.2 Configuring Firewall Thresholds The IAD also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click Firewall > Threshold to bring up the next screen. Figure 70 Security > Firewall > Threshold The following table describes the labels in this screen. Table 48 Security > Firewall > Threshold LABEL Denial of Service Thresholds DESCRIPTION The IAD measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. One Minute Low This is the rate of new half-open sessions per minute that causes the firewall to stop deleting half-open sessions. The IAD continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number. 152 IAD Users Guide Table 48 Security > Firewall > Threshold (continued) LABEL One Minute High This is the rate of new half-open sessions per minute that causes the DESCRIPTION Chapter 12 Firewalls firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the IAD deletes half-
open sessions as required to accommodate new connection attempts. For example, if you set the one minute high to 100, the IAD starts deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute. It stops deleting half-
open sessions when the number of session establishment attempts detected in a minute goes below the number set as the one minute low. This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The IAD continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number. This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the IAD deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number. For example, if you set the maximum incomplete high to 100, the IAD starts deleting half-open sessions when the number of existing half-
open sessions rises above 100. It stops deleting half-open sessions when the number of existing half-open sessions drops below the number set as the maximum incomplete low. An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host. Specify the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth. The IAD sends alerts whenever the TCP Maximum Incomplete is exceeded. Select the action that IAD should take when the TCP maximum incomplete threshold is reached. You can have the IAD either:
Delete the oldest half open session when a new connection request comes. or Deny new connection requests for the number of minutes that you specify (between 1 and 255). Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. Maximum Incomplete Low Maximum Incomplete High TCP Maximum Incomplete Action taken when TCP Maximum Incomplete reached threshold Apply Cancel IAD Users Guide 153 Chapter 12 Firewalls 12.5 Technical Reference This section provides some technical background information about the topics covered in this chapter. 12.5.1 Guidelines For Enhancing Security With Your Firewall 1 Change the default password via web configurator. 2 3 Think about access control before you connect to the network in any way. Limit who can access your router. 4 Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network. 5 6 For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. Protect against IP spoofing by making sure the firewall is active. 7 Keep the firewall in a secured (locked) room. 12.5.2 Security Considerations Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the IAD and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramifications before creating a rule:
1 Does this rule stop LAN users from accessing critical resources on the Internet?
For example, if IRC is blocked, are there users that require this service?
2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers. 154 IAD Users Guide 4 Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the web configurator screens. Chapter 12 Firewalls 12.5.3 Triangle Route When the firewall is on, your IAD acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the IAD to protect your LAN against attacks. Figure 71 Ideal Firewall Setup LAN 1 2 WAN 12.5.3.1 The Triangle Route Problem A traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one connection to the Internet
(through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the IADs LAN IP address), the triangle route
(also called asymmetrical route) problem may occur. The steps below describe the triangle route problem. 1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN. 2 3 The IAD reroutes the SYN packet through Gateway A on the LAN to the WAN. The reply from the WAN goes directly to the computer on the LAN without going through the IAD. IAD Users Guide 155 Chapter 12 Firewalls As a result, the IAD resets the connection, as the connection has not been acknowledged. Figure 72 Triangle Route Problem LAN 1 3 2 WAN ISP 1 ISP 2 12.5.3.2 Solving the Triangle Route Problem A If you have the IAD allow triangle route sessions, traffic from the WAN can go directly to a LAN computer without passing through the IAD and its firewall protection. Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your IAD supports up to three logical LAN interfaces with the IAD being the gateway for each logical network. Its like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the IAD to your LAN. The following steps describe such a scenario. 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN. 2 3 The IAD reroutes the packet to Gateway A, which is in Subnet 2. The reply from the WAN goes to the IAD. 156 IAD Users Guide 4 The IAD then sends it to the computer on the LAN in Subnet 1. Figure 73 IP Alias Chapter 12 Firewalls LAN Subnet 1 1 4 2 3 A Subnet 2 WAN ISP 1 ISP 2 IAD Users Guide 157 Chapter 12 Firewalls 158 IAD Users Guide CHAPTER 13 Static Route 13.1 Overview The IAD usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the IAD send data to devices not reachable through the default gateway, use static routes. For example, the next figure shows a computer (A) connected to the IADs LAN interface. The IAD routes most traffic from A to the Internet through the IADs default gateway (R1). You create one static route to connect to services offered by your ISP behind router R2. You create another static route to communicate with a separate network behind a router R3 connected to the LAN. Figure 74 Example of Static Routing Topology A R3 LAN WAN R1 R2 13.1.1 What You Can Do in this Chapter The Static Route screens let you view and configure IP static routes on the IAD
(Section 13.2 on page 160). IAD Users Guide 159 Chapter 13 Static Route 13.2 The Static Route Screen Click Advanced > Static Route to open the Static Route screen. Figure 75 Static Route The following table describes the labels in this screen. Table 49 Static Route LABEL
Active DESCRIPTION This is the number of an individual static route. This field indicates whether the rule is active or not. Name Destination Netmask Gateway Modify Apply Cancel Clear the check box to disable the rule. Select the check box to enable it. This is the name that describes or identifies this route. This parameter specifies the IP network address of the final destination. Routing is always based on network number. This parameter specifies the IP network subnet mask of the final destination. This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. Click the Edit icon to go to the screen where you can set up a static route on the IAD. Click the Remove icon to remove a static route from the IAD. A window displays asking you to confirm that you want to delete the route. Click this to apply your changes to the IAD. Click this to return to the previously saved configuration. 160 IAD Users Guide Chapter 13 Static Route 13.2.1 Static Route Edit Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 76 Static Route Edit The following table describes the labels in this screen. Table 50 Static Route Edit LABEL Active Route Name DESCRIPTION This field allows you to activate/deactivate this static route. Enter the name of the IP static route. Leave this field blank to delete this static route. This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID. Enter the IP subnet mask here. Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations. Click Back to return to the previous screen without saving. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. Destination IP Address IP Subnet Mask Gateway IP Address Back Apply Cancel IAD Users Guide 161 Chapter 13 Static Route 162 IAD Users Guide CHAPTER 14 Quality of Service (QoS) 14.1 Overview Quality of Service (QoS) refers to both a networks ability to deliver data with minimum delay, and the networking methods used to control the use of bandwidth. Without QoS, all traffic data is equally likely to be dropped when the network is congested. This can cause a reduction in network performance and make the network inadequate for time-critical application such as video-on-
demand. Configure QoS on the IAD to group and prioritize application traffic and fine-tune network performance. Setting up QoS involves these steps:
1 Configure classifiers to sort traffic into different flows. 2 Assign priority and define actions to be performed for a classified traffic flow. The IAD assigns each packet a priority and then queues the packet accordingly. Packets assigned a high priority are processed more quickly than those with low priority if there is congestion, allowing time-sensitive applications to flow more smoothly. Time-sensitive applications include both those that require a low level of latency (delay) and a low level of jitter (variations in delay) such as Voice over IP
(VoIP) or Internet gaming, and those for which jitter alone is a problem such as Internet radio or streaming video. 14.1.1 What You Can Do in this Chapter The General screen lets you lets you enable or disable QoS and set the upstream bandwidth (Section 14.2 on page 164). The Class Setup screen lets you add, edit or delete QoS classifiers (Section 14.3 on page 166). The Monitor screen lets you view the IAD's QoS-related packet statistics
(Section 14.4 on page 175). IAD Users Guide 163 Chapter 14 Quality of Service (QoS) 14.1.2 What You Need to Know The following terms and concepts may help as you read through this chapter. QoS versus Cos QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types. CoS technologies include IEEE 802.1p layer 2 tagging and DiffServ (Differentiated Services or DS). IEEE 802.1p tagging makes use of three bits in the packet header, while DiffServ is a new protocol and defines a new DS field, which replaces the eight-bit ToS (Type of Service) field in the IP header. Tagging and Marking In a QoS class, you can configure whether to add or change the DSCP (DiffServ Code Point) value, IEEE 802.1p priority level and VLAN ID number in a matched packet. When the packet passes through a compatible network, the networking device, such as a backbone switch, can provide specific treatment or service based on the tag or marker. 14.2 The QoS General Screen Click Advanced > QoS to open the screen as shown next. 164 IAD Users Guide Chapter 14 Quality of Service (QoS) Use this screen to enable or disable QoS, and select to have the IAD automatically assign priority to traffic according to the IEEE 802.1p priority level, IP precedence and/or packet length. See Section 14.1 on page 163 for more information. Figure 77 QoS > General The following table describes the labels in this screen. Table 51 QoS > General DESCRIPTION LABEL Active QoS Select the check box to turn on QoS to improve your network performance. WAN Managed Bandwidth You can give priority to traffic that the IAD forwards out through the WAN interface. Give high priority to voice and video to make them run more smoothly. Similarly, give low priority to many large file downloads so that they do not reduce the quality of other applications. Enter the amount of bandwidth for the WAN interface that you want to allocate using QoS. The recommendation is to set this speed to match the interfaces actual transmission speed. For example, set the WAN interface speed to 100000 kbps if your Internet connection has an upstream transmission speed of 100 Mbps. You can set this number higher than the interfaces actual transmission speed. This will stop lower priority traffic from being sent if higher priority traffic uses all of the actual bandwidth. You can also set this number lower than the interfaces actual transmission speed. This will cause the IAD to not use some of the interfaces available bandwidth. IAD Users Guide 165 Chapter 14 Quality of Service (QoS) Table 51 QoS > General LABEL DESCRIPTION These fields are ignored if traffic matches a class you configured in the Traffic Class Setup screen. priority will be automatical ly assigned by If you select ON and traffic does not match a class configured in the Class Setup screen, the IAD assigns priority to unmatched traffic based on the IEEE 802.1p priority level, IP precedence and/or packet length. See Section 14.5.4 on page 177 for more information. If you select OFF, traffic which does not match a class is mapped to queue two. Click Apply to save your settings back to the IAD. Click Cancel to begin configuring this screen afresh. Apply Cancel 14.3 The Class Setup Screen Use this screen to add, edit or delete classifiers. A classifier groups traffic into data flows according to specific criteria such as the source address, destination address, source port number, destination port number or incoming interface. For example, you can configure a classifier to select traffic from the same protocol port (such as Telnet) to form a flow. 166 IAD Users Guide Chapter 14 Quality of Service (QoS) Click Advanced > QoS > Class Setup to open the following screen. Figure 78 QoS > Class Setup The following table describes the labels in this screen. Table 52 QoS > Class Setup LABEL Create a new Class Order DESCRIPTION Click Add to create a new classifier. Active Name Interface Priority Filter Content Modify Apply Cancel This is the number of each classifier. The ordering of the classifiers is important as the classifiers are applied in turn. Select the check box to enable this classifier. This is the name of the classifier. This shows the interface from which traffic of this classifier should come. This is the priority assigned to traffic of this classifier. This shows criteria specified in this classifier. Click the Edit icon to go to the screen where you can edit the classifier. Click the Remove icon to delete an existing classifier. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. IAD Users Guide 167 Chapter 14 Quality of Service (QoS) 14.3.1 Class Configuration Click the Add button or the Edit icon in the Modify field to configure a classifier. Figure 79 QoS Class Configuration 168 IAD Users Guide Chapter 14 Quality of Service (QoS) See Appendix F on page 313 for a list of commonly-used services. The following table describes the labels in this screen. DESCRIPTION Table 53 QoS Class Configuration LABEL Class Configuration Active Name Interface Priority Select the check box to enable this classifier. Enter a descriptive name of up to 20 printable English keyboard characters, including spaces. Select from which interface traffic of this class should come. Select a priority level (between 0 and 7) or select Auto to have the IAD map the matched traffic to a queue according to the internal QoS mapping table. See Section 14.5.4 on page 177 for more information. Routing Policy
"0" is the lowest priority level and "7" is the highest. Select the next hop to which traffic of this class should be forwarded. WAN Index Gateway Address Order Tag Configuration DSCP Value Select By Routing Table to have the IAD use the routing table to find a next hop and forward the matched packets automatically. Select To Gateway Address to route the matched packets to the router or switch you specified in the Gateway Address field. This field in not configurable at the time of writing. Enter the IP address of the gateway, which should be a router or switch on the same segment as the IADs interface(s), that can forward the packet to the destination. This shows the ordering number of this classifier. Select an existing number for where you want to put this classifier and click Apply to move the classifier to the number you selected. For example, if you select 2, the classifier you are moving becomes number 2 and the previous classifier 2 gets pushed down one. Select Same to keep the DSCP fields in the packets. Select Auto to map the DSCP value to 802.1 priority level automatically. 802.1Q Tag Select Mark to set the DSCP field with the value you configure in the field provided. Select Same to keep the priority setting and VLAN ID of the frames. Select Auto to map the 802.1 priority level to the DSCP value automatically. Select Remove to delete the priority queue tag and VLAN ID of the frames. Select Mark to replace the 802.1 priority field and VLAN ID with the value you set in the fields below. Select Add to treat all matched traffic untagged and add a second priority queue tag and VLAN. IAD Users Guide 169 Chapter 14 Quality of Service (QoS) Table 53 QoS Class Configuration (continued) LABEL DESCRIPTION Select a priority level (between 0 and 7) from the drop down list box. Ethernet Priority VLAN ID Filter Configuration Source Address Subnet Netmask Port MAC MAC Mask Exclude Destination Address Subnet Netmask Port MAC MAC Mask Exclude Others Specify a VLAN ID number between 2 and 4094. Use the following fields to configure the criteria for traffic classification. Select the check box and enter the source IP address in dotted decimal notation. A blank source IP address means any source IP address. Enter the source subnet mask. Refer to the appendix for more information on IP subnetting. Select the check box and enter the port number of the source. 0 means any source port number. See Appendix F on page 313 for some common services and port numbers. Select the check box and enter the source MAC address of the packet. Type the mask for the specified MAC address to determine which bits a packets MAC address should match. Enter f for each bit of the specified source MAC address that the traffics MAC address should match. Enter 0 for the bit(s) of the matched traffics MAC address, which can be of any hexadecimal character(s). For example, if you set the MAC address to 00:13:49:00:00:00 and the mask to ff:ff:ff:00:00:00, a packet with a MAC address of 00:13:49:12:34:56 matches this criteria. Select this option to exclude the packets that match the specified criteria from this classifier. Select the check box and enter the destination IP address in dotted decimal notation. Enter the destination subnet mask. Refer to the appendix for more information on IP subnetting. Select the check box and enter the port number of the destination. 0 means any source port number. See Appendix F on page 313 for some common services and port numbers. Select the check box and enter the destination MAC address of the packet. Type the mask for the specified MAC address to determine which bits a packets MAC address should match. Enter f for each bit of the specified destination MAC address that the traffics MAC address should match. Enter 0 for the bit(s) of the matched traffics MAC address, which can be of any hexadecimal character(s). For example, if you set the MAC address to 00:13:49:00:00:00 and the mask to ff:ff:ff:00:00:00, a packet with a MAC address of 00:13:49:12:34:56 matches this criteria. Select this option to exclude the packets that match the specified criteria from this classifier. 170 IAD Users Guide Chapter 14 Quality of Service (QoS) Table 53 QoS Class Configuration (continued) LABEL Service DESCRIPTION This field simplifies classifier configuration by allowing you to select a predefined application. When you select a predefined application, you do not configure the rest of the filter fields. SIP (Session Initiation Protocol) is a signaling protocol used in Internet telephony, instant messaging and other VoIP (Voice over IP) applications. Select the check box and select VoIP(SIP) from the drop-down list box to configure this classifier for traffic that uses SIP. File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. Select the check box and select FTP from the drop-down list box to configure this classifier for FTP traffic. Select this option and select the protocol (TCP or UDP) or select User defined and enter the protocol (service type) number. 0 means any protocol number. Select this option and enter the minimum and maximum packet length (from 28 to 1500) in the fields provided. Select this option and specify a DSCP (DiffServ Code Point) number between 0 and 63 in the field provided. Select this option and select a priority level (between 0 and 7) from the drop down list box.
"0" is the lowest priority level and "7" is the highest. Select this option and specify a VLAN ID number between 2 and 4094. Select this option and select a LAN port. Select this option to exclude the packets that match the specified criteria from this classifier. Select this option to set this classifier for TCP ACK (acknowledgement) packets. Click Back to go to the previous screen. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. Protocol Packet Length DSCP Ethernet Priority VLAN ID Physical Port Exclude TCP ACK Back Apply Cancel 14.3.2 QoS Example In the following figure, your Internet connection has an upstream transmission speed of 50 Mbps. You configure a classifier to assign the highest priority queue
(6) to VoIP traffic from the LAN interface, so that voice traffic would not get delayed when there is network congestion. Traffic from the bosss IP address
(10.1.1.23 for example) is mapped to queue 5. Traffic that does not match these IAD Users Guide 171 Chapter 14 Quality of Service (QoS) two classes are assigned priority queue based on the internal QoS mapping table on the IAD. Figure 80 QoS Example VoIP: Queue 6 Boss: Queue 5 IP=10.1.1.23 Ethernet 50 Mbps 172 IAD Users Guide Chapter 14 Quality of Service (QoS) Figure 81 QoS Class Example: VoIP IAD Users Guide 173 Chapter 14 Quality of Service (QoS) Figure 82 QoS Class Example: Boss 174 IAD Users Guide Chapter 14 Quality of Service (QoS) 14.4 The QoS Monitor Screen To view the IADs QoS packet statistics, click Advanced > QoS > Monitor. The screen appears as shown. Figure 83 QoS Monitor The following table describes the labels in this screen. Table 54 QoS Monitor LABEL Priority Queue DESCRIPTION This shows the priority queue number. Pass Drop Poll Interval(s) Set Interval Stop Traffic assigned to higher index queues gets through faster while traffic in lower index queues is dropped if the network is congested. This shows how many packets mapped to this priority queue are transmitted successfully. This shows how many packets mapped to this priority queue are dropped. Enter the time interval for refreshing statistics in this field. Click this button to apply the new poll interval you entered in the Poll Interval(s) field. Click Stop to stop refreshing statistics. 14.5 Technical Reference The following section contains additional technical information about the IAD features described in this chapter. IAD Users Guide 175 Chapter 14 Quality of Service (QoS) 14.5.1 IEEE 802.1Q Tag The IEEE 802.1Q standard defines an explicit VLAN tag in the MAC header to identify the VLAN membership of a frame across bridges. A VLAN tag includes the 12-bit VLAN ID and 3-bit user priority. The VLAN ID associates a frame with a specific VLAN and provides the information that devices need to process the frame across the network. IEEE 802.1p specifies the user priority field and defines up to eight separate traffic types. The following table describes the traffic types defined in the IEEE 802.1d standard (which incorporates the 802.1p). Table 55 IEEE 802.1p Priority Level and Traffic Type PRIORITY LEVEL Level 7 TRAFFIC TYPE Typically used for network control traffic such as router configuration messages. Typically used for voice traffic that is especially sensitive to jitter (jitter is the variations in delay). Typically used for video that consumes high bandwidth and is sensitive to jitter. Typically used for controlled load, latency-sensitive traffic such as SNA
(Systems Network Architecture) transactions. Typically used for excellent effort or better than best effort and would include important business traffic that can tolerate some delay. This is for spare bandwidth. This is typically used for non-critical background traffic such as bulk transfers that are allowed but that should not affect other applications and users. Typically used for best-effort traffic. Level 6 Level 5 Level 4 Level 3 Level 2 Level 1 Level 0 14.5.2 IP Precedence Similar to IEEE 802.1p prioritization at layer-2, you can use IP precedence to prioritize packets in a layer-3 network. IP precedence uses three bits of the eight-
bit ToS (Type of Service) field in the IP header. There are eight classes of services
(ranging from zero to seven) in IP precedence. Zero is the lowest priority level and seven is the highest. 14.5.3 DiffServ QoS is used to prioritize source-to-destination traffic flows. All packets in the flow are given the same priority. You can use CoS (class of service) to give different priorities to different packet types. 176 IAD Users Guide Chapter 14 Quality of Service (QoS) DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. 14.5.3.1 DSCP and Per-Hop Behavior DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field. DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network device will not conflict with the DSCP mapping. DSCP (6 bits) Unused (2 bits) The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies. 14.5.4 Automatic Priority Queue Assignment If you enable QoS on the IAD, the IAD can automatically base on the IEEE 802.1p priority level, IP precedence and/or packet length to assign priority to traffic which does not match a class. The following table shows you the internal layer-2 and layer-3 QoS mapping on the IAD. On the IAD, traffic assigned to higher priority queues gets through faster while traffic in lower index queues is dropped if the network is congested. Table 56 Internal Layer2 and Layer3 QoS Mapping PRIORITY QUEUE 0 1 LAYER 2 IEEE 802.1P USER PRIORITY
(ETHERNET PRIORITY) 1 2 LAYER 3 TOS (IP PRECEDENCE) DSCP IP PACKET LENGTH (BYTE) 0 000000 IAD Users Guide 177 Chapter 14 Quality of Service (QoS) Table 56 Internal Layer2 and Layer3 QoS Mapping PRIORITY QUEUE 2 3 4 5 6 7 LAYER 2 IEEE 802.1P USER PRIORITY
(ETHERNET PRIORITY) 0 3 4 5 6 7 LAYER 3 TOS (IP PRECEDENCE) DSCP IP PACKET LENGTH (BYTE) 0 1 2 3 4 5 6 7
>1100 250~1100
<250 000000 001110 001100 001010 001000 010110 010100 010010 010000 011110 011100 011010 011000 100110 100100 100010 100000 101110 101000 110000 111000 178 IAD Users Guide CHAPTER 15 Dynamic DNS Setup 15.1 Overview Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-
SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address. First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key. 15.1.1 What You Can Do in this Chapter Use the Dynamic DNS screen (Section 15.2 on page 180) to enable DDNS and configure the DDNS settings on the IAD. 15.1.2 What You Need To Know DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname. If you have a private WAN IP address, then you cannot use Dynamic DNS. IAD Users Guide 179 Chapter 15 Dynamic DNS Setup 15.2 The Dynamic DNS Screen To change your IADs DDNS, click Advanced > Dynamic DNS. The screen appears as shown. See Section 15.1 on page 179 for more information. Figure 84 Dynamic DNS The following table describes the fields in this screen. DESCRIPTION Table 57 Dynamic DNS LABEL Dynamic DNS Setup Active Dynamic DNS Service Provider Dynamic DNS Type Host Name Select this check box to use dynamic DNS. Select the name of your Dynamic DNS service provider. Select the type of service that you are registered for from your Dynamic DNS service provider. Type the domain name assigned to your IAD by your Dynamic DNS provider. Type your user name. Type the password assigned to you. If you select WWW.No-IP.com or WWW.TZO.com in the Service Provider field, enter the user name you used to register for this service. User Name Password Email Address 180 IAD Users Guide Chapter 15 Dynamic DNS Setup Table 57 Dynamic DNS (continued) LABEL Key DESCRIPTION If you select WWW.TZO.com in the Service Provider field, enter the password you used to register for this service. Select the check box to enable DynDNS Wildcard. Enable Wildcard Option Enable off line option IP Address Update Policy Use WAN IP Address Dynamic DNS server auto detect IP Address This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line. Select this option to update the IP address of the host name to the WAN IP address. Select this option only when there are one or more NAT routers between the IAD and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the IAD and the DDNS server. Use specified IP Address Apply Cancel Type the IP address of the host name. Use this if you have a static IP address. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. IAD Users Guide 181 Chapter 15 Dynamic DNS Setup 182 IAD Users Guide CHAPTER 16 Remote Management 16.1 Overview Remote management allows you to determine which services/protocols can access which IAD interface (if any) from which computers. The following figure shows remote management of the IAD coming in from the WAN. Figure 85 Remote Management From the WAN LAN WAN HTTP Telnet Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. You may manage your IAD from a remote location via:
Internet (WAN only) ALL (LAN and WAN) LAN only, Neither (Disable). Note: When you choose WAN only or LAN & WAN, you still need to configure a firewall rule to allow access. To disable remote management of a service, select Disable in the corresponding Access Status field. IAD Users Guide 183 Chapter 16 Remote Management You may only have one remote management session running at a time. The IAD automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows. 1 SSH 2 Telnet 3 HTTP 16.1.1 What You Can Do in this Chapter Use the WWW screen (Section 16.2 on page 185) to configure through which interface(s) and from which IP address(es) users can use HTTP to manage the IAD. Use the Telnet screen (Section 16.3 on page 186) to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the IAD. Use the FTP screen (Section 16.4 on page 187) to configure through which interface(s) and from which IP address(es) users can use FTP to access the IAD. Use the SNMP screen (Section 16.5.3 on page 190) to configure your IADs settings for Simple Network Management Protocol management. Use the DNS screen (Section 16.6 on page 191) to configure through which interface(s) and from which IP address(es) users can send DNS queries to the IAD. Use the ICMP screen (Section 16.7 on page 192) to set whether or not your IAD will respond to pings and probes for services that you have not made available. Use the SSH screen (Section 16.11 on page 195) to change your IADs Secure Shell settings. Use the TR-069 screen 16.1.2 What You Need to Know Remote Management Limitations Remote management does not work when:
You have not enabled that service on the interface in the corresponding remote management screen. You have disabled that service in one of the remote management screens. The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the IAD will disconnect the session immediately. 184 IAD Users Guide Chapter 16 Remote Management There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time. There is a firewall rule that blocks it. Remote Management and NAT When NAT is enabled:
Use the IADs WAN IP address when configuring from the WAN. Use the IADs LAN IP address when configuring from the LAN. System Timeout There is a default system management idle timeout of five minutes (three hundred seconds). The IAD automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. 16.2 The HTTP Screen To change your IADs World Wide Web settings, click Advanced > Remote MGMT to display the WWW screen. Figure 86 Remote Management > HTTP IAD Users Guide 185 Chapter 16 Remote Management The following table describes the labels in this screen. Table 58 Remote Management > WWW LABEL Port DESCRIPTION You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Select the interface(s) through which a computer may access the IAD using this service. A secured client is a trusted computer that is allowed to communicate with the IAD using this service. Select All to allow any computer to access the IAD using this service. Choose Selected to just allow the computer with the IP address that you specify to access the IAD using this service. Click Apply to save your settings back to the IAD. Click Cancel to begin configuring this screen afresh. Access Status Secured Client IP Apply Cancel 16.3 The Telnet Screen You can use Telnet to access the IADs command line interface. Specify which interfaces allow Telnet access and from which IP address the access can come. Click Advanced > Remote MGMT > Telnet to display the screen as shown. Figure 87 Remote Management > Telnet 186 IAD Users Guide The following table describes the labels in this screen. Chapter 16 Remote Management Table 59 Remote Management > Telnet LABEL Port DESCRIPTION You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Select the interface(s) through which a computer may access the IAD using this service. A secured client is a trusted computer that is allowed to communicate with the IAD using this service. Access Status Secured Client IP Select All to allow any computer to access the IAD using this service. Choose Selected to just allow the computer with the IP address that you specify to access the IAD using this service. Click Apply to save your customized settings and exit this screen. Click Cancel to begin configuring this screen afresh. Apply Cancel 16.4 The FTP Screen You can use FTP (File Transfer Protocol) to upload and download the IADs firmware and configuration files, please see the Users Guide chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. To change your IADs FTP settings, click Advanced > Remote MGMT > FTP. The screen appears as shown. Use this screen to specify which interfaces allow FTP access and from which IP address the access can come. Figure 88 Remote Management > FTP IAD Users Guide 187 Chapter 16 Remote Management The following table describes the labels in this screen. Table 60 Remote Management > FTP LABEL Port DESCRIPTION You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Select the interface(s) through which a computer may access the IAD using this service. A secured client is a trusted computer that is allowed to communicate with the IAD using this service. Select All to allow any computer to access the IAD using this service. Choose Selected to just allow the computer with the IP address that you specify to access the IAD using this service. Click Apply to save your customized settings and exit this screen. Click Cancel to begin configuring this screen afresh. Access Status Secured Client IP Apply Cancel 16.5 SNMP Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your IAD supports SNMP agent functionality, which allows a manager station to manage and monitor the IAD through the network. The IAD supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation. 188 IAD Users Guide Chapter 16 Remote Management Note: SNMP is only available if TCP/IP is configured. Figure 89 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the IAD). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices. The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects. SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
Get - Allows the manager to retrieve an object variable from the agent. GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. Set - Allows the manager to set values for object variables within an agent. Trap - Used by the agent to inform the manager of some events. IAD Users Guide 189 Chapter 16 Remote Management 16.5.1 Supported MIBs The IAD supports MIB II, which is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 16.5.2 SNMP Traps The IAD will send traps to the SNMP manager when any one of the following events occurs:
Table 61 SNMP Traps TRAP # TRAP NAME 0 coldStart (defined in RFC-
1215) warmStart (defined in RFC-
1215) 1 DESCRIPTION A trap is sent after booting (power on). A trap is sent after booting (software reboot). 16.5.3 The SNMP Screen To change your IADs SNMP settings, click Advanced > Remote MGMT > SNMP. The screen appears as shown. Figure 90 Remote Management > SNMP 190 IAD Users Guide The following table describes the labels in this screen. Chapter 16 Remote Management Table 62 Remote Management > SNMP LABEL SNMP Port DESCRIPTION Access Status You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Select the interface(s) through which a computer may access the IAD using this service. Secured Client IP A secured client is a trusted computer that is allowed to communicate with the IAD using this service. Select All to allow any computer to access the IAD using this service. Choose Selected to just allow the computer with the IP address that you specify to access the IAD using this service. SNMP Configuration Get Community Set Community Trap Community Destination Apply Cancel Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests. Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests. Type the IP address of the station to send your SNMP traps to. Click Apply to save your customized settings and exit this screen. Click Cancel to begin configuring this screen afresh. 16.6 The DNS Screen Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 7 on page 59 for background information. IAD Users Guide 191 Chapter 16 Remote Management Click Advanced > Remote MGMT > DNS to change your IADs DNS settings. Use this screen to set from which IP address the IAD will accept DNS queries and on which interface it can send them your IADs DNS settings. Figure 91 Remote Management > DNS The following table describes the labels in this screen. Table 63 Remote Management > DNS LABEL Port Access Status DESCRIPTION The DNS service port number is 53 and cannot be changed here. Select the interface(s) through which a computer may send DNS queries to the IAD. A secured client is a trusted computer that is allowed to send DNS queries to the IAD. Secured Client IP Apply Cancel Select All to allow any computer to send DNS queries to the IAD. Choose Selected to just allow the computer with the IP address that you specify to send DNS queries to the IAD. Click Apply to save your customized settings and exit this screen. Click Cancel to begin configuring this screen afresh. 16.7 The ICMP Screen To change your IADs security settings, click Advanced > Remote MGMT >
ICMP. The screen appears as shown. If an outside user attempts to probe an unsupported port on your IAD, an ICMP response packet is automatically returned. This allows the outside user to know the IAD exists. Your IAD supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your IAD when unsupported ports are probed. 192 IAD Users Guide Chapter 16 Remote Management Note: If you want your device to respond to pings and requests for unauthorized services, you may also need to configure the firewall anti probing settings to match. Figure 92 Remote Management > ICMP The following table describes the labels in this screen. Table 64 Remote Management > ICMP LABEL ICMP DESCRIPTION Internet Control Message Protocol is a message control and error-
reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user. The IAD will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN &
WAN to reply to both incoming LAN and WAN Ping requests. Select this option to prevent hackers from finding the IAD by probing for unused ports. If you select this option, the IAD will not respond to port request(s) for unused ports, thus leaving the unused ports and the IAD unseen. If this option is not selected, the IAD will reply with an ICMP port unreachable packet for a port probe on its unused UDP ports and a TCP reset packet for a port probe on its unused TCP ports. Note that the probing packets must first traverse the IAD's firewall rule checks before reaching this anti-probing mechanism. Therefore if a firewall rule stops a probing packet, the IAD reacts based on the firewall rule to either send a TCP reset packet for a blocked TCP packet (or an ICMP port-unreachable packet for a blocked UDP packets) or just drop the packets without sending a response packet. Click Apply to save your customized settings and exit this screen. Click Cancel to begin configuring this screen afresh. Respond to Ping on Do not respond to requests for unauthorized services Apply Cancel 16.8 SSH You can use SSH (Secure SHell) to securely access the IADs command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. IAD Users Guide 193 Chapter 16 Remote Management Unlike Telnet or FTP, which transmit data in plaintext (clear or unencrypted text), SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. 16.9 How SSH Works The following table summarizes how a secure connection is established between two remote hosts. Figure 93 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. 2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. 194 IAD Users Guide Chapter 16 Remote Management 3 Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 16.10 SSH Implementation on the IAD Your IAD supports SSH version 1.0 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the IAD for remote SMT management and file transfer on port 22. Only one SSH connection is allowed at a time. 16.10.1 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the IAD over SSH. 16.11 The SSH Screen Click Click Advanced > Remote MGMT > Telnet to change your IADs Secure Shell settings. Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 94 Remote Management > SSH IAD Users Guide 195 Chapter 16 Remote Management The following table describes the labels in this screen. Table 65 Remote Management > SSH LABEL Server Host Key DESCRIPTION Select the certificate whose corresponding private key is to be used to identify the IAD for SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see Chapter 16 on page 37 for details). You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Select the interface(s) through which a computer may access the IAD using this service. A secure client is a trusted computer that is allowed to communicate with the IAD using this service. Select All to allow any computer to access the IAD using this service. Choose Selected to just allow the computer with the IP address that you specify to access the IAD using this service. Click Apply to save your customized settings and exit this screen. Click Reset to begin configuring this screen afresh. Port Access Status Secured Client IP Apply Reset 196 IAD Users Guide 17 CHAPTER Universal Plug-and-Play (UPnP) 17.1 Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use. 17.1.1 What You Can Do in this Chapter Use the UPnP screen (Section 17.2 on page 198) to enable UPnP on the IAD and allow UPnP-enabled applications to automatically configure the IAD. 17.1.2 What You Need to Know How do I know if I'm using UPnP?
UPnP hardware is identified as an icon in the Network Connections folder
(Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device. NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:
Dynamic port mapping Learning public IP addresses Assigning lease times to mappings IAD Users Guide 197 Chapter 17 Universal Plug-and-Play (UPnP) Windows Messenger is an example of an application that supports NAT traversal and UPnP. See the NAT chapter for more information on NAT. Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the IAD allows multicast messages on the LAN only. All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP Implementers Corp. (UIC). ZyXEL's UPnP implementation supports Internet Gateway Device (IGD) 1.0. See the following sections for examples of installing and using UPnP. 17.2 The UPnP Screen Click Advanced > UPnP to display the screen shown next. 198 IAD Users Guide Chapter 17 Universal Plug-and-Play (UPnP) See Section 17.1 on page 197 for more information. Figure 95 Configuring UPnP The following table describes the fields in this screen. Table 66 Configuring UPnP LABEL Active the Universal Plug and Play (UPnP) Feature Allow users to make configuration changes through UPnP Apply Cancel DESCRIPTION Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the IAD's IP address (although you must still enter the password to access the web configurator). Select this check box to allow UPnP-enabled applications to automatically configure the IAD so that they can communicate through the IAD, for example by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application. Click Apply to save the setting to the IAD. Click Cancel to return to the previously saved settings. 17.3 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP. Installing UPnP in Windows Me Follow the steps below to install the UPnP in Windows Me. 1 Click Start and Control Panel. Double-click Add/Remove Programs. IAD Users Guide 199 Chapter 17 Universal Plug-and-Play (UPnP) 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Figure 96 Add/Remove Programs: Windows Setup: Communication 3 In the Communications window, select the Universal Plug and Play check box in the Components selection box. Figure 97 Add/Remove Programs: Windows Setup: Communication: Components 200 IAD Users Guide 4 Click OK to go back to the Add/Remove Programs Properties window and click Chapter 17 Universal Plug-and-Play (UPnP) Next. 5 Restart the computer when prompted. Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP. 1 Click Start and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components . Figure 98 Network Connections IAD Users Guide 201 Chapter 17 Universal Plug-and-Play (UPnP) 4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details. Figure 99 Windows Optional Networking Components Wizard 202 IAD Users Guide Chapter 17 Universal Plug-and-Play (UPnP) 5 In the Networking Services window, select the Universal Plug and Play check box. Figure 100 Networking Services 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next. 17.4 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the IAD. Make sure the computer is connected to a LAN port of the IAD. Turn on your computer and the IAD. Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. IAD Users Guide 203 Chapter 17 Universal Plug-and-Play (UPnP) 2 Right-click the icon and select Properties. Figure 101 Network Connections 204 IAD Users Guide Chapter 17 Universal Plug-and-Play (UPnP) 3 In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created. Figure 102 Internet Connection Properties IAD Users Guide 205 Chapter 17 Universal Plug-and-Play (UPnP) 4 You may edit or delete the port mappings or click Add to manually add port mappings. Figure 103 Internet Connection Properties: Advanced Settings Figure 104 Internet Connection Properties: Advanced Settings: Add 5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 206 IAD Users Guide Chapter 17 Universal Plug-and-Play (UPnP) 6 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray. Figure 105 System Tray Icon 7 Double-click on the icon to display your current Internet connection status. Figure 106 Internet Connection Status Web Configurator Easy Access With UPnP, you can access the web-based configurator on the IAD without finding out the IP address of the IAD first. This comes helpful if you do not know the IP address of the IAD. Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. IAD Users Guide 207 Chapter 17 Universal Plug-and-Play (UPnP) 3 Select My Network Places under Other Places. Figure 107 Network Connections 4 An icon with the description for each UPnP-enabled device displays under Local Network. 208 IAD Users Guide Chapter 17 Universal Plug-and-Play (UPnP) 5 Right-click on the icon for your IAD and select Invoke. The web configurator login screen displays. Figure 108 Network Connections: My Network Places 6 Right-click on the icon for your IAD and select Properties. A properties window displays with basic information about the IAD. Figure 109 Network Connections: My Network Places: Properties: Example IAD Users Guide 209 Chapter 17 Universal Plug-and-Play (UPnP) 210 IAD Users Guide CHAPTER 18 System 18.1 Overview Use this screen to configure the IADs time and date settings. 18.1.1 What You Need to Know The following terms and concepts may help as you read through this chapter. General Setup and System Name General Setup contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name". In Windows 2000, click Start > Settings > Control Panel and then double-
click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name. In Windows XP, click Start > My Computer > View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the IAD System Name. IAD Users Guide 211 Chapter 18 System 18.2 General Setup Use this screen to configure the IADs system name, inactivity timer, and password. Click Maintenance > System to open the General screen. Figure 110 System > General Setup The following table describes the labels in this screen. Table 67 General Setup LABEL General Setup System Name Choose a descriptive name for identification purposes. It is DESCRIPTION recommended you enter your computers Computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes - and underscores "_" are accepted. Type how many minutes a management session (either via the web configurator or telnet) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended). Type the default password or the existing password you use to access the system in this field. Administrator Inactivity Timer Password Old Password New Password Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type. After you change the password, use the new password to access the IAD. Type the new password again for confirmation. Retype to Confirm Apply Cancel Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. 212 IAD Users Guide Chapter 18 System 18.3 Time Setting To change your IADs time and date, click Maintenance > System > Time Setting. The screen appears as shown. Use this screen to configure the IADs time based on your local time zone. Figure 111 System > Time Setting The following table describes the fields in this screen. Table 68 Time Setting LABEL Current Time Current Time DESCRIPTION This field displays the time of your IAD. Current Date Each time you reload this page, the IAD synchronizes the time with the time server. This field displays the date of your IAD. Each time you reload this page, the IAD synchronizes the date with the time server. Time and Date Setup Get from Time Server Time Protocol Time Server Address Apply Cancel Select this radio button to have the IAD get the time and date from the time server you specified below. Indicates that the IAD uses the NTP format, which displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. Enter the IP address or URL (up to 20 extended ASCII characters in length) of your time server. Check with your ISP/network administrator if you are unsure of this information. Click Apply to save your changes back to the IAD. Click Cancel to begin configuring this screen afresh. IAD Users Guide 213 Chapter 18 System 214 IAD Users Guide CHAPTER 19 Logs 19.1 Overview This chapter contains information about configuring general log settings and viewing the IADs logs. The web configurator allows you to choose which categories of events and/or alerts to have the IAD log and then display the logs or have the IAD send them to an administrator (as e-mail) or to a syslog server. 19.2 View Log Click Maintenance > Logs to open the View Log screen. Use this screen to see the logs for the categories that you selected in the Log Settings screen (see Section 19.3 on page 217). Log entries in red indicate alerts. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. Figure 112 View Log IAD Users Guide 215 Chapter 19 Logs The following table describes the fields in this screen. Table 69 View Log LABEL Display DESCRIPTION The categories that you select in the Log Settings screen display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page. Click Refresh to renew the log screen. Click Clear Log to delete all the logs. This field is a sequential value and is not associated with a specific entry. This field displays the time the log was recorded. This indicates the type of connection to the IAD. Refresh Clear Log
Time Facility Facility types are as follows:
tr069 - This indicates a log from an external auto-configuration server. ntpclient - This indicates a log from the ntpclient. login - This indicates a message from the login server. udhcpc - This indicates a log message from the devices DHCP server. dnsmasq - This indicates a log message from the devices DNS forwarder. PPPD - This indicates a log message from the devices Point-to-Point Protocol daemon. kernel - This indicates a log message related to the devices Central Processing Unit (CPU), memory, and I/O ports. OMCI - This indicates a log message about the OpenManage Client Instrumentation. VoIP - This indicates a log a message from the SIP server. This indicates the log severity. This field states the reason for the log. Click this to cycle to the first page of logs. Click this to cycle to the previous page of logs. This indicates which page you are on, out of how many. You can enter a page number here and press [Enter] to jump directly to that page. Click this to cycle to the next page of logs. Click this to cycle to the last page of logs Click this to refresh the logs screen. Level Message First Previous Page Next Last Refresh 216 IAD Users Guide Chapter 19 Logs 19.3 Log Settings Use this screen to configure which logs to display on the View Logs screen (see Chapter 19 on page 215). Click Maintenance > Logs > Log Settings. Figure 113 Log Settings The following table describes the fields in this screen. DESCRIPTION Table 70 Log Settings LABEL Active Log
[Log Type]
Apply Cancel Select the type of log you want to be displayed on the View Logs screen. Click Apply to save your customized settings and exit this screen. Click Cancel to return to the previously saved settings. IAD Users Guide 217 Chapter 19 Logs 218 IAD Users Guide CHAPTER 20 Tools 20.1 Overview This chapter explains how to upload new firmware, manage configuration files and restart your IAD. Use the instructions in this chapter to change the devices configuration file or upgrade its firmware. After you configure your device, you can backup the configuration file to a computer. That way if you later misconfigure the device, you can upload the backed up configuration file to return to your previous settings. You can alternately upload the factory default configuration file if you want to return the device to the original default settings. The firmware determines the devices available features and functionality. 20.1.1 Some Warnings The following are some friendly reminders about your device:
Do NOT turn off the IAD while a firmware upload is in progress!
Only use firmware for your devices specific model. Refer to the label on the bottom of your IAD. IAD Users Guide 219 Chapter 20 Tools 20.2 Firmware Upgrade Click Maintenance > Tools to open the Firmware screen. Follow the instructions in this screen to upload firmware to your IAD. The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. Figure 114 Firmware Upgrade The following table describes the labels in this screen. Table 71 Firmware Upgrade DESCRIPTION LABEL Current This is the present Firmware version and the date created. Firmware Version File Path Browse... Upload Type in the location of the file you want to upload in this field or click Browse ... to find it. Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Click Upload to begin the upload process. This process may take up to two minutes. After you see the Firmware Upload in Progress screen, wait three minutes before logging into the IAD again. The IAD automatically restarts in this time causing a temporary network disconnect. After two minutes, log in again and check your new firmware version in the Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the Firmware screen. 220 IAD Users Guide Chapter 20 Tools 20.3 Configuration Click Maintenance > Tools > Configuration. Information related to factory defaults, backup configuration, and restoring configuration appears in this screen, as shown next. Figure 115 Configuration 20.3.1 Backup Configuration Backup Configuration allows you to back up (save) the IADs current configuration to a file on your computer. Once your IAD is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the IADs current configuration to your computer. 20.3.2 Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your IAD. Table 72 Restore Configuration LABEL File Path DESCRIPTION Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the file you want to upload. Remember that you must Upload decompress compressed (.ZIP) files before you can upload them. Click Upload to begin the upload process. IAD Users Guide 221 Chapter 20 Tools After you see a restore configuration successful screen, you must then wait one minute before logging into the IAD again. The IAD automatically restarts in this time causing a temporary network disconnect. If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (10.0.0.138). See Appendix B on page 245 for details on how to set up your computers IP address. If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. 20.3.3 Reset to Factory Defaults Click the Reset button to clear all user-entered configuration information and return the IAD to its factory defaults. You can also press the RESET button on the rear panel to reset the factory defaults of your IAD. 20.4 Restart System restart allows you to reboot the IAD without turning the power off. Click Maintenance > Tools > Restart. Click Restart to have the IAD reboot. This does not affect the IAD's configuration. Figure 116 Restart Screen 222 IAD Users Guide CHAPTER 21 Diagnostic 21.1 Overview This read-only screen displays information to help you identify problems with the IAD. 21.2 General Click Maintenance > Diagnostic to open the screen shown next. Figure 117 Diagnostic > General The following table describes the fields in this screen. Table 73 General LABEL TCP/IP Address Ping DESCRIPTION Type the IP address of a computer that you want to ping in order to test a connection. Click this button to ping the IP address that you entered. IAD Users Guide 223 Chapter 21 Diagnostic 224 IAD Users Guide CHAPTER 22 Troubleshooting 22.1 Overview This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. Power, Hardware Connections, and LEDs IAD Access and Login Internet Access Phone Calls and VoIP 22.2 Power, Hardware Connections, and LEDs The IAD does not turn on. None of the LEDs turn on. 1 Make sure the IAD is turned on. 2 Make sure you are using the power adaptor or cord included with the IAD. 3 Make sure the power adaptor or cord is connected to the IAD and plugged in to an appropriate power source. Make sure the power source is turned on. 4 5 Turn the IAD off and on. If the problem continues, contact the vendor. IAD Users Guide 225 Chapter 22 Troubleshooting One of the LEDs does not behave as expected. 1 Make sure you understand the normal behavior of the LED. See Section 1.6 on page 26. 2 Check the hardware connections. See the Quick Start Guide. 3 4 5 Inspect your cables for damage. Contact the vendor to replace any damaged cables. Turn the IAD off and on. If the problem continues, contact the vendor. 22.3 IAD Access and Login I forgot the IP address for the IAD. 1 2 3 The default IP address is 192.168.1.1. If you changed the IP address and have forgotten it, you might get the IP address of the IAD by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the IAD (it depends on the network), so enter this IP address in your Internet browser. If this does not work, you have to reset the device to its factory defaults. See Section 1.5 on page 25. I cannot see or access the Login screen in the web configurator. 1 Make sure you are using the correct IP address. The default IP address is 192.168.1.1. If you changed the IP address, use the new IP address. 226 IAD Users Guide Chapter 22 Troubleshooting If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the IAD. 2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide. 3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled. See Appendix C on page 275. 4 Reset the device to its factory defaults, and try to access the IAD with the default IP address. See Section 1.5 on page 25. 5 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. I can see the Login screen, but I cannot log in to the IAD. 1 Make sure you have entered the user name and password correctly. The default user name is admin. These fields are case-sensitive, so make sure [Caps Lock] is not on. 2 3 4 You cannot log in to the web configurator while someone is using Telnet to access the IAD. Log out of the IAD in the other session, or ask the person who is logged in to log out. Turn the IAD off and on. If this does not work, you have to reset the device to its factory defaults. See Section 22.2 on page 225. 22.4 Internet Access I cannot access the Internet. 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.6 on page 26. 2 Make sure you entered your ISP account information correctly in the wizard. These fields are case-sensitive, so make sure [Caps Lock] is not on. IAD Users Guide 227 Chapter 22 Troubleshooting 3 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. 4 If the problem continues, contact your ISP. I cannot access the Internet anymore. I had access to the Internet (with the IAD), but my Internet connection is not available anymore. 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.6 on page 26. 2 3 Turn the IAD off and on. If the problem continues, contact your ISP. The Internet connection is slow or intermittent. 1 2 3 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.6 on page 26. If the IAD is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications. Turn the IAD off and on. If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. 22.5 Phone Calls and VoIP The telephone port wont work or the telephone lacks a dial tone. 1 Check the telephone connections and telephone wire. 228 IAD Users Guide Chapter 22 Troubleshooting I can access the Internet, but cannot make VoIP calls. 1 2 3 The PHONE light should come on. Make sure that your telephone is connected to the PHONE port. You can also check the VoIP status in the Status screen. If the VoIP settings are correct, use speed dial to make peer-to-peer calls. If you can make a call using speed dial, there may be something wrong with the SIP server, contact your VoIP service provider. IAD Users Guide 229 Chapter 22 Troubleshooting 230 IAD Users Guide CHAPTER 23 Product Specifications The following tables summarize the IADs hardware and firmware features. Hardware Specifications Table 74 Hardware Specifications Dimensions Weight Power Specification Built-in Switch 215 W x 145 D x 35 H mm 390 g 18V DC 1A Four auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports 2 RJ-11 FXS POTS ports 1 F-type coaxial connector 2 attached external dipole antennas, 2dBi 1 second: turn on or off WLAN PHONE Port CATV Port Antennas WPS Button RESET Button PON Port Operation Temperature Storage Temperature Operation Humidity Storage Humidity Distance between the centers of the holes
(for wall-mounting) on the devices back Screw size for wall-
mounting 5 seconds: enable WPS (Wi-Fi Protected Setup) Restores factory defaults 1 SC/UPC type fiber-optic connector 0 C ~ 40 C
-20 ~ 60 C 20% ~ 85% RH 20% ~ 90% RH 137.20mm M4 tap IAD Users Guide 231 Chapter 23 Product Specifications Voice Specifications Note: To take full advantage of the supplementary phone services available through the IAD's phone port, you may need to subscribe to the services from your VoIP service provider. Note: Not all features are supported by all service providers. Consult your service provider for more information. Table 75 Voice Features Call Park and Pickup Call park and pickup lets you put a call on hold (park) and then continue the call (pickup). The caller must still pay while the call is parked. When you park the call, you enter a number of your choice (up to eight digits), which you must enter again when you pick up the call. If you do not enter the correct number, you cannot pickup the call. This means that only someone who knows the number you have chosen can pick up the call. You can have more than one call on hold at the same time, but you must give each call a different number. With call return, you can place a call to the last number that called you (either answered or missed). The last incoming call can be through either SIP or PSTN. Phone standards and settings differ from one country to another, so the settings on your IAD must be configured to match those of the country you are in. The country code feature allows you to do this by selecting the country from a list rather than changing each setting manually. Configure the country code feature when you move the IAD from one country to another. This feature allows you to set your phone not to ring when someone calls you. You can set each phone independently using its keypad, or configure global settings for all phones using the command line interpreter. You can set the IAD to automatically dial a specified number immediately whenever you lift a phone off the hook. Use the Web Configurator to set the specified number. Use the command line interpreter to have the IAD wait a specified length of time before dialing the number. The phone config table allows you to customize the phone keypad combinations you use to access certain features on the IAD, such as call waiting, call return, call forward, etc. The phone config table is configurable in command interpreter mode. If your service provider uses an auto provisioning server, you need to enter a personal identification number (supplied by your service provider) before you first use the feature. Call Return Country Code Do not Disturb
(DnD) Auto Dial Phone config HTTP pincode 232 IAD Users Guide Chapter 23 Product Specifications Table 75 Voice Features Firmware update enable / disable If your service provider uses this feature, you hear a recorded message when you pick up the phone when new firmware is available for your IAD. Enter *99# in your phones keypad to have the IAD upgrade the firmware, or enter #99# to not upgrade. If your service provider gave you different numbers to use, enter them instead. If you enter the code to not upgrade, you can make a call as normal. You will hear the recording again each time you pick up the phone, until you upgrade. This feature allows you to hear an alert when you are already using the phone and another person calls you. You can then either reject the new incoming call, put your current call on hold and receive the new incoming call, or end the current call and receive the new incoming call. With this feature, you can set the IAD to forward calls to a specified number, either unconditionally (always), when your number is busy, or when you do not answer. You can also forward incoming calls from one specified number to another. The IAD supports caller ID, which allows you to see the originating number of an incoming call (on a phone with a suitable display). A Ringer Equivalence Number (REN) is used to determine the number of devices (like telephones or fax machines) that may be connected to the telephone line. Your device has a REN of three, so it can support three devices per telephone port. The built-in adaptive buffer helps to smooth out the variations in delay (jitter) for voice traffic. This helps ensure good voice quality for your conversations. You can simultaneously use multiple voice (SIP) accounts and assign them to to the telephone port. Your device can simultaneously handle multiple voice channels
(telephone calls). Additionally you can answer an incoming phone call on a VoIP account, even while someone else is using the account for a phone call. Voice Activity Detection (VAD) reduces the bandwidth that a call uses by not transmitting when you are not speaking. Your device generates background noise to fill moments of silence when the other device in a call stops transmitting because the other party is not speaking (as total silence could easily be mistaken for a lost connection). Call waiting Call forwarding Caller ID REN Dynamic Jitter Buffer Multiple SIP Accounts Multiple Voice Channels Voice Activity Detection/Silence Suppression Comfort Noise Generation IAD Users Guide 233 Chapter 23 Product Specifications Table 75 Voice Features Echo Cancellation You device supports G.168, an ITU-T standard for eliminating the Other Voice Features echo caused by the sound of your voice reverberating in the telephone receiver while you talk. SIP version 2 (Session Initiating Protocol RFC 3261) SDP (Session Description Protocol RFC 2327) RTP (RFC 1889) RTCP (RFC 1890) Voice codecs (coder/decoders) G.711, G.726, G.729 Fax and data modem discrimination DTMF Detection and Generation DTMF: In-band and Out-band traffic (RFC 2833),(PCM), (SIP INFO) Point-to-point call establishment between two IADs Quick dialing through predefined phone book, which maps the phone dialing number and destination URL. Flexible Dial Plan (RFC3525 section 7.1.14) The following list, which is not exhaustive, illustrates the standards supported in the IAD. Table 76 Standards Supported STANDARD RFC 867 RFC 868 RFC 1058 RFC 1112 RFC 1305 RFC 1483 RFC 1631 RFC 1661 RFC 1723 RFC 2236 RFC 2364 RFC 2408 DESCRIPTION Daytime Protocol Time Protocol. RIP-1 (Routing Information Protocol) IGMP v1 Network Time Protocol (NTP version 3) Multiprotocol Encapsulation over ATM Adaptation Layer 5 IP Network Address Translator (NAT) The Point-to-Point Protocol (PPP) RIP-2 (Routing Information Protocol) Internet Group Management Protocol, Version 2. PPP over AAL5 (PPP over ATM over ADSL) Internet Security Association and Key Management Protocol
(ISAKMP) A Method for Transmitting PPP Over Ethernet (PPPoE) Multiprotocol Encapsulation over ATM Adaptation Layer 5. Network Address Translation - Protocol Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Bridges Port Based Network Access Control. RFC 2516 RFC 2684 RFC 2766 IEEE 802.11d IEEE 802.11x 234 IAD Users Guide Chapter 23 Product Specifications Table 76 Standards Supported (continued) STANDARD ANSI T1.413, Issue 2 Microsoft PPTP DESCRIPTION Asymmetric Digital Subscriber Line (ADSL) standard. MS PPTP (Microsoft's implementation of Point to Point Tunneling Protocol) ST2+ over ATM Protocol Specification - UNI 3.1 Version Compliant AAL5 SAR (Segmentation And Re-assembly) RFC 2383 1.363.5 Power Adaptor Specifications LEI (LEADER ELECTRONICS INC.) MU18-2180100-A1 AC 100~240Volts/50/60Hz/0.6A DC 18Volts/1A 16 Watt max UL,CUL(UL 60950-1) Table 77 Power Adaptor Specifications North American PLUG standards AC Power Adapter Model Input Power Output Power Power Consumption Safety Standards EUROPEAN PLUG STANDARDS AC Power Adapter Model Input Power Output Power Power Consumption Safety Standards UNITED KINGDOM PLUG STANDARDS AC Power Adapter Model Input Power Output Power Power Consumption Safety Standards MU18-Y1180-K105 AC 230V~50Hz 0.5A DC 18Volts/1A 16 Watt max TUV, CE(EN 60950-1) MU18-2180100-B2 AC 100~240Volts/50/60Hz/0.6A DC 18Volts/1A 12 Watt max TUV, CE(EN 60950-1) IAD Users Guide 235 Chapter 23 Product Specifications G-PON Specification Table 78 G-PON Specifications SPECIFICATION Standard Upstream Bit Rate Downstream Bit Rate Distance Power Budget Wavelength Allocation Splitter Ratio FEC DBA Encryption DESCRIPTION IEEE 802.3ah 1.25 Gb/s 1.25 Gb/s 10 Km/20 Km Class A: 5~20 dB Class B: 10~25 dB Up: 1260~1360 nm Down: 1480~1500 nm
>16 Not Supported Not Supported Not Supported Wall-mounting Instructions Do the following to hang your IAD on a wall. Note: See Table 74 on page 231 for the size of screws to use and how far apart to place them. 1 Locate a high position on a wall that is free of obstructions. Use a sturdy wall. 2 Drill two holes for the screws. Make sure the distance between the centers of the holes matches what is listed in the product specifications appendix. Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws. 3 Do not screw the screws all the way into the wall. Leave a small gap of about 0.5 cm between the heads of the screws and the wall. 4 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the IAD with the connection cables. 236 IAD Users Guide Chapter 23 Product Specifications 5 Align the holes on the back of the IAD with the screws on the wall. Hang the IAD on the screws. Figure 118 Wall-mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm). Figure 119 Masonry Plug and M4 Tap Screw IAD Users Guide 237 Chapter 23 Product Specifications 238 IAD Users Guide APPENDIX A Passive Optical Networks Optical fiber allows for data to be transmitted in the form of staggered light impulses. It is composed of flexible plastic or glass piping. Light waves traverse the length of the piping by perpetually reflecting itself off of its mirrored inner core, much like an optical waveguide. The most common application for optical fiber is as a medium to transmit digital information from one location to another over great distances. However, one of the drawbacks of this medium is that light attenuates and eventually loses its coherency. The great challenge in optical fiber research lies in the development of fiber cables capable of minimizing this light attenuation for as long as physically possible. Despite this, optical fiber technology remains on the cutting edge of network communications development. Optical fiber offers enormous benefits in terms of speed, quality, and quantity over other methods such as copper wire, and is the core technology behind the Passive Optical Network (PON). What You Need to Know The following terms and concepts may help as you read through this chapter. PON A Passive Optical Network (PON) sends fiber optical cables from a service provider to the premises. "Passive" means that no power is required once the data, which is transmitted as light, enters the cables. ONU An Optical Network Unit (ONU) is a fiber optical modem that allows a subscriber or client to receive very high-speed Internet access. IAD Users Guide 239 Appendix A Passive Optical Networks OLT An Optical Line Terminal (OLT) is placed at a broadband service providers central office, where it receives voice, video, and other data from the service providers networking servers. It then converts and transmits this data as light across a fiber optical network, where it is received and translated on the opposite end by one or more Optical Network Units (ONUs). FTTx Fiber-To-The-x (FTTx) refers to networking infrastructure that extends from a service provider to the x, where x can be one of many locations: Office (FTTO), Home (FTTH), Desk (FTTD), Building (FTTB) or even Curb (FTTC), to name a few. In an FTTO connection, the Optical Network Unit (ONU) is often placed inside the building, whereas in FTTH or FTTC the fiber ends at an end-users house (or somewhere nearby), or at a curb-side unit. Gigabit Ethernet Gigabit Ethernet (IEEE 802.3z standard) uses Ethernet over copper wire technology to increase network data rates to 1 Gbit/sec. It is built upon standard 4-pair Category 5 copper cabling. GEM The Generic Encapsulation Method (GEM) provides a method for PON devices to natively transmit both Ethernet and TDM data over optical fiber. ATM Asynchronous Transfer Method (ATM) is a LAN and WAN networking technology that provides high-speed data transfer. ATM uses fixed-size packets of information called cells. With ATM, a high QoS (Quality of Service) can be guaranteed. TDM In Time Division Multiplexing (TDM), individual data subchannels can occupy the entire frequency bandwidth of a communication stream at certain specific times, and cannot transmit at other times. Each subchannel takes turns using the communications stream. TDM is typically used in FTTx and satellite communication. 240 IAD Users Guide Appendix A Passive Optical Networks How It Works There are no active components in the PON backbone that require power. Light impulses move from point A to point B with nothing inbetween to facilitate it other than optical physics. Although the devices at the point of origin and the point of termination undoubtedly require power, the network itself does not. Figure 120 An example of Passive Optical Networking A C B In this example, the PON consists of: one or more Optical Line Terminals (OLTs) located at the service providers central office (A) to convert and transmit data; a network of fiber optical cables to passively carry the data (B); and one or more Optical Network Units (ONUs) at the subscriber end to receive the data (C). PON Development As a technology, PON has been around for quite some time although it was initially unusable for network communications. One of the original improvements made to it was Asynchronous Transfer Method PON (ATM PON, more commonly called APON). The benefit of using a well established networking protocol (such as ATM in this case) to enhance the fiber network is that it is usually backwards-compatible with an existing Wide Area Network (WAN). Unfortunately, ATM has fallen out of favor due to its relative complexity and the rapid rise in popularity of the Internet Protocol (IP), which is both less complex and more cost effective due to the ubiquitousness of the hardware that supports it. A more robust off-shoot of APON offering faster transmission speeds is Broadband PON (BPON). IAD Users Guide 241 Appendix A Passive Optical Networks Ethernet PON (EPON), meanwhile, offers slightly slower data transmission rates but shows a smaller overhead and is markedly better at transmitting over the Ethernet layer using IP. Because Ethernet is so widespread and relies on a well-
established universal networking protocol, manufacturers can use existing hardware to build EPON units, making it a very cost effective solution in comparison to the other types of PON devices available. Moreover, Ethernet cables
(RJ-45) and infrastructure already exist in many office buildings, so making the transition to EPON is even easier. GEPON is the other name by which EPON is known and marketed. For all intents and purposes, it is the same. Both fall under the purview of the IEEE802.3ah specification. Gigabit Ethernet PON (GPON) offers a speed boost over APON/BPON and EPON. It retains ATM compatibility in addition to offering Time-Division Multiplexing (TDM). It can utilize both the ATM and Ethernet transport layers, but only by emulating them with the Generic Encapsulation Protocol (GEM). The following table outlines the major differences between the three PON protocols. Table 79 PON Types Comparison PARAMETERS Standard Standardization Date EPON/GEPON IEEE802.3ah 2004.07 Speed 1 Gbps APON/BPON ITU-T (FSAN) 1998 ITU.T G.983 155/622 Mbps 622/1244 Mbps Basic Protocol Protocol Overhead for IP US MAC Scheme Coding Line BER ODN Type Max Reach Ethernet Small ATM Large TDMA 8B/10B 10-12 Type1, Type2 Type1 up to 10 km Type2 up to 20 km TDMA Scramble NRZ 10-10 Class A, B 20 km Standard Driver Vendors Service Provider GPON ITU-T SG15 (FSAN) 2003.11 ITU.T G.984 1.25 Gbps symmetric and higher (up to 2.488 Gbps) Ethernet/ATM/TDM Middle TDMA Scramble NRZ 10-12 Class A, B, C 20 km (Max 60 km for ranging protocol) Service Provider PON Limitations The most significant limitation of PON is something known as attenuation. This is the gradual decrease in signal strength as the light wave passes down the fiber optical cable stemming from a combination of absorption and scattering. 242 IAD Users Guide Appendix A Passive Optical Networks Absorption happens as the lights energy is converted into heat; scattering occurs when the light hits stray particles of other matter inside the cable and some its photons are redirected in other directions. As a result, the further the light in the pipe travels, the less coherent it becomes and eventually it disintegrates. In current PON implementations, there are two standard distances that a service provider can choose: 1-10 kilometers and 1-20 kilometers. Light does not attentuate differently over the greater of the two distances; rather, the service provider simply uses much more powerful equipment to transmit the light signals into the network, thus boosting the relative signal strength to such a point that attentuation does not set in as rapidly. The other major limitation is the splitting. To make the most of available bandwidth, service providers must split a backbone line into many smaller lines which are then extended to multiple customers. For example, a backbone line leaving the service providers central office may split twice, sending subsidiary lines to branch office ONUs or secondary OLTs. These, in turn, can be split again and again until a certain number of customers have been served. However, each time a light signal is split each subsequent subsidiary beam is at a markedly lower intensity than the original. If a service providers maximum bandwith allocation is approximately 60 Mbps/sec (the physical limitation of the fiber), this bandwidth must be shared among all customers connected to the backbone. If only one customer is connected, they reap the benefits of full 60 Mbps/sec bandwidth; on the other hand, if the service provider splits the signal so that three customers in three disparate locations can benefit, each one only receives ~20 Mbps/sec of bandwidth because of the tripartite split. The maximum number of splits that a service provider can make is 64, at which point the data flood from the signal source becomes but a trickle by the time it reaches the end of its journey. Bit Rate Requirements The kind of transmission speeds a PON provides depends primarily on the kind of network your service provider maintains and any bandwidth limits it enforces (if it does so at all). Various programs and applications can take advantage of the networks bandwidth as long as it meets their requirements. Below is a table listing the minimum bit rates various types of applications require in order to operate at their full potential over a PON. If you are not sure about IAD Users Guide 243 Appendix A Passive Optical Networks your connection speeds, check with your service provider or network administrator. Table 80 Applications and Required Bit Rates APPLICATION Voice over Internet Protocol (VoIP) Full-screen Video Conferenceing (H.263) Basic Web Browsing 5-Megapixel JPG in 10 seconds SDTV (MPEG-2) SDTV (MPEG-4) HDTV (MPEG-2) HDTV (MPEG-4) MINIMUM BIT RATE 16 kbps 384 kbps 1 Mbps 1.5 Mbps 4 Mbps 1.5 Mbps 15 Mbps 7-9 Mbps 244 IAD Users Guide B APPENDIX Setting Up Your Computers IP Address Note: Your specific IAD may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported. This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network. Windows Vista/XP/2000, Mac OS 9/OS X, and all versions of UNIX/LINUX include the software components you need to use TCP/IP on your computer. If you manually assign IP information instead of using a dynamic IP, make sure that your networks computers have IP addresses that place them in the same subnet. In this appendix, you can set up an IP address for:
Windows XP/NT/2000 on page 245 Windows Vista on page 249 Windows 7 on page 253 Mac OS X: 10.3 and 10.4 on page 257 Mac OS X: 10.5 and 10.6 on page 261 Linux: Ubuntu 8 (GNOME) on page 264 Linux: openSUSE 10.3 (KDE) on page 269 Windows XP/NT/2000 The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT. IAD Users Guide 245 Appendix B Setting Up Your Computers IP Address 1 Click Start > Control Panel. Figure 121 Windows XP: Start Menu 2 In the Control Panel, click the Network Connections icon. Figure 122 Windows XP: Control Panel 246 IAD Users Guide Appendix B Setting Up Your Computers IP Address 3 Right-click Local Area Connection and then select Properties. Figure 123 Windows XP: Control Panel > Network Connections > Properties 4 On the General tab, select Internet Protocol (TCP/IP) and then click Properties. Figure 124 Windows XP: Local Area Connection Properties IAD Users Guide 247 Appendix B Setting Up Your Computers IP Address 5 The Internet Protocol TCP/IP Properties window opens. Figure 125 Windows XP: Internet Protocol (TCP/IP) Properties 6 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. 7 Click OK to close the Internet Protocol (TCP/IP) Properties window. 8 Click OK to close the Local Area Connection Properties window. Verifying Settings 1 Click Start > All Programs > Accessories > Command Prompt. 248 IAD Users Guide Appendix B Setting Up Your Computers IP Address 2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information. Windows Vista This section shows screens from Windows Vista Professional. 1 Click Start > Control Panel. Figure 126 Windows Vista: Start Menu 2 In the Control Panel, click the Network and Internet icon. Figure 127 Windows Vista: Control Panel IAD Users Guide 249 Appendix B Setting Up Your Computers IP Address 3 Click the Network and Sharing Center icon. Figure 128 Windows Vista: Network And Internet 4 Click Manage network connections. Figure 129 Windows Vista: Network and Sharing Center 5 Right-click Local Area Connection and then select Properties. Figure 130 Windows Vista: Network and Sharing Center Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. 250 IAD Users Guide
| 1 2 | Installation guide 2 of 2 | Users Manual | 2.09 MiB |
Appendix B Setting Up Your Computers IP Address 6 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties. Figure 131 Windows Vista: Local Area Connection Properties IAD Users Guide 251 Appendix B Setting Up Your Computers IP Address 7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens. Figure 132 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties 8 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.Click Advanced. 9 Click OK to close the Internet Protocol (TCP/IP) Properties window. 10 Click OK to close the Local Area Connection Properties window. Verifying Settings 1 Click Start > All Programs > Accessories > Command Prompt. 252 IAD Users Guide Appendix B Setting Up Your Computers IP Address 2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information. Windows 7 This section shows screens from Windows 7 Enterprise. 1 Click Start > Control Panel. Figure 133 Windows 7: Start Menu 2 In the Control Panel, click View network status and tasks under the Network and Internet category. Figure 134 Windows 7: Control Panel IAD Users Guide 253 Appendix B Setting Up Your Computers IP Address 3 Click Change adapter settings. Figure 135 Windows 7: Network And Sharing Center 4 Double click Local Area Connection and then select Properties. Figure 136 Windows 7: Local Area Connection Status Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. 254 IAD Users Guide Appendix B Setting Up Your Computers IP Address 5 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties. Figure 137 Windows 7: Local Area Connection Properties IAD Users Guide 255 Appendix B Setting Up Your Computers IP Address 6 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens. Figure 138 Windows 7: Internet Protocol Version 4 (TCP/IPv4) Properties 7 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click Advanced if you want to configure advanced settings for IP, DNS and WINS. 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click OK to close the Local Area Connection Properties window. Verifying Settings 1 Click Start > All Programs > Accessories > Command Prompt. 2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. 256 IAD Users Guide Appendix B Setting Up Your Computers IP Address 3 The IP settings are displayed as follows. Figure 139 Windows 7: Internet Protocol Version 4 (TCP/IPv4) Properties Mac OS X: 10.3 and 10.4 The screens in this section are from Mac OS X 10.4 but can also apply to 10.3. 1 Click Apple > System Preferences. Figure 140 Mac OS X 10.4: Apple Menu IAD Users Guide 257 Appendix B Setting Up Your Computers IP Address 2 In the System Preferences window, click the Network icon. Figure 141 Mac OS X 10.4: System Preferences 3 When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure. Figure 142 Mac OS X 10.4: Network Preferences 258 IAD Users Guide Appendix B Setting Up Your Computers IP Address 4 For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab. Figure 143 Mac OS X 10.4: Network Preferences > TCP/IP Tab. 5 For statically assigned settings, do the following:
From the Configure IPv4 list, select Manually. In the IP Address field, type your IP address. In the Subnet Mask field, type your subnet mask. IAD Users Guide 259 Appendix B Setting Up Your Computers IP Address In the Router field, type the IP address of your device. Figure 144 Mac OS X 10.4: Network Preferences > Ethernet 6 Click Apply Now and close the window. Verifying Settings Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab. Figure 145 Mac OS X 10.4: Network Utility 260 IAD Users Guide Appendix B Setting Up Your Computers IP Address Mac OS X: 10.5 and 10.6 The screens in this section are from Mac OS X 10.5 but can also apply to 10.6. 1 Click Apple > System Preferences. Figure 146 Mac OS X 10.5: Apple Menu 2 In System Preferences, click the Network icon. Figure 147 Mac OS X 10.5: Systems Preferences IAD Users Guide 261 Appendix B Setting Up Your Computers IP Address 3 When the Network preferences pane opens, select Ethernet from the list of available connection types. Figure 148 Mac OS X 10.5: Network Preferences > Ethernet 4 5 From the Configure list, select Using DHCP for dynamically assigned settings. For statically assigned settings, do the following:
From the Configure list, select Manually. In the IP Address field, enter your IP address. In the Subnet Mask field, enter your subnet mask. 262 IAD Users Guide Appendix B Setting Up Your Computers IP Address In the Router field, enter the IP address of your IAD. Figure 149 Mac OS X 10.5: Network Preferences > Ethernet 6 Click Apply and close the window. IAD Users Guide 263 Appendix B Setting Up Your Computers IP Address Verifying Settings Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab. Figure 150 Mac OS X 10.5: Network Utility Linux: Ubuntu 8 (GNOME) This section shows you how to configure your computers TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default Ubuntu 8 installation. Note: Make sure you are logged in as the root administrator. Follow the steps below to configure your computer IP address in GNOME:
264 IAD Users Guide Appendix B Setting Up Your Computers IP Address 1 Click System > Administration > Network. Figure 151 Ubuntu 8: System > Administration Menu 2 When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password. Figure 152 Ubuntu 8: Network Settings > Connections IAD Users Guide 265 Appendix B Setting Up Your Computers IP Address 3 4 In the Authenticate window, enter your admin account name and password then click the Authenticate button. Figure 153 Ubuntu 8: Administrator Account Authentication In the Network Settings window, select the connection that you want to configure, then click Properties. Figure 154 Ubuntu 8: Network Settings > Connections 266 IAD Users Guide Appendix B Setting Up Your Computers IP Address 5 The Properties dialog box opens. Figure 155 Ubuntu 8: Network Settings > Properties In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address. In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields. 6 Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen. IAD Users Guide 267 Appendix B Setting Up Your Computers IP Address 7 If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided. Figure 156 Ubuntu 8: Network Settings > DNS 8 Click the Close button to apply the changes. Verifying Settings Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices 268 IAD Users Guide Appendix B Setting Up Your Computers IP Address tab. The Interface Statistics column shows data if your connection is working properly. Figure 157 Ubuntu 8: Network Tools Linux: openSUSE 10.3 (KDE) This section shows you how to configure your computers TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default openSUSE 10.3 installation. Note: Make sure you are logged in as the root administrator. Follow the steps below to configure your computer IP address in the KDE:
IAD Users Guide 269 Appendix B Setting Up Your Computers IP Address 1 Click K Menu > Computer > Administrator Settings (YaST). Figure 158 openSUSE 10.3: K Menu > Computer Menu 2 When the Run as Root - KDE su dialog opens, enter the admin password and click OK. Figure 159 openSUSE 10.3: K Menu > Computer Menu 270 IAD Users Guide Appendix B Setting Up Your Computers IP Address 3 When the YaST Control Center window opens, select Network Devices and then click the Network Card icon. Figure 160 openSUSE 10.3: YaST Control Center 4 When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button. Figure 161 openSUSE 10.3: Network Settings IAD Users Guide 271 Appendix B Setting Up Your Computers IP Address 5 When the Network Card Setup window opens, click the Address tab Figure 162 openSUSE 10.3: Network Card Setup 6 Select Dynamic Address (DHCP) if you have a dynamic IP address. Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields. 7 Click Next to save the changes and close the Network Card Setup window. 272 IAD Users Guide Appendix B Setting Up Your Computers IP Address 8 If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided. Figure 163 openSUSE 10.3: Network Settings 9 Click Finish to save your settings and close the window. Verifying Settings Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information. Figure 164 openSUSE 10.3: KNetwork Manager IAD Users Guide 273 Appendix B Setting Up Your Computers IP Address When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly. Figure 165 openSUSE: Connection Status - KNetwork Manager 274 IAD Users Guide C APPENDIX Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow:
Web browser pop-up windows from your device. JavaScripts (enabled by default). Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary. Internet Explorer Pop-up Blockers You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your devices IP address. Disable Pop-up Blockers 1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 166 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. IAD Users Guide 275 Appendix C Pop-up Windows, JavaScripts and Java Permissions 1 In Internet Explorer, select Tools, Internet Options, Privacy. 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 167 Internet Options: Privacy 3 Click Apply to save this setting. Enable Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 276 IAD Users Guide Appendix C Pop-up Windows, JavaScripts and Java Permissions 2 Select Settingsto open the Pop-up Blocker Settings screen. Figure 168 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.167.1. IAD Users Guide 277 Appendix C Pop-up Windows, JavaScripts and Java Permissions 4 Click Add to move the IP address to the list of Allowed sites. Figure 169 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. 278 IAD Users Guide Appendix C Pop-up Windows, JavaScripts and Java Permissions 1 In Internet Explorer, click Tools, Internet Options and then the Security tab. Figure 170 Internet Options: Security 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). IAD Users Guide 279 Appendix C Pop-up Windows, JavaScripts and Java Permissions 6 Click OK to close the window. Figure 171 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 280 IAD Users Guide Appendix C Pop-up Windows, JavaScripts and Java Permissions 5 Click OK to close the window. Figure 172 Security Settings - Java JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. IAD Users Guide 281 Appendix C Pop-up Windows, JavaScripts and Java Permissions 3 Click OK to close the window. Figure 173 Java (Sun) Mozilla Firefox Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary. You can enable Java, Javascripts and pop-ups in one screen. Click Tools, then click Options in the screen that appears. Figure 174 Mozilla Firefox: Tools > Options 282 IAD Users Guide Appendix C Pop-up Windows, JavaScripts and Java Permissions Click Content.to show the screen below. Select the check boxes as shown in the following screen. Figure 175 Mozilla Firefox Content Security IAD Users Guide 283 Appendix C Pop-up Windows, JavaScripts and Java Permissions 284 IAD Users Guide APPENDIX D IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device
(including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks. Introduction to IP Addresses One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered. Structure An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. IAD Users Guide 285 Appendix D IP Addresses and Subnetting The following figure shows an example IP address in which the first three octets
(192.168.1) are the network number, and the fourth octet (16) is the host ID. Figure 176 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term subnet is short for sub-network. A subnet mask has 32 bits. If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID. The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal). Table 81 IP Address Network Number and Host ID Example IP Address (Binary) Subnet Mask (Binary) Network Number Host ID 286 2ND OCTET:
(168) 10101000 4TH 1ST OCTET OCTET:
(2)
(192) 11000000 00000010 11111111 11111111 11111111 00000000 11000000 10101000 00000001 3RD OCTET:
(1) 00000001 00000010 IAD Users Guide Appendix D IP Addresses and Subnetting By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Subnet masks can be referred to by the size of the network number part (the bits with a 1 value). For example, an 8-bit mask means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes. Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Table 82 Subnet Masks 3RD OCTET 2ND OCTET BINARY 1ST OCTET 11111111 00000000 00000000 11111111 11111111 00000000 11111111 11111111 11111111 11111111 11111111 11111111 4TH OCTET 00000000 00000000 00000000 11111000 DECIMAL 255.0.0.0 255.255.0.0 255.255.255.0 255.255.255.248 8-bit mask 16-bit mask 24-bit mask 29-bit mask Network Size The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits. An IP address with host IDs of all zeros is the IP address of the network
(192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example). As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:
Table 83 Maximum Host Numbers SUBNET MASK HOST ID SIZE 255.0.0.0 8 bits 24 bits 16 bits 255.255.0.0 16 bits 24 bits 255.255.255.0 8 bits 29 bits 255.255.255.248 3 bits 224 2 216 2 28 2 23 2 MAXIMUM NUMBER OF HOSTS 16777214 65534 254 6 IAD Users Guide 287 Appendix D IP Addresses and Subnetting Notation Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a / followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet masks using both notations. Table 84 Alternative Subnet Mask Notation SUBNET MASK ALTERNATIVE NOTATION
/24
/25
/26
/27
/28
/29
/30 LAST OCTET
(BINARY) 0000 0000 1000 0000 1100 0000 1110 0000 1111 0000 1111 1000 1111 1100 LAST OCTET
(DECIMAL) 0 128 192 224 240 248 252 255.255.255.0 255.255.255.128 255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons. In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 28 2 or 254 possible hosts. 288 IAD Users Guide Appendix D IP Addresses and Subnetting The following figure shows the company network before subnetting. Figure 177 Subnetting Example: Before Subnetting You can borrow one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or
/25). The borrowed host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two sub-networks, A and B. Figure 178 Subnetting Example: After Subnetting IAD Users Guide 289 Appendix D IP Addresses and Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 27 2 or 126 possible hosts (a host ID of all zeroes is the subnets address itself, all ones is the subnets broadcast address). 192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254. Example: Four Subnets The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to borrow two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits
(11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 26 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnets broadcast address). Table 85 Subnet 1 IP/SUBNET MASK IP Address (Decimal) IP Address (Binary) Subnet Mask (Binary) Subnet Address:
192.168.1.0 Broadcast Address:
192.168.1.63 Table 86 Subnet 2 IP/SUBNET MASK IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address:
192.168.1.64 Broadcast Address:
192.168.1.127 NETWORK NUMBER 192.168.1. 11000000.10101000.00000001. 00000000 11111111.11111111.11111111. 11000000 Lowest Host ID: 192.168.1.1 LAST OCTET BIT VALUE 0 Highest Host ID: 192.168.1.62 NETWORK NUMBER 192.168.1. 11000000.10101000.00000001. 01000000 11111111.11111111.11111111. 11000000 Lowest Host ID: 192.168.1.65 Highest Host ID: 192.168.1.126 LAST OCTET BIT VALUE 64 290 IAD Users Guide Appendix D IP Addresses and Subnetting Table 87 Subnet 3 IP/SUBNET MASK IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address:
192.168.1.128 Broadcast Address:
192.168.1.191 Table 88 Subnet 4 IP/SUBNET MASK IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address:
192.168.1.192 Broadcast Address:
192.168.1.255 NETWORK NUMBER 192.168.1. 11000000.10101000.00000001. 10000000 11111111.11111111.11111111. 11000000 Lowest Host ID: 192.168.1.129 LAST OCTET BIT VALUE 128 Highest Host ID: 192.168.1.190 LAST OCTET BIT VALUE 192 11000000 11000000 NETWORK NUMBER 192.168.1. 11000000.10101000.00000001
. 11111111.11111111.11111111
. Lowest Host ID: 192.168.1.193 Highest Host ID: 192.168.1.254 Example: Eight Subnets Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 89 Eight Subnets SUBNET FIRST ADDRESS LAST SUBNET ADDRESS 0 32 64 96 128 160 192 224 1 33 65 97 129 161 193 225 1 2 3 4 5 6 7 8 ADDRESS 30 62 94 126 158 190 222 254 BROADCAST ADDRESS 31 63 95 127 159 191 223 255 IAD Users Guide 291 Appendix D IP Addresses and Subnetting Subnet Planning The following table is a summary for subnet planning on a network with a 24-bit network number. NO. SUBNETS NO. HOSTS PER The following table is a summary for subnet planning on a network with a 16-bit network number. NO. SUBNETS NO. HOSTS PER SUBNET MASK Table 90 24-bit Network Number Subnet Planning NO. BORROWED HOST BITS 1 2 3 4 5 6 7 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) 2 4 8 16 32 64 128 SUBNET MASK Table 91 16-bit Network Number Subnet Planning NO. BORROWED HOST BITS 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 255.255.128.0 (/17) 255.255.192.0 (/18) 255.255.224.0 (/19) 255.255.240.0 (/20) 255.255.248.0 (/21) 255.255.252.0 (/22) 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) 2 4 8 16 32 64 128 256 512 1024 2048 4096 8192 16384 32768 SUBNET 126 62 30 14 6 2 1 SUBNET 32766 16382 8190 4094 2046 1022 510 254 126 62 30 14 6 2 1 Configuring IP Addresses Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP 292 IAD Users Guide Appendix D IP Addresses and Subnetting addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the IAD. Once you have decided on the network number, pick an IP address for your IAD that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your IAD will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the IAD unless you are instructed to do otherwise. Private IP Addresses Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255 You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses. Regardless of your particular situation, do not create an arbitrary IP address;
always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. IAD Users Guide 293 Appendix D IP Addresses and Subnetting IP Address Conflicts Each device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network. Conflicting Computer IP Addresses Example More than one device can not use the same IP address. In the following example computer A has a static (or fixed) IP address that is the same as the IP address that a DHCP server assigns to computer B which is a DHCP client. Neither can access the Internet. This problem can be solved by assigning a different static IP address to computer A or setting computer A to obtain an IP address automatically. Figure 179 Conflicting Computer IP Addresses Example Conflicting Router IP Addresses Example Since a router connects different networks, it must have interfaces using different network numbers. For example, if a router is set between a LAN and the Internet
(WAN), the routers LAN and WAN addresses must be on different subnets. In the 294 IAD Users Guide Appendix D IP Addresses and Subnetting following example, the LAN and WAN are on the same subnet. The LAN computers cannot access the Internet because the router cannot route between networks. Figure 180 Conflicting Router IP Addresses Example Conflicting Computer and Router IP Addresses Example More than one device can not use the same IP address. In the following example, the computer and the routers LAN port both use 192.168.1.1 as the IP address. The computer cannot access the Internet. This problem can be solved by assigning a different IP address to the computer or the routers LAN port. Figure 181 Conflicting Computer and Router IP Addresses Example IAD Users Guide 295 Appendix D IP Addresses and Subnetting 296 IAD Users Guide APPENDIX E Wireless LANs Note: Your specific IAD may not support all of the wireless security types described in this appendix. See the product specifications for more information about which wireless security types are supported. Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN. Figure 182 Peer-to-Peer Communication in an Ad-hoc Network BSS A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). IAD Users Guide 297 Appendix E Wireless LANs Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. Figure 183 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. 298 IAD Users Guide Appendix E Wireless LANs An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. Figure 184 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance. Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11. RTS/CTS A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a IAD Users Guide 299 Appendix E Wireless LANs hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 185 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked. When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS
(Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission. Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake. If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. 300 IAD Users Guide Fragmentation Threshold Appendix E Wireless LANs A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet. Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble. Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks. Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications. Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the IAD uses long preamble. Note: The wireless devices MUST use the same preamble mode in order to communicate. IEEE 802.11g Wireless LAN IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point
(and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has IAD Users Guide 301 Appendix E Wireless LANs several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:
Table 92 IEEE 802.11g DATA RATE
(MBPS) 1 2 5.5 / 11 6/9/12/18/24/36/
48/54 MODULATION DBPSK (Differential Binary Phase Shift Keyed) DQPSK (Differential Quadrature Phase Shift Keying) CCK (Complementary Code Keying) OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. Wireless security methods available on the IAD are data encryption, wireless client authentication, restricting access by device MAC address and hiding the IAD identity. The following figure shows the relative effectiveness of these wireless security methods available on your IAD. Table 93 Wireless Security Levels SECURITY LEVEL Least Secure SECURITY TYPE Unique SSID (Default) Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption IEEE802.1x EAP with RADIUS Server Authentication Wi-Fi Protected Access (WPA) WPA2 Most Secure Note: You must enable the same wireless security settings on the IAD and on all wireless clients that you want to associate with it. IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional 302 IAD Users Guide Appendix E Wireless LANs accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:
User based identification that allows for roaming. Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients. RADIUS RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:
Authentication Determines the identity of the users. Authorization Determines the network services available to authenticated users once they are connected to the network. Accounting Keeps track of the clients network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:
Access-Request Sent by an access point requesting authentication. Access-Reject Sent by a RADIUS server rejecting access. Access-Accept Sent by a RADIUS server allowing access. Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. IAD Users Guide 303 Appendix E Wireless LANs The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:
Accounting-Request Sent by the access point requesting accounting. Accounting-Response Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access. Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate
(also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner. EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client proves that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 304 IAD Users Guide Appendix E Wireless LANs authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the senders identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-
TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled. IAD Users Guide 305 Appendix E Wireless LANs Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types. Table 94 Comparison of EAP Authentication Types Mutual Authentication Certificate Client Certificate Server Dynamic Key Exchange Credential Integrity Deployment Difficulty Client Identity Protection EAP-MD5 No No No No None Easy No EAP-TLS EAP-TTLS Yes Yes Yes Yes Strong Hard No Yes Optional Yes Yes Strong Moderate Yes LEAP PEAP Yes Yes No Optional No Yes Yes Yes Moderate Strong Moderate Moderate Yes No WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2
(IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. Encryption WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when 306 IAD Users Guide Appendix E Wireless LANs required for compatibility reasons, but offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP). TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-
packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but its still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of WEP) User Authentication WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-
IAD Users Guide 307 Appendix E Wireless LANs authentication. These two features are optional and may not be supported in all wireless devices. Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it. Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it. WPA(2) with RADIUS Application Example To set up WPA(2), you need the IP address of the RADIUS server, its port number
(default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system. 1 2 The AP passes the wireless client's authentication request to the RADIUS server. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. 3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client. 308 IAD Users Guide Appendix E Wireless LANs 4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. Figure 186 WPA(2) with RADIUS Application Example WPA(2)-PSK Application Example A WPA(2)-PSK application looks as follows. 1 2 3 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols). The AP checks each wireless client's password and allows it to join the network only if the password matches. The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. IAD Users Guide 309 Appendix E Wireless LANs 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them. Figure 187 WPA(2)-PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features. Table 95 Wireless Security Relational Matrix AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL Open ENCRYPTIO N METHOD None No ENTER MANUAL KEY IEEE 802.1X Open WEP Shared WEP No Yes Yes No Yes WPA WPA-PSK WPA2 WPA2-PSK TKIP/AES TKIP/AES TKIP/AES TKIP/AES Yes No Yes No Yes 310 Disable Enable without Dynamic WEP Key Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable Enable Disable Enable Disable IAD Users Guide Appendix E Wireless LANs Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN. Antenna Characteristics Frequency An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz
(IEEE 802.11a) is needed to communicate efficiently in a wireless LAN Radiation Pattern A radiation pattern is a diagram that allows you to visualize the shape of the antennas coverage area. Antenna Gain Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides. Types of Antennas for WLAN There are two types of antennas used for wireless LAN applications. IAD Users Guide 311 Appendix E Wireless LANs Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points. Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications. Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-topoint application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. 312 IAD Users Guide APPENDIX F Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/
code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like. Protocol: This is the type of IP protocol used by the service. If this is TCP/
UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number. Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers. If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number. If the Protocol is USER, this is the IP protocol number. Description: This is a brief explanation of the applications that use this service or the situations in which this service is used. Table 96 Commonly Used Services NAME AH
(IPSEC_TUNNEL) PROTOCOL User-Defined AIM/New-ICQ TCP AUTH BGP BOOTP_CLIENT BOOTP_SERVER CU-SEEME TCP TCP UDP UDP TCP DNS UDP TCP/UDP 5190 113 179 68 67 7648 24032 53 PORT(S) DESCRIPTION 51 The IPSEC AH (Authentication Header) tunneling protocol uses this service. AOLs Internet Messenger service. It is also used as a listening port by ICQ. Authentication protocol used by some servers. Border Gateway Protocol. DHCP Client. DHCP Server. A popular videoconferencing solution from White Pines Software. Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers. IAD Users Guide 313 Appendix F Common Services Table 96 Commonly Used Services (continued) NAME ESP
(IPSEC_TUNNEL) PROTOCOL User-Defined PORT(S) DESCRIPTION 50 FINGER FTP H.323 HTTP HTTPS ICMP TCP TCP TCP TCP TCP TCP 79 20 21 1720 80 443 User-Defined 1 ICQ UDP 4000 IGMP
(MULTICAST) User-Defined 2 IKE IRC UDP TCP/UDP MSN Messenger TCP TCP TCP UDP TCP NEW-ICQ NEWS NFS NNTP PING 500 6667 1863 5190 144 2049 119 User-Defined 1 POP3 TCP 110 The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. NetMeeting uses this protocol. Hyper Text Transfer Protocol - a client/server protocol for the world wide web. HTTPS is a secured http session often used in e-commerce. Internet Control Message Protocol is often used for diagnostic or routing purposes. This is a popular Internet chat program. Internet Group Management Protocol is used when sending packets to a specific group of hosts. The Internet Key Exchange algorithm is used for key distribution and management. This is another popular Internet chat program. Microsoft Networks messenger service uses this protocol. An Internet chat program. A protocol for news groups. Network File System - NFS is a client/
server distributed file service that provides transparent file sharing for network environments. Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). 314 IAD Users Guide Table 96 Commonly Used Services (continued) NAME PPTP PROTOCOL TCP PORT(S) DESCRIPTION 1723 PPTP_TUNNEL
(GRE) User-Defined 47 RCMD REAL_AUDIO TCP TCP REXEC RLOGIN RTELNET RTSP TCP TCP TCP TCP/UDP SFTP SMTP TCP TCP SNMP TCP/UDP SNMP-TRAPS TCP/UDP SQL-NET TCP SSH STRM WORKS SYSLOG TCP/UDP UDP UDP TACACS TELNET UDP TCP 512 7070 514 513 107 554 115 25 161 162 1521 22 1558 514 49 23 Appendix F Common Services Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel. Remote Command Service. A streaming audio service that enables real time sound over the web. Remote Execution Daemon. Remote Login. Remote Telnet. The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. Simple File Transfer Protocol. Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. Simple Network Management Program. Traps for use with the SNMP
(RFC:1215). Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. Secure Shell Remote Login Program. Stream Works Protocol. Syslog allows you to send system logs to a UNIX server. Login Host Protocol used for (Terminal Access Controller Access Control System). Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. IAD Users Guide 315 Appendix F Common Services Table 96 Commonly Used Services (continued) NAME TFTP PROTOCOL UDP PORT(S) DESCRIPTION 69 VDOLIVE TCP 7000 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP
(Transmission Control Protocol). Another videoconferencing solution. 316 IAD Users Guide APPENDIX G Legal Information Copyright Copyright 2009 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimers ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice. Your use of the IAD is subject to the terms and conditions of any related service providers. Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners. Certifications Federal Communications Commission (FCC) Interference Statement The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
IAD Users Guide 317 Appendix G Legal Information This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1 Reorient or relocate the receiving antenna. 2 Increase the separation between the equipment and the receiver. 3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. 4 Consult the dealer or an experienced radio/TV technician for help. FCC Radiation Exposure Statement This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. For operation within 5.15 ~ 5.25GHz frequency range, it is restricted to indoor environment. IEEE 802.11b or 802.11g operation of this product in the U.S.A. is firmware-
limited to channels 1 through 11. To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.
318 IAD Users Guide Appendix G Legal Information 5250MHz~5350MHz Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numrique de la classe B est conforme la norme NMB-003 du Canada. CLASS 1 LASER PRODUCT APPAREIL A LASER DE CLASS 1 PRODUCT COMPLIES WITH 21 CFR 1040.10 AND 1040.11. PRODUIT CONFORME SELON 21 CFR 1040.10 ET 1040.11. Viewing Certifications 1 Go to http://www.zyxel.com. 2 Select your product on the ZyXEL home page to go to that product's page. 3 Select the certification you wish to view from this page. ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with your vendor and/or the authorized ZyXEL local distributor for details about the Warranty Period of this product. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship IAD Users Guide 319 Appendix G Legal Information and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions. Note Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://
www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. 320 IAD Users Guide Index Index call transfer 133, 134 call waiting 132, 134, 233 caller ID 233 Certificate Authority See CA. certifications 317 notices 319 viewing 319 channel 299 interference 299 channel ID 73 codecs 234 comfort noise generation 233 configuration 59 Configure QoS 163 copyright 317 CoS 177 CoS technologies 164 country code 232 CTS (Clear to Send) 300 custom ports creating/editing 150 customized services 149 D default 222 default LAN IP address 29 Denial of Service. See DoS. DHCP 59, 60, 65, 179 DHCP client 65 DHCP client list 65 diagnostic 223 DiffServ (Differentiated Services) 177 DiffServ marking rule 177 disclaimer 317 DnD 232 DNS 60, 191 321 A Advanced Encryption Standard See AES. AES 307 ALG 111 alternative subnet mask notation 288 antenna directional 312 gain 311 omni-directional 312 AP (access point) 299 Application Layer Gateway 111 applications Internet access 22 attack alert 152 auto dial 232 auto firmware upgrade 130 auto provisioning 130 auto-provisioning 130 B backup 221 bandwidth management 163 Basic Service Set, See BSS 297 blinking LEDs 26 BSS 297 C CA 305 call forwarding 233 call hold 132, 134 call park and pickup 232 call return 232 call service mode 131, 133 IAD Users Guide Index do not disturb 232 domain name system see DNS DoS 138, 153 DS field 177 DS See Differentiated Services DSCP 177 DTMF detection and generation 234 dynamic DNS 179 Dynamic Host Configuration Protocol. See DHCP. dynamic jitter buffer 233 dynamic WEP key exchange 305 DYNDNS wildcard 179 E EAP Authentication 304 echo cancellation 234 encapsulation 55 PPP over Ethernet 55 encryption 306 WEP 77 ESS 298 Europe type call service mode 131 Extended Service Set IDentification 74 Extended Service Set, See ESS 298 F FCC interference statement 317 Firewall 154 firewall address type 148 creating/editing rules 146 custom ports 149 DoS 153 Dos threshold 152 enabling 143 maximum incomplete high 153 maximum incomplete low 153 one minute high 153 one minute low 152 322 rule security considerations 154 stateful inspection 137 TCP maximum incomplete 153 three-way handshake 151 firmware upload 220 upload error 220 firmware upgrade 130 flash key 131 flashing 131 fragmentation threshold 301 FTP 104, 187 G G.168 234 G.711 234 G.726 234 G.729 234 general setup 211 H hidden node 299 host 212 HTTP (Hypertext Transfer Protocol) 220 HTTP pincode 130 humidity 231 I IANA 61, 293 IANA (Internet Assigned Number Authority) 149 IBSS 297 IEEE 802.11g 301 IGMP 62, 63 Independent Basic Service Set See IBSS 297 initialization vector (IV) 307 install UPnP 199 Windows Me 199 IAD Users Guide Windows XP 201 Internet access 22 Internet Assigned Numbers Authority See IANA 293 IP address 61, 104, 105, 130 IP address assignment 56 IP pool 64 IP pool setup 60 J jitter buffer 233 K key combinations 135 keypad 135 L LAN setup 55, 59 LAN TCP/IP 60 log out 30 log out (automatic) 30 logs 215 M MAC address filter action 81 MAC filter 80, 81 Management Information Base (MIB) 189 managing the device good habits 21 maximum incomplete high 153 maximum incomplete low 153 Message Integrity Check (MIC) 306 multicast 62 multimedia 117 multiple SIP accounts 233 Index multiple voice channels 233 N NAT 61, 104, 105, 293 address mapping rule 110 application 114 definitions 112 how it works 113 mapping types 114 what it does 112 NAT (Network Address Translation) 101 NAT traversal 197 non-proxy calls 126 O one minute high 153 one minute low 152 operation humidity 231 operation temperature 231 P Pairwise Master Key (PMK) 307, 309 park 232 peer-to-peer calls 23, 126 PHB (Per-Hop Behavior) 177 phone book speed dial 126 phone config 232 phone functions 135 pickup 232 pincode 130 point-to-point calls 234 ports 26 power adaptor 234 power specifications 231 PPPoE 55 benefits 55 PPPoE (Point-to-Point Protocol over Ethernet) 55 IAD Users Guide 323 Index preamble mode 301 product registration 320 PSK 307 Q QoS 176 marking 164 tagging 164 versus CoS 164 QoS class configuration 166 Quality of Service (QoS) 163 quick dialing 234 Quick Start Guide 29 R RADIUS 303 message types 303 messages 303 shared secret key 304 region 232 registration product 320 related documentation 3 remote management how SSH works 194 SSH 193 SSH implementation 195 Telnet 186 remote management and NAT 185 remote management limitations 184 REN 233 resetting your device 25 restore 221 RFC 1631 101 RFC 1889 234 RFC 1890 234 RFC 2131. See DHCP. RFC 2132. See DHCP RFC 2327 234 RFC 3261 234 Ringer Equivalence Number 233 RIP 62 direction 62 Routing Information Protocol see RIP version 62 router features 22 RTCP 234 RTP 234 RTS (Request To Send) 300 threshold 299, 300 S safety warnings 7 SDP 234 server 115, 213 Service Set 74 service type 150 Session Description Protocol 234 Session Initiating Protocol 234 Session Initiation Protocol 117 setup 130 silence suppression 233 SIP 117 SIP account 117 SIP accounts 233 SIP ALG 111 SIP Application Layer Gateway 111 SIP identities 117 SIP number 118 SIP service domain 118 SIP URI 117 SIP version 2 234 SNMP 188 manager 189 MIBs 190 speed dial 126, 129 SSH 193 how SSH works 194 implementation 195 stateful inspection firewall 137 static route 159 324 IAD Users Guide Index status indicators 26 storage humidity 231 storage temperature 231 SUA 102 SUA (Single User Account) 102 SUA vs NAT 102 subnet 285 subnet mask 61, 148, 286 subnetting 288 supplementary services 131 syntax conventions 5 syslog 143 system name 212 system timeout 185 T TCP maximum incomplete 152, 153 Telnet 186 temperature 231 Temporal Key Integrity Protocol (TKIP) 306 three-way conference 133, 135 trademarks 317 Triangle 155 Triangle Route Solutions 156 U Uniform Resource Identifier 117 Universal Plug and Play 197 application 198 UPnP 197 forum 198 security issues 198 USA type call service mode 133 V VAD 233 voice activity detection 233 IAD Users Guide 325 Index voice channels 233 VoIP 117 peer-to-peer calls 126 VoIP features 23 VoIP standards compliance 233 W WAN (Wide Area Network) 55 warranty 319 note 320 Web 185 Web Configurator 29, 155 WEP encryption 78 Wi-Fi Protected Access 306 wireless client WPA supplicants 308 wireless security 302 wireless station list 49 WLAN interference 299 security parameters 310 WLAN button 24 WPA 306 key caching 308 pre-authentication 308 user authentication 307 vs WPA-PSK 307 wireless client supplicant 308 with RADIUS application example 308 WPA2 306 user authentication 307 vs WPA2-PSK 307 wireless client supplicant 308 with RADIUS application example 308 WPA2-Pre-Shared Key 306 WPA2-PSK 306, 307 application example 309 WPA-PSK 306, 307 application example 309 326 IAD Users Guide
| frequency | equipment class | purpose | ||
|---|---|---|---|---|
| 1 | 2009-12-30 | 5745 ~ 5825 | DTS - Digital Transmission System | Original Equipment |
| 2 | 5180 ~ 5240 | NII - Unlicensed National Information Infrastructure TX |
| app s | Applicant Information | |||||
|---|---|---|---|---|---|---|
| 1 2 | Effective |
2009-12-30
|
||||
| 1 2 | Applicant's complete, legal business name |
ZyXEL Communications Corporation
|
||||
| 1 2 | FCC Registration Number (FRN) |
0021059092
|
||||
| 1 2 | Physical Address |
No.2, Industry East Road IX, Science Park
|
||||
| 1 2 |
Hsinchu, N/A
|
|||||
| 1 2 |
Taiwan
|
|||||
| app s | TCB Information | |||||
| 1 2 | TCB Application Email Address |
h******@atcb.com
|
||||
| 1 2 | TCB Scope |
A4: UNII devices & low power transmitters using spread spectrum techniques
|
||||
| app s | FCC ID | |||||
| 1 2 | Grantee Code |
I88
|
||||
| 1 2 | Equipment Product Code |
P3202HNBA
|
||||
| app s | Person at the applicant's address to receive grant or for contact | |||||
| 1 2 | Name |
E****** B****
|
||||
| 1 2 | Title |
Section Manager
|
||||
| 1 2 | Telephone Number |
886 3******** Extension:
|
||||
| 1 2 | Fax Number |
886 3********
|
||||
| 1 2 |
E******@zyxel.com.tw
|
|||||
| app s | Technical Contact | |||||
| 1 2 | Firm Name |
Intertek Testing Services Taiwan Ltd.
|
||||
| 1 2 | Name |
R****** D******
|
||||
| 1 2 | Physical Address |
11, Ln. 275, Ko Nan 1st Street
|
||||
| 1 2 |
Hsinchu, 300
|
|||||
| 1 2 |
Taiwan
|
|||||
| 1 2 | Telephone Number |
(+886******** Extension:
|
||||
| 1 2 | Fax Number |
(+886********
|
||||
| 1 2 |
R******@intertek.com
|
|||||
| app s | Non Technical Contact | |||||
| 1 2 | Firm Name |
Intertek Testing Services Taiwan Ltd.
|
||||
| 1 2 | Name |
R**** D******
|
||||
| 1 2 | Physical Address |
11, Ln. 275, Ko Nan 1st Street
|
||||
| 1 2 |
Hsinchu, 300
|
|||||
| 1 2 |
Taiwan
|
|||||
| 1 2 | Telephone Number |
(+886******** Extension:
|
||||
| 1 2 | Fax Number |
(+886********
|
||||
| 1 2 |
R******@intertek.com
|
|||||
| app s | Confidentiality (long or short term) | |||||
| 1 2 | Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | Yes | ||||
| 1 2 | Long-Term Confidentiality Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No | ||||
| if no date is supplied, the release date will be set to 45 calendar days past the date of grant. | ||||||
| app s | Cognitive Radio & Software Defined Radio, Class, etc | |||||
| 1 2 | Is this application for software defined/cognitive radio authorization? | No | ||||
| 1 2 | Equipment Class | DTS - Digital Transmission System | ||||
| 1 2 | NII - Unlicensed National Information Infrastructure TX | |||||
| 1 2 | Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant) | 802.11N GPON VoIP IAD | ||||
| 1 2 | Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | No | ||||
| 1 2 | Modular Equipment Type | Does not apply | ||||
| 1 2 | Purpose / Application is for | Original Equipment | ||||
| 1 2 | Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | Yes | ||||
| 1 2 | Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No | ||||
| 1 2 | Grant Comments | Power Output listed is the maximum combined conducted output power. Device is an 802.11n router in a 2x2 Spatial Multiplexing MIMO configuration as described in this filing. End-users and responsible parties must be provided with operating and installation instructions to ensure RF exposure compliance. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. | ||||
| 1 2 | Is there an equipment authorization waiver associated with this application? | No | ||||
| 1 2 | If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No | ||||
| app s | Test Firm Name and Contact Information | |||||
| 1 2 | Firm Name |
Intertek Testing Services Taiwan Ltd.
|
||||
| 1 2 | Name |
I****** C********
|
||||
| 1 2 | Telephone Number |
886-2******** Extension:
|
||||
| 1 2 | Fax Number |
886-2********
|
||||
| 1 2 |
i******@intertek.com
|
|||||
| Equipment Specifications | |||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number | |||||||||||||||||||||||||||||||||
| 1 | 1 | 15C | CC | 2412 | 2462 | 0.407 | |||||||||||||||||||||||||||||||||||
| 1 | 2 | 15C | CC | 5745 | 5825 | 0.149 | |||||||||||||||||||||||||||||||||||
| Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number | |||||||||||||||||||||||||||||||||
| 2 | 1 | 15E | CC | 5180.00000000 | 5240.00000000 | 0.0440000 | |||||||||||||||||||||||||||||||||||
some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details
This product uses the FCC Data API but is not endorsed or certified by the FCC